Portforwarding Wireguard setup

I set up WireGuard on a VPS to use it as a VPN to enable port forwarding for various uses like gaming and NAS setup.

Given below are the UFW rules I have added:

To Action From
-- ------ ----
45000 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
45000/udp ALLOW Anywhere
45000/tcp ALLOW Anywhere
40000:60007/tcp ALLOW Anywhere
45000 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
45000/udp (v6) ALLOW Anywhere (v6)
45000/tcp (v6) ALLOW Anywhere (v6)
40000:60007/tcp (v6) ALLOW Anywhere (v6)

10.7.0.2 56000/tcp ALLOW FWD Anywhere
10.7.0.2 45000/tcp ALLOW FWD Anywhere

This is my wg0 config:

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 181.xxx.32.x14

[Interface]
Address = 10.7.0.1/24, fddd:xxxxxx::1/64
PrivateKey = xxx
ListenPort = 51xx0

# BEGIN_PEER pcs
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.7.0.2/32, fddd:xxxx::2/128
# END_PEER pcs

This is the /etc/ufw/before.rules data:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens3 -p tcp --dport 56000 -j DNAT --to-destination 10.7.0.2
-A POSTROUTING -o ens3 -j MASQUERADE
-A PREROUTING -i ens3 -p tcp --dport 55000 -j DNAT --to-destination 10.7.0.2
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT

And this is the /etc/default/ufw file data:

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="ACCEPT"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""

I used this tool https://www.yougetsignal.com/tools/open-ports/ to check for open ports, and the ports are closed. I tried restarting UFW too, no luck. Please help me with the config.
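To see how the three pieces quoted above line up, here is an added checker (my code, not the poster's) that cross-references the ufw route allows with the PREROUTING DNAT rules from before.rules and flags a port that appears in one but not the other; the input strings are copied from the post, and because the WireGuard ListenPort is masked there, 51820 is an assumption.

```python
import re

# Constructed sample input, copied from the ufw status and before.rules quoted in the post.
UFW_STATUS = """\
45000/udp ALLOW Anywhere
45000/tcp ALLOW Anywhere
40000:60007/tcp ALLOW Anywhere
10.7.0.2 56000/tcp ALLOW FWD Anywhere
10.7.0.2 45000/tcp ALLOW FWD Anywhere
"""
NAT_RULES = """\
-A PREROUTING -i ens3 -p tcp --dport 56000 -j DNAT --to-destination 10.7.0.2
-A POSTROUTING -o ens3 -j MASQUERADE
-A PREROUTING -i ens3 -p tcp --dport 55000 -j DNAT --to-destination 10.7.0.2
"""
LISTEN_PORT = 51820  # assumption: the post masks the real value as 51xx0

DNAT_RE = re.compile(r"-A PREROUTING .*-p (\w+) --dport (\d+) -j DNAT --to-destination ([\d.]+)")
FWD_RE = re.compile(r"([\d.]+) (\d+)/(\w+) ALLOW FWD")
IN_RE = re.compile(r"(\d+)(?::(\d+))?/(\w+) ALLOW ")

def parse_dnat(text):
    """{(port, proto): target_ip} for every PREROUTING DNAT rule in the nat table."""
    return {(int(m.group(2)), m.group(1)): m.group(3)
            for m in map(DNAT_RE.search, text.splitlines()) if m}

def parse_ufw(text):
    """Return (inbound allows as {(lo, hi, proto)}, route allows as {(port, proto): dest})."""
    inbound, routed = set(), {}
    for line in text.splitlines():
        if (m := FWD_RE.match(line)):
            routed[(int(m.group(2)), m.group(3))] = m.group(1)
        elif (m := IN_RE.match(line)):
            lo = int(m.group(1))
            inbound.add((lo, int(m.group(2) or lo), m.group(3)))
    return inbound, routed

def audit(ufw_text, nat_text, listen_port, default_input_policy):
    """Cross-check DNAT targets, ufw route allows and the WireGuard listen port."""
    inbound, routed = parse_ufw(ufw_text)
    dnat = parse_dnat(nat_text)
    findings = []
    for (port, proto), target in dnat.items():
        if (port, proto) not in routed:
            findings.append(f"DNAT {port}/{proto} -> {target} has no 'ufw route allow' rule")
        elif routed[(port, proto)] != target:
            findings.append(f"DNAT {port}/{proto} targets {target} but ufw forwards to {routed[(port, proto)]}")
    for (port, proto), dest in routed.items():
        if (port, proto) not in dnat:
            findings.append(f"ufw route allow {dest} {port}/{proto} has no DNAT rule, nothing will reach it")
    # The WireGuard handshake hits INPUT, so the ListenPort needs an allow rule
    # unless the default input policy already accepts everything.
    if default_input_policy != "ACCEPT" and not any(
            lo <= listen_port <= hi and p == "udp" for lo, hi, p in inbound):
        findings.append(f"WireGuard ListenPort {listen_port}/udp is not allowed inbound")
    return findings

if __name__ == "__main__":
    for finding in audit(UFW_STATUS, NAT_RULES, LISTEN_PORT, "ACCEPT"):
        print(finding)
```

On the posted data it reports that 55000/tcp is DNATed without a route allow and that 45000/tcp has a route allow without a DNAT, while the ListenPort is not flagged because the posted /etc/default/ufw sets DEFAULT_INPUT_POLICY to ACCEPT.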

Comments

  • bethp Member, Host Rep

    Does the destination ping from the VPN server? So ping 10.7.0.2; if so, then make sure there is something actually running on the port you are checking, and that the server/machine you are trying to port forward to does not have a firewall blocking the ports.

  • I am connected to the VPN on a Windows machine and try to set up Deluge and qBittorrent with the specified port. Doesn't work.

  • As far as I know there is no firewall blocking the port.

  • UDP is forwarded too.

  • netomx Moderator, Veteran

    Do you have the port opened on your computer?

  • paijrut Member
    edited September 2023

    sudo iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 60000:60100 -j DNAT --to-destination 11.7.0.4:60000-60100
    sudo iptables -A FORWARD -i ens3 -o wg0 -p tcp --syn --dport 60000:60100 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 60000:60100 -d 11.7.0.4 -j SNAT --to-source 11.7.0.1

    That's what I did for forwarding.

  • ListenPort = 51xx0

    The WireGuard listening port, I assume 51820, doesn't seem to be open from the UFW rules. Open it with sudo ufw allow 51820 and check.

    Also run the two commands below and confirm that the output is 1 for both.

    sudo sysctl net.ipv4.ip_forward
    sudo sysctl net.ipv6.conf.all.forwarding
    

    If not, you will have to enable IP forwarding in the kernel. Set them to 1 in either /etc/sysctl.conf or /etc/ufw/sysctl.conf, which is referenced in /etc/default/ufw.

    See if these help.

  • babywhale Member
    edited September 2023

    I've had this happen before, where you also need to go to /etc/ufw/sysctl.conf and uncomment these lines:

    net.ipv4.ip_forward=1
    net/ipv6/conf/default/forwarding=1
    net/ipv6/conf/all/forwarding=1

    You may also need to go to /etc/ufw/before.rules and /etc/ufw/before6.rules to keep the routing rules persistent on reboot.

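As an added check for the step babywhale describes (my code, not from the thread), this reads a /etc/ufw/sysctl.conf in the shape ufw ships it, treats the slash and dotted key spellings as the same key, and reports for each forwarding key whether it is enabled, set wrongly, still commented out, or absent; the sample file content is constructed.

```python
import re

# Constructed sample shaped like the stock /etc/ufw/sysctl.conf, where the
# forwarding keys are present but commented out (the case described above).
SAMPLE_CONF = """\
# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
net/ipv4/conf/all/accept_redirects=0
"""

REQUIRED = ("net.ipv4.ip_forward",
            "net.ipv6.conf.default.forwarding",
            "net.ipv6.conf.all.forwarding")

# A sysctl line is an optional '#', a key in a.b.c or a/b/c form, '=' and a value.
LINE_RE = re.compile(r"(#\s*)?([\w./]+)\s*=\s*(\S+)$")

def normalise(key):
    """sysctl accepts both a.b.c and a/b/c spellings; compare everything dotted."""
    return key.strip().replace("/", ".")

def parse_sysctl(text):
    """Return (active, commented): key -> value for live and commented-out settings."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a free-text comment
        target = commented if m.group(1) else active
        target[normalise(m.group(2))] = m.group(3)
    return active, commented

def forwarding_status(text):
    """Report the state of each forwarding key that routing through wg0 needs."""
    active, commented = parse_sysctl(text)
    report = {}
    for key in REQUIRED:
        if active.get(key) == "1":
            report[key] = "enabled"
        elif key in active:
            report[key] = f"set to {active[key]}, must be 1"
        elif key in commented:
            report[key] = "present but commented out, uncomment it"
        else:
            report[key] = "missing, add key=1"
    return report

if __name__ == "__main__":
    for key, state in forwarding_status(SAMPLE_CONF).items():
        print(f"{key}: {state}")
```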