How to set up port forwarding for torrenting with WireGuard VPN on VPS

psychobacter Member
edited March 26 in Help

I have a VPS running a WireGuard VPN (PiVPN), and I'm trying to set up port forwarding for improved torrenting performance (like what services such as ProtonVPN and AirVPN provide). My Windows 10 computer is the client, and it's behind a router.

I've already configured port forwarding on my router, but I'm struggling to get it working correctly on my VPS. Can someone please provide a step-by-step guide on how to set up port forwarding on my VPS for this purpose?

Network and OS info
OS running on VPS: Ubuntu 22.04.4 LTS
OS running on PC: Windows 10
VPS public ip: 1.2.3.4
WireGuard interface: wg0
IPv4 address for wg0: 10.89.138.1
Network adapter on VPS: enp0s6
IPv4 address for enp0s6: 10.0.0.238
My computer's IP on the wireguard interface: 10.89.138.2
Port used for incoming connections on qbittorrent: 35836

Comments

  • Bumping this discussion because I still haven't found a solution yet.

  • Just putting my 2 cents out here: not sure about WireGuard itself, but this is possible with Tailscale if you use the exit node feature. It's as easy as clicking a button to turn it on (I'm using a VPS as my VPN to torrent), and it's based on WireGuard.

  • Does PiVPN give you a dedicated IP or port for forwarding? You don't mention it.

    If they do, you can check this:
    https://www.linuxserver.io/blog/routing-docker-host-and-container-traffic-through-wireguard

  • Update

    I tried the following with no luck:

    iptables -t nat -A PREROUTING -i enp0s6 -p tcp --dport 32554 -j DNAT --to-destination 10.221.178.2
    iptables -t nat -A POSTROUTING -p tcp --dport 32554 -d 10.221.178.2 -j MASQUERADE
    

    Then I finally managed to get it working. When I installed PiVPN, it created the following rules in the Forward chain

    Chain FORWARD (policy ACCEPT)
    num target   prot opt source        destination     
    1  ACCEPT   all -- anywhere       10.221.178.0/24   ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
    2  ACCEPT   all -- 10.221.178.0/24   anywhere       /* wireguard-forward-rule */
    3  REJECT   all -- anywhere       anywhere       reject-with icmp-host-prohibited
    

    The first rule was preventing me from getting port forwarding to work, despite numerous attempts. However, after modifying this rule to:

    1. ACCEPT     all  --  anywhere             10.221.178.0/24
    

    port forwarding started functioning correctly. As I am just a beginner, could anyone explain what is happening here? Would this modification cause any issue? Everything seems to be working, but since PiVPN initially set it up that way, there must be a reason for it. Therefore, I’m hesitant about making changes.

  • psychobacterpsychobacter Member
    edited March 29

    @psychobacter said: [the Update post above, quoted in full]

    Note: While troubleshooting I had to reinstall PiVPN and qBittorrent, so the subnet and ports are different now.

  • Your VPS is running Ubuntu 22.04, so you can follow these instructions verbatim to set up a WireGuard server (I tested it recently and you can just copy/paste the commands): https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04

    I think what you were missing was telling your VPS to IP Forward traffic to the internet, (Section 4 of the article above), but the PiVPN setup should configure that for you.

    You'll also need to make sure your client passes all traffic to the VPN by adding the following line in your client config, (you'll probably just update the IP rather than add it as a new line).

    AllowedIPs = 0.0.0.0/0

    You should also plan for DNS lookups or you'll expose the VPS activity, which you generally want to avoid when you're deploying a VPN.

    Ideally set up Unbound on the VPN server and get it to forward your DNS over TLS for privacy (this guide is for FreeBSD but it also works for Ubuntu): https://www.jwillikers.com/dns-over-tls-with-unbound

    Wireguard and Unbound are both very lightweight, (especially when they're only forwarding to the internet), but it's well worth going the extra mile to keep your DNS lookups private as well as your traffic.

  • @CloudHopper said: [the post above, quoted in full]

    I’ve posted a new comment with an update. Could you please take a look and let me know your thoughts?

  • I'm on a phone right now, but it looks like removing the "ctstate" part of the PiVPN-added firewall rule fixed it for you, and you're asking what that means?

    The firewall rules you're looking at allow traffic to/from the WireGuard virtual network interface (wg0 or whatever) to the "physical" VPS network interface (eth0 or whatever). If not explicitly permitted, the kernel will keep those two networks isolated by default.

    The "ctstate" part of the rule refers to the firewall's connection tracking, and the unchanged rule only allows connections that are "Established" and "Related", but prevents establishing New connections... so removing that part of the rule is allowing two-way traffic.

    You're using Ubuntu so you might want to take a look at ufw (uncomplicated firewall), which abstracts the iptables rules and uses a much simpler syntax to do the same things: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu

    Also, take a look at WireGuard's PostUp/PostDown rules to set up your firewall by running the commands when the VPN starts/stops. That way you can add/remove firewall rules as they're needed for your connections, which is good security practice.
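
    A worked version of the fix discussed in the Update post and in the ctstate explanation above, added here as an example; it is not code from the thread or from PiVPN. Rule 1 with its ctstate match only passes packets of connections that conntrack already knows about, so the first packet of an inbound forwarded connection (state NEW) falls through to the REJECT in rule 3. Deleting the match works, but it then accepts every new forwarded connection towards the tunnel subnet from any interface. The narrower change is to keep PiVPN's rules and add one ACCEPT for exactly the forwarded port on exactly the one peer. The script prints the rules so they can be reviewed and only runs them when invoked as `./wg-forward.sh apply` as root. The interface names, addresses and port are the values from "Network and OS info" in the opening post; that qBittorrent listens on the same port for both TCP and UDP, and the script name, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from PiVPN: forward one torrent
# port from the VPS uplink to a single WireGuard peer while keeping PiVPN's
# RELATED,ESTABLISHED rule in place.
#
# Defaults are the values from the opening post's "Network and OS info".
# Assumptions: qBittorrent listens on the same port for TCP and UDP (uTP),
# and PiVPN's FORWARD chain still ends in the REJECT rule shown in the thread.
WAN_IF="${WAN_IF:-enp0s6}"         # VPS uplink (10.0.0.238, behind provider NAT)
WG_IF="${WG_IF:-wg0}"              # WireGuard interface (10.89.138.1)
PEER_IP="${PEER_IP:-10.89.138.2}"  # the Windows client's tunnel address
PORT="${PORT:-35836}"              # qBittorrent listening port

# Print the rules, one complete iptables command per line, so they can be
# reviewed before anything is applied.
wg_forward_rules() {
    for proto in tcp udp; do
        # nat/PREROUTING runs before the routing decision: rewrite the
        # destination of traffic arriving on the uplink for $PORT to the
        # peer. Only the first packet of a connection consults this table;
        # conntrack un-NATs the replies by itself, so no extra POSTROUTING
        # rule is needed (PiVPN's MASQUERADE already covers the peer's own
        # outbound connections).
        echo "iptables -t nat -I PREROUTING -i $WAN_IF -p $proto --dport $PORT -j DNAT --to-destination $PEER_IP:$PORT"
        # filter/FORWARD sees the packet after DNAT, with the peer as its
        # destination. PiVPN's rule 1 only ACCEPTs RELATED,ESTABLISHED and
        # rule 3 REJECTs the rest, so the NEW packet of each forwarded
        # connection needs its own ACCEPT. Position 1 keeps it above the
        # REJECT; the interface, address, port and NEW matches narrow it to
        # this one port on this one peer instead of the whole subnet.
        echo "iptables -I FORWARD 1 -i $WAN_IF -o $WG_IF -p $proto -d $PEER_IP --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Run the printed commands; requires root. Stops at the first failure.
apply_rules() {
    wg_forward_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    wg_forward_rules
fi
```

    To tie the rules to the interface's lifetime, as the PostUp/PostDown suggestion above describes, the same four commands can go into the [Interface] section of wg0.conf as PostUp entries, repeated as PostDown with -D in place of -I (and without the position number), so nothing is left forwarding once the tunnel is down. The client still needs AllowedIPs = 0.0.0.0/0 so that replies to torrent peers leave through the tunnel rather than the home router; otherwise the forwarded connections are set up on the VPS but never complete. On the VPS, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show packet counters that should increase when an outside host connects to the port.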

  • vsys_host Member, Patron Provider

    This seems like a mistake: iptables -t nat -A POSTROUTING -p tcp --dport 32554 -d 10.221.178.2 -j MASQUERADE

    Try to change it to: iptables -t nat -A POSTROUTING -p tcp -s 10.221.178.2 -j MASQUERADE

  • psychobacter Member
    edited March 29

    @vsys_host said:
    Try to change it to: iptables -t nat -A POSTROUTING -p tcp -s 10.221.178.2 -j MASQUERADE

    PiVPN already set up the following rule for me in the POSTROUTING chain so I don't think I would be needing it right?

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    MASQUERADE  all  --  10.221.178.0/24      0.0.0.0/0            /* wireguard-nat-rule */
    
  • vsys_host Member, Patron Provider

    You are right; in this case, just delete POSTROUTING -p tcp -s 10.221.178.2 -j MASQUERADE
    And also check that your Windows machine uses the default gateway from WireGuard.
