
Dear ServerFault community,

I have recently bought a home-server. I did not want to host any content on my office IP (1.1.1.1) and I, therefore, bought an OVH VPS with 4 IPs and created a WireGuard tunnel to use the VPS' IP as the homeserver IP.

OVH VPS also forwards all the ports to my homeserver.

I am currently using 2 of the 4 OVH VPS' IPs (2.2.2.2) and (3.3.3.3).

I created two WireGuard tunnels on the VPS on different subnets. One on 10.0.0.0 and one on 10.1.0.0.

My AIM was to achieve a config so that listening to 10.0.0.2 would resolve to 2.2.2.2 and listening to 10.1.0.2 would resolve to 3.3.3.3.

This does work for the first tunnel and for the second tunnel when running by themselves on AllowedIPs = 0.0.0.0/0.

The problem is that when running together on AllowedIPs = 0.0.0.0/0 the Internet connection stops.

I tried changing WG1's AllowedIPs to 10.1.0.0/24, but then WG1 has no working internet connection.

Here are my configuration files:

Server WG0 (OVH VPS):

[Interface]
Address = 10.0.0.1/24
ListenPort = 51821
PrivateKey = {CENSORED}

### Client vpn
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.0.0.2/32

Server WG1 (OVH VPS):

[Interface]
Address = 10.1.0.1/24
ListenPort = 51822
PrivateKey = {CENSORED}

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.1.0.2/32

OVH VPS' IPTables configuration:

# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*filter
:INPUT ACCEPT [1698:235639]
:FORWARD ACCEPT [1053:163056]
:OUTPUT ACCEPT [1451:166474]
:f2b-sshd - [0:0]
COMMIT
# Completed on Tue May 31 15:25:37 2022
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*nat
:PREROUTING ACCEPT [435:15811]
:INPUT ACCEPT [428:15399]
:OUTPUT ACCEPT [32:2255]
:POSTROUTING ACCEPT [119:6298]
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
COMMIT
# Completed on Tue May 31 15:25:37 2022

Homeserver WG0 configuration:

[Interface]
PrivateKey = {CENSORED}
Address = 10.0.0.2/32

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 2.2.2.2:51821
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.0.0.0/24

Homeserver WG1 configuration:

[Interface]
PrivateKey = {CENSORED}
Address = 10.1.0.2/32

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 3.3.3.3:51822
AllowedIPs = 10.1.0.0/24

With my current (pasted here) configuration I can bind (for example Apache2) to 10.0.0.2 and it correctly resolves and allows people to access the server from 2.2.2.2, but when I bind to 10.1.0.2, the IP address 3.3.3.3 is not accessible from the internet on any port and the interface WG1 has no internet connection (e.g. when attempting curl --interface wg1 ifconfig.co).

Thank you in advance for your time and help!

Nicolò
  • is this question related to a business environment and you are been a professional business administrator? – djdomi May 31 '22 at 17:22
  • Yes @djdomi, the environment is business related, otherwise I would not ask on ServerFault… I just defined the server home-server as it is of relatively small dimensions, but as you can recall from the message it is installed in my office for a production environment. – Nicolò May 31 '22 at 21:12
  • and what kind of services should be running? a Webserver is easier to use with a reverse proxy – djdomi Jun 01 '22 at 16:22
  • I am aware of the possible idea of using a reverse proxy, but as I am going to host databases, docker, emails and anything that could become useful I have the necessity of tunnelling all the ports. @djdomi – Nicolò Jun 02 '22 at 13:57

1 Answer


The simplest thing to do would be to add masquerading to your VPS's iptables rules; that would rewrite the source address of packets forwarded to your Homeserver to use the IP address of the VPS's WireGuard interface through which the packets were forwarded (10.0.0.1 for wg0, and 10.1.0.1 for wg1). This allows your Homeserver to use the routes wg-quick sets up in your default routing table to send traffic back through the correct interface.

To do that, add the following POSTROUTING rules to the end of your VPS's iptables config:

-A POSTROUTING -o wg0 -j MASQUERADE
-A POSTROUTING -o wg1 -j MASQUERADE

Then for your Homeserver's wg0.conf, use this for the VPS peer:

AllowedIPs = 10.0.0.0/24

And for your Homeserver's wg1.conf, use this for the VPS peer:

AllowedIPs = 10.1.0.0/24

However, if you need to preserve the original source IP addresses of external packets (like for logging or authentication etc on your Homeserver), masquerading won't work for you. Instead, you need to add some custom policy routing rules for custom route tables on your Homeserver that will send packets back from services bound to 10.0.0.2 through wg0, and 10.1.0.2 through wg1.

To do that, change your Homeserver's wg0.conf to this:

[Interface]
PrivateKey = {CENSORED}
Address = 10.0.0.2/32
Table = 100
PreUp = ip rule add from 10.0.0.2 table 100 priority 123
PostDown = ip rule del from 10.0.0.2 table 100 priority 123

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 2.2.2.2:51821
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

And your Homeserver's wg1.conf to this:

[Interface]
PrivateKey = {CENSORED}
Address = 10.1.0.2/32
Table = 101
PreUp = ip rule add from 10.1.0.2 table 101 priority 124
PostDown = ip rule del from 10.1.0.2 table 101 priority 124

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 3.3.3.3:51822
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Justin Ludwig
  • I tried what you suggested but with the table set to 100 and 101 WG0 and WG1 do not work at all, not even one by one. They do not handshake nor connect to the server. – Nicolò Jun 14 '22 at 13:07
  • You probably also need a `PersistentKeepalive` setting in your Homeserver configs if you're relying on the Homeserver to open up the WireGuard connections to the VPS (I will edit my answer to add that). And if you're testing by initiating connections from the Homeserver, make sure you explicitly specify the appropriate WireGuard interface as the connection source (eg `ping -I wg0 10.0.0.1`). – Justin Ludwig Jun 14 '22 at 19:17
  • Thank you for your help, solved! – Nicolò Jun 16 '22 at 09:36
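The following Python script is an added example (not part of the question or of Justin Ludwig's answer) that models why the question's configuration breaks the second tunnel and why both fixes in the answer restore it. It simulates two things: the homeserver's routing decision under Linux policy routing (the `ip rule` list walked by priority, then a longest-prefix match in the selected table) and WireGuard's cryptokey routing on the VPS, which discards a decrypted packet whose inner source address is not inside the sending peer's AllowedIPs (on the VPS each wgN peer is a single /32, so a reply from 10.1.0.2 that arrives through wg0 is dropped). Assumptions: the internet client 198.51.100.7, the office uplink name `eth0` and the LAN address 192.168.1.10 are constructed; wg-quick's handling of AllowedIPs = 0.0.0.0/0 without a Table= setting (fwmark plus table 51820) is simplified to a plain default route via wg0; with Table = 100/101 the 0.0.0.0/0 route is assumed to land only in that table, which is what the setting does.

```python
"""Reply-path model for the two-tunnel setup in this thread.

Simulates the homeserver's policy-routing decision and the VPS's WireGuard
cryptokey routing for three scenarios: the question's original configuration,
the answer's MASQUERADE variant and the answer's Table=100/101 variant.
Constructed for this example: client 198.51.100.7, uplink eth0, LAN 192.168.1.10.
"""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Longest-prefix match of dst in one route table (list of (prefix, iface)).
    Returns None when no route matches, so the caller tries the next ip rule."""
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def route(rules, tables, src, dst):
    """Policy routing: walk the ip rule list by priority; the first rule whose
    'from' selector matches the source and whose table holds a route wins."""
    src, dst = ip_address(src), ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in ip_network(selector):
            continue
        iface = lookup(tables[table], dst)
        if iface is not None:
            return iface
    return None


def vps_accepts(vps_allowed, iface, src):
    """Cryptokey routing on the VPS: keep a decrypted packet only if its inner
    source address lies inside the AllowedIPs of the peer on that interface."""
    return any(ip_address(src) in ip_network(p) for p in vps_allowed.get(iface, []))


# VPS side, identical in all scenarios: each tunnel carries exactly one /32 peer.
VPS_ALLOWED = {"wg0": ["10.0.0.2/32"], "wg1": ["10.1.0.2/32"]}
CLIENT = "198.51.100.7"  # constructed: internet client talking to 2.2.2.2 / 3.3.3.3

# Scenario 1: the question. wg0 has AllowedIPs = 0.0.0.0/0 (simplified to a
# default route via wg0); wg1 only routes 10.1.0.0/24.
ORIGINAL = {
    "rules": [(32766, None, "main")],
    "tables": {"main": [("0.0.0.0/0", "wg0"), ("10.0.0.0/24", "wg0"),
                        ("10.1.0.0/24", "wg1")]},
}
# Scenario 2: MASQUERADE on the VPS. Forwarded packets arrive from 10.0.0.1 or
# 10.1.0.1, so the homeserver only needs the tunnel subnets in its main table.
MASQUERADE = {
    "rules": [(32766, None, "main")],
    "tables": {"main": [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "wg0"),
                        ("10.1.0.0/24", "wg1")]},
}
# Scenario 3: Table = 100 / 101 plus "ip rule add from <tunnel ip> table <n>".
# The 0.0.0.0/0 AllowedIPs route goes into that table only; the main table
# keeps the office uplink as its default route.
POLICY = {
    "rules": [(123, "10.0.0.2/32", 100), (124, "10.1.0.2/32", 101),
              (32766, None, "main")],
    "tables": {100: [("0.0.0.0/0", "wg0")],
               101: [("0.0.0.0/0", "wg1")],
               "main": [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")]},
}


def trace(scenario, src, dst):
    """Where does a reply from src to dst leave the homeserver, and does the
    VPS keep it? Returns a short verdict string."""
    iface = route(scenario["rules"], scenario["tables"], src, dst)
    if iface is None:
        return "unroutable"
    if not iface.startswith("wg"):
        return f"{iface}: leaves via office uplink, never reaches the VPS"
    if vps_accepts(VPS_ALLOWED, iface, src):
        return f"{iface}: accepted by VPS"
    return f"{iface}: dropped by VPS cryptokey routing"


if __name__ == "__main__":
    for name, scenario in (("original", ORIGINAL), ("masquerade", MASQUERADE),
                           ("policy", POLICY)):
        # With masquerading the reply is addressed to the VPS tunnel IP,
        # otherwise straight back to the internet client.
        masq = name == "masquerade"
        for src, dst in (("10.0.0.2", "10.0.0.1" if masq else CLIENT),
                         ("10.1.0.2", "10.1.0.1" if masq else CLIENT),
                         ("192.168.1.10", CLIENT)):
            print(f"{name:10} {src:>13} -> {dst:<14} {trace(scenario, src, dst)}")
```

Running it shows the question's symptom directly: in the original scenario a reply from 10.1.0.2 is routed out wg0 and discarded by the VPS, while in the policy-routing scenario the `from 10.1.0.2` rule sends it out wg1. The third source address illustrates the point made in the comments about `ping -I wg0`: a packet sourced from the LAN address matches no `from` rule, falls through to the main table and leaves via the uplink, so testing from the homeserver has to bind to the tunnel address. On the real host the kernel decision this script approximates can be inspected with `ip route get 198.51.100.7 from 10.1.0.2`, and `ip rule show` confirms the two PreUp rules are in place.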