I am setting up a VPN using WireGuard and am stuck configuring the firewall on the VPN server. I want the following features available:
- VPN devices (10.6.0.0/24) available from LAN (10.20.0.0/24) (problem!)
- LAN devices (10.20.0.0/24) available from VPN (10.6.0.0/24) (works!)
Current iptables configuration:
Forward all traffic from existing (already open) connections in any direction
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
This enables LAN devices to be available from VPN (works fine)
# Direction: VPN -> LAN -------------------------------------------------------------
iptables -t nat -A PREROUTING -d 10.20.0.0/24 -j DNAT --to-destination 10.6.0.1 # Act as destination NAT from VPN to LAN (be the LAN-gateway for the VPN)
iptables -t filter -A FORWARD -s 10.6.0.0/24 -d 10.20.0.0/24 -j ACCEPT # Accept traffic from VPN to LAN
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -d 10.20.0.0/24 -j MASQUERADE # Mask traffic from VPN to LAN for responses
This shall enable VPN devices to be available from LAN (need help!)
# Direction: LAN -> VPN -------------------------------------------------------------
iptables -t filter -A FORWARD -s 10.20.0.0/24 -d 10.6.0.0/24 -j ACCEPT # Accept traffic from LAN to VPN
iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -d 10.6.0.0/24 -j MASQUERADE # Mask traffic from LAN to VPN for responses
Current findings:
From looking at these rules, I am probably missing another DNAT/SNAT in the lower section, but I still can't figure it out...
The interface counters on the VPN interface show that pings are sent out to the VPN client and do return! So the problem seems to be that the arriving VPN packet is not translated and forwarded to the LAN.
If further information is required, please ask :) Thanks for your time!
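The following is an added example, not part of the question or of any answer: a small audit script that parses an iptables-save style dump and reports, for a VPN subnet and a LAN subnet, whether explicit FORWARD ACCEPT rules exist in both directions and whether any nat PREROUTING DNAT rule matches traffic destined for either subnet (a PREROUTING DNAT rewrites the destination before the routing decision, so such packets are no longer routed to the original subnet). The dump embedded below is constructed from the rules quoted in the question; the function names and the iptables-save input format are assumptions of this example, not anything the asker ran.

```python
"""Audit an iptables-save style dump for a routed VPN <-> LAN setup.

Added example, not code from the original post: parses a rule dump and
checks FORWARD accepts in both directions plus nat PREROUTING DNAT rules
that match traffic destined for the given subnets.
"""
import ipaddress
import shlex

# Constructed sample in iptables-save format, mirroring the question's rules.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -d 10.20.0.0/24 -j DNAT --to-destination 10.6.0.1
-A POSTROUTING -s 10.6.0.0/24 -d 10.20.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.20.0.0/24 -d 10.6.0.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.6.0.0/24 -d 10.20.0.0/24 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.6.0.0/24 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return a list of rule dicts (table, chain, src, dst, target, to, raw)."""
    rules = []
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat" / "*filter" introduce a table
            continue
        if not line.startswith("-A "):
            continue                  # skip COMMIT, policy lines, comments
        toks = shlex.split(line)
        rule = {"table": table, "chain": toks[1], "src": None, "dst": None,
                "target": None, "to": None, "raw": line}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif tok == "-d":
                rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif tok == "--to-destination":
                rule["to"] = toks[i + 1]
                i += 2
            else:
                i += 1                # other options are not needed here
        rules.append(rule)
    return rules


def _covers(rule_net, net):
    """True if a rule match (None = any address) covers the whole subnet."""
    return rule_net is None or net.subnet_of(rule_net)


def forward_accepts(rules, net_a, net_b):
    """Report explicit FORWARD ACCEPT rules between two subnets.

    The conntrack ESTABLISHED,RELATED rule is ignored on purpose: it only
    passes packets of flows that were already allowed, never a new one.
    """
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    out = {"a_to_b": False, "b_to_a": False}
    for r in rules:
        if (r["table"], r["chain"], r["target"]) != ("filter", "FORWARD", "ACCEPT"):
            continue
        if "--ctstate" in r["raw"]:
            continue
        if _covers(r["src"], a) and _covers(r["dst"], b):
            out["a_to_b"] = True
        if _covers(r["src"], b) and _covers(r["dst"], a):
            out["b_to_a"] = True
    return out


def dnat_hits(rules, net):
    """nat PREROUTING DNAT rules whose destination match overlaps `net`.

    Such a rule rewrites the destination before routing, so matching packets
    are delivered to the --to-destination address instead of into `net`.
    """
    n = ipaddress.ip_network(net)
    return [(r["raw"], r["to"]) for r in rules
            if (r["table"], r["chain"], r["target"]) == ("nat", "PREROUTING", "DNAT")
            and (r["dst"] is None or r["dst"].overlaps(n))]


def audit(text, vpn_net, lan_net):
    """Combine the checks for one VPN/LAN subnet pair."""
    rules = parse_dump(text)
    return {"forward": forward_accepts(rules, vpn_net, lan_net),
            "dnat_on_lan": dnat_hits(rules, lan_net),
            "dnat_on_vpn": dnat_hits(rules, vpn_net)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP, "10.6.0.0/24", "10.20.0.0/24").items():
        print(key, value)
```

Feed it the output of `iptables-save` on the server (the sample above stands in for that) and compare the `dnat_on_lan` list with what you expect: on a plain routed setup between a WireGuard subnet and a LAN, where both sides have routes via the server, one would normally expect that list to be empty.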