
I have 2 machines running Ubuntu 22.04, which we will call server and proxy. The proxy is a VPS with a static public IP, and the server is running behind a NAT. I want to route all traffic on some ports on the proxy to the server.

Right now, both proxy and server are VirtualBox VMs that exist on the same local network, because I test the deployment of my Ansible playbook on these before actually deploying to the real production server and proxy VPS, which will not be on the same local network.

I have set up a WireGuard VPN between the 2 and both can ping each other. If I curl the VPN address of the server from the proxy I get the correct HTML response, and setting up nginx on the proxy (which is not the intended final solution, because I would like to route other services that aren't HTTP/HTTPS) allows me to proxy_pass to the VPN IP and once again get the correct HTML response.

But I haven't been able to set up the forward using iptables/ufw. This is my WireGuard configuration, which includes the iptables routing rules on interface up.

Proxy:

[Interface]
# Proxy with static ip
Address = 10.250.0.1/32
ListenPort = 23456
PrivateKey = {private key}
# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# port forwarding
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
[Peer]
# main_server behind nat
PublicKey = {pub key}
AllowedIPs = 10.250.0.2/32

Server:

[Interface]
Address = 10.250.0.2/32
ListenPort = 23456
PrivateKey = {priv key}

[Peer]
PublicKey = {pub key}
Endpoint = {proxy server ip}:23456
AllowedIPs = 10.250.0.0/16
PersistentKeepalive = 25

Running sudo iptables-save -c returns the following

# Completed on Wed Aug 24 17:01:57 2022
# Generated by iptables-save v1.8.7 on Wed Aug 24 17:01:57 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.250.0.2
[4:208] -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.250.0.2
COMMIT

With the number of packets and bytes [4:208] increasing every time I try to access the proxy via web browser.

Output of ip -br link; ip -4 -br address; ip -4 route; ip -4 rule on the proxy

#ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3           UP             02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8           UP             30:29:a0:55:d8:7a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0              UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP>
#ip -4 -br address
lo               UNKNOWN        127.0.0.1/8
enp0s3           UP             10.0.2.15/24 metric 100
enp0s8           UP             192.168.1.16/24
wg0              UNKNOWN        10.250.0.1/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.250.0.2 dev wg0 scope link
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.16
#ip -4 rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

and on the server

#ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3           UP             02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8           UP             ea:f0:86:64:9e:3b <BROADCAST,MULTICAST,UP,LOWER_UP>
docker0          DOWN           02:42:d2:03:f2:d2 <NO-CARRIER,BROADCAST,MULTICAST,UP>
br-43f8704a8cf1  UP             02:42:69:c4:10:d4 <BROADCAST,MULTICAST,UP,LOWER_UP>
br-888a874e1802  UP             02:42:a5:d4:12:a8 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth482896b@if9  UP             72:fe:4a:76:e6:16 <BROADCAST,MULTICAST,UP,LOWER_UP>
vetha620638@if11 UP             7a:46:41:6a:c3:b4 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth6a64f9a@if15 UP             0e:07:7f:44:da:60 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth140bc79@if17 UP             16:4c:99:ee:ac:b0 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethd577326@if19 UP             de:f7:3f:a3:20:57 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethe90974c@if21 UP             de:66:ab:4a:86:06 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth25c1529@if23 UP             3e:a1:dd:52:00:6a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0              UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP>
vethb11654e@if26 UP             a6:7d:f2:d9:a3:0c <BROADCAST,MULTICAST,UP,LOWER_UP>
vethf77e636@if28 UP             fa:d8:ad:9b:83:22 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethc24f3aa@if30 UP             2a:c6:ee:41:93:c2 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth807726c@if34 UP             42:ea:b7:0f:bd:67 <BROADCAST,MULTICAST,UP,LOWER_UP>
#ip -4 -br address
lo               UNKNOWN        127.0.0.1/8
enp0s3           UP             10.0.2.15/24 metric 100
enp0s8           UP             192.168.1.15/24
docker0          DOWN           172.17.0.1/16
br-43f8704a8cf1  UP             10.0.0.1/16
br-888a874e1802  UP             10.1.0.1/16
wg0              UNKNOWN        10.250.0.2/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.0.0/16 dev br-43f8704a8cf1 proto kernel scope link src 10.0.0.1
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.1.0.0/16 dev br-888a874e1802 proto kernel scope link src 10.1.0.1
10.250.0.0/16 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.15
#ip -4 rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
Laikar

  • The server's configuration has a problem, but actually to give an accurate answer that won't fail then for another reason, you should [provide](https://serverfault.com/posts/1109375/edit) its complete network setup once the WG tunnel is up: `ip -br link; ip -4 -br address; ip -4 route; ip -4 rule`. Feel free to obfuscate intelligently (but I understand no public address should appear). – A.B Aug 29 '22 at 14:43
  • Edited question with the network info you asked for, what problems are there on the server configuration? – Laikar Aug 29 '22 at 15:36
  • The problems are related to the default route and what (management) access you intend for Server. The fact that your experiment (both in same LAN) won't reflect reality is specifically affected by the choices on how to handle the default route. – A.B Aug 29 '22 at 15:45
  • I left both options in my answer. If there's no remote management using a default route, there should be no difference to see. If there's one, then surprises could happen. – A.B Aug 29 '22 at 16:01
  • Actually I'm not sure anymore of what I wrote and testing with such an environment would be a bit too much. I'm deleting my answer (just try `AllowedIPs = 0.0.0.0/0` and see if that works). – A.B Aug 29 '22 at 16:27
  • Changed allowed IPs to 0.0.0.0 on the peer section of the server, and nothing has apparently changed: the proxy can still successfully curl 10.250.0.2 and get an HTML response, but accessing the proxy via URL in a browser or trying to curl the proxy IP from an external machine on the same local network still times out – Laikar Aug 29 '22 at 16:42
  • I'm sorry I won't be able to help more. Anyway, is Docker involved? Is the server running on Server or in a container behind Docker on the Server? This is probably something important to write in the question. – A.B Aug 29 '22 at 17:02
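As an added example (not part of the question, the comments, or any answer), the following POSIX shell script audits an `iptables-save -c` dump taken on the proxy for the three rule groups a DNAT forward into a WireGuard tunnel depends on: the nat PREROUTING DNAT (which the dump above has, and whose counters increase), a filter FORWARD policy that lets the translated packets and their replies through, and a nat POSTROUTING MASQUERADE/SNAT out of wg0 so the server's replies come back through the tunnel rather than leaving via its default route. The nat table is copied from the question; the filter table with a FORWARD DROP default (ufw's default) and the "fixed" dump are constructed, and the function names are the script's own. Nothing in it touches the live firewall; it only reads text.

```shell
#!/bin/sh
# Added example, not from the question: audit an `iptables-save -c` dump on the
# proxy for the three rule groups a DNAT port forward over WireGuard needs.
#   1. nat/PREROUTING: DNAT the port to the tunnel peer (the question has this)
#   2. filter/FORWARD: ACCEPT new connections to the peer on that port plus
#      RELATED,ESTABLISHED replies (ufw's default forward policy is DROP)
#   3. nat/POSTROUTING: MASQUERADE (or SNAT) out of wg0, so the server answers
#      to 10.250.0.1 through the tunnel instead of via its default route
# Only awk and grep are used; nothing here changes the live firewall.

PEER=10.250.0.2   # tunnel address of the server, from the question
WG_IF=wg0         # WireGuard interface on the proxy, from the question

# Constructed sample: the nat table from the question plus a filter table at
# ufw's defaults (assumed; the question's paste starts after its filter table).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.250.0.2
[4:208] -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.250.0.2
COMMIT'

# Constructed sample of the same host after the missing rules were added.
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[9:1100] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2:120] -A FORWARD -o wg0 -d 10.250.0.2/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
[3:180] -A FORWARD -o wg0 -d 10.250.0.2/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[2:120] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.250.0.2
[3:180] -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.250.0.2
[5:300] -A POSTROUTING -o wg0 -j MASQUERADE
COMMIT'

# table_lines TABLE: keep only the lines between "*TABLE" and its COMMIT
table_lines() {
  awk -v t="*$1" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on'
}

# rule_present DUMP TABLE ERE: true if a rule in TABLE matches the pattern
# (the optional "[pkts:bytes] " prefix of -c output is tolerated)
rule_present() {
  printf '%s\n' "$1" | table_lines "$2" | grep -Eq -- "^(\[[0-9]+:[0-9]+] )?$3"
}

# audit_port DUMP PORT: prints "ok" or "missing:" followed by the absent groups
audit_port() {
  dump=$1; port=$2; missing=""
  rule_present "$dump" nat \
    "-A PREROUTING .*-p tcp .*--dport $port .*-j DNAT --to-destination $PEER\$" \
    || missing="$missing dnat"
  { rule_present "$dump" filter \
      "-A FORWARD .*-d $PEER/32 .*-p tcp .*--dport $port .*-j ACCEPT\$" &&
    rule_present "$dump" filter \
      "-A FORWARD .*--ctstate RELATED,ESTABLISHED -j ACCEPT\$"; } \
    || missing="$missing forward"
  rule_present "$dump" nat "-A POSTROUTING .*-o $WG_IF .*-j (MASQUERADE|SNAT)" \
    || missing="$missing masquerade"
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# fix_rules PORT: print the iptables commands that add groups 2 and 3 (print
# only; run them as root, or add them as PreUp/PostDown pairs like the DNAT ones)
fix_rules() {
  cat <<EOF
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $WG_IF -d $PEER -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WG_IF -j MASQUERADE
EOF
}

for p in 80 443; do
  echo "port $p (question's dump): $(audit_port "$SAMPLE_DUMP" $p)"
  echo "port $p (after fix):       $(audit_port "$FIXED_DUMP" $p)"
done
fix_rules 80
```

Run against the question's own nat table, the audit reports the FORWARD and POSTROUTING groups absent for both ports, which is consistent with a DNAT counter that grows while the browser times out: the packet is translated, but it is either dropped in FORWARD or the server sends its reply toward the client's real address via its default route instead of back through wg0. Two caveats before copying `fix_rules` output: MASQUERADE on wg0 means the server sees every forwarded connection as coming from 10.250.0.1, so server-side logs and rate limiters lose the real client address; the alternative discussed in the comments (`AllowedIPs = 0.0.0.0/0` on the server so it routes replies back into the tunnel) keeps the client address but changes the server's default route and therefore its management access. And keep the FORWARD rule scoped to `-d 10.250.0.2 --dport N`, not a blanket `-j ACCEPT`, so the proxy does not become a general router into the tunnel.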

0 Answers