I have 2 machines running ubuntu 22.04, we will call them server and proxy. The proxy is a vps with an static public ip, and the server is running behind a nat. I want to route all traffic on some ports on the proxy to the server.
Right now, both proxy and server are Virtual box VMs that exist on the same local network becuase i test the deployment of my ansible playbook on these before actually deploying to the real production server and proxy vps wich will not be on the same local network.
I have set up a wireguard vpn beetween the 2 and both can ping each other, if i curl the vpn adress of the server from the proxy i get the correct html response, and setting up nginx on the proxy (which is not the intended final solution cause i would like to route other services that aren't http/https) allows me to proxy_pass to the vpn ip and once again get correct html response.
But i haven't been able to set up the forward using iptables/ufw. This is my wireguard configuration that includes the iptables routing rules on interface up.
Proxy:
[Interface]
# Proxy with static ip
Address = 10.250.0.1/32
ListenPort = 23456
PrivateKey = {private key}
# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# port forwarding
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
[Peer]
# main_server behind nat
PublicKey = {pub key}
AllowedIPs = 10.250.0.2/32
Server:
[Interface]
Address = 10.250.0.2/32
ListenPort = 23456
PrivateKey = {priv key}
[Peer]
PublicKey = {pub key}
Endpoint = {proxy server ip}:23456
AllowedIPs = 10.250.0.0/16
PersistentKeepalive = 25
Running sudo iptables-save -c
returns the following
# Completed on Wed Aug 24 17:01:57 2022
# Generated by iptables-save v1.8.7 on Wed Aug 24 17:01:57 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.250.0.2
[4:208] -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.250.0.2
COMMIT
With the number of packets and bytes [4:208]
increasing everytime i try to access the proxy via web browser
Output of ip -br link; ip -4 -br address; ip -4 route; ip -4 rule
on the proxy
#ip -br link
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3 UP 02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8 UP 30:29:a0:55:d8:7a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0 UNKNOWN <POINTOPOINT,NOARP,UP,LOWER_UP>
#ip -4 -br address
lo UNKNOWN 127.0.0.1/8
enp0s3 UP 10.0.2.15/24 metric 100
enp0s8 UP 192.168.1.16/24
wg0 UNKNOWN 10.250.0.1/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.250.0.2 dev wg0 scope link
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.16
#ip -4 rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
and on the server
#ip -br link
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3 UP 02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8 UP ea:f0:86:64:9e:3b <BROADCAST,MULTICAST,UP,LOWER_UP>
docker0 DOWN 02:42:d2:03:f2:d2 <NO-CARRIER,BROADCAST,MULTICAST,UP>
br-43f8704a8cf1 UP 02:42:69:c4:10:d4 <BROADCAST,MULTICAST,UP,LOWER_UP>
br-888a874e1802 UP 02:42:a5:d4:12:a8 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth482896b@if9 UP 72:fe:4a:76:e6:16 <BROADCAST,MULTICAST,UP,LOWER_UP>
vetha620638@if11 UP 7a:46:41:6a:c3:b4 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth6a64f9a@if15 UP 0e:07:7f:44:da:60 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth140bc79@if17 UP 16:4c:99:ee:ac:b0 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethd577326@if19 UP de:f7:3f:a3:20:57 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethe90974c@if21 UP de:66:ab:4a:86:06 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth25c1529@if23 UP 3e:a1:dd:52:00:6a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0 UNKNOWN <POINTOPOINT,NOARP,UP,LOWER_UP>
vethb11654e@if26 UP a6:7d:f2:d9:a3:0c <BROADCAST,MULTICAST,UP,LOWER_UP>
vethf77e636@if28 UP fa:d8:ad:9b:83:22 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethc24f3aa@if30 UP 2a:c6:ee:41:93:c2 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth807726c@if34 UP 42:ea:b7:0f:bd:67 <BROADCAST,MULTICAST,UP,LOWER_UP>
#ip -4 -br address
lo UNKNOWN 127.0.0.1/8
enp0s3 UP 10.0.2.15/24 metric 100
enp0s8 UP 192.168.1.15/24
docker0 DOWN 172.17.0.1/16
br-43f8704a8cf1 UP 10.0.0.1/16
br-888a874e1802 UP 10.1.0.1/16
wg0 UNKNOWN 10.250.0.2/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.0.0/16 dev br-43f8704a8cf1 proto kernel scope link src 10.0.0.1
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.1.0.0/16 dev br-888a874e1802 proto kernel scope link src 10.1.0.1
10.250.0.0/16 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.15
#ip -4 rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default