Update: Sorry guys, looks like I just needed to reboot the public server.

My goal is to forward port 8096 from my private server to my public server. That is, any traffic at public server’s port 8096 should be tunneled to port 8096 of my private server and back.

I’ve set up a wireguard tunnel and ping is working from one device to the other. In this, 10.8.0.1 is the private server and 10.8.0.2 is the public server.

Here are my config files (/etc/wireguard/wg0).

--- On the public server ---
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = *****************************************

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding
PreUp = firewall-cmd --zone=public --add-port 8096/tcp
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = firewall-cmd --zone=public --remove-port 8096/tcp

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.1

--- On the private server ---
[Interface]
Address = 10.8.0.1/24
PrivateKey = *****************************************

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.2
Endpoint = <public-server-addr>:51820
PersistentKeepalive = 25

Now, I’m trying to test the connection using netcat. I’m listening from my private server using nc -l 8096 (I’ve made sure that the port is unblocked) and trying to connect from a third device using nc <public-server-addr> 8096 but it’s not working.

I have no idea what’s going on here. Some help from experienced people is very appreciated.

  • Geronimo Wenja@agora.nop.chat · 2 years ago

    You have to have a firewall rule on your public server to tell it to send any traffic on port 8096 to the IP of your private server. Currently, your public server isn’t listening on that port, so the packets would just be dropped.

    • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org (OP) · 2 years ago

      Don’t PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096 and PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE do that?

      I’m new to this stuff, so I’m probably wrong. What do you think I need to do to achieve this?

      • Max-P@lemmy.max-p.me · 2 years ago

        It should yeah, that’s the whole point of doing that through firewall. I’m not entirely sure how MASQUERADE will interact with a prior DNAT though.

      • Geronimo Wenja@agora.nop.chat · 2 years ago

        Ah, I did the bad thing and didn’t read properly.

        It looks correct, yes. Can you run iptables -L -t nat on the public host after bringing up the wireguard connection to see if it works?

        Also, if you can do a netcat to that same port from a local computer to that public endpoint without the wireguard connection running, you can test that the port isn’t being blocked anywhere else along the way.

        • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org (OP) · 2 years ago

          Edit: Looks like I just needed to reboot the public server.

          This is what I get when I do it.

          Chain PREROUTING (policy ACCEPT)
          target     prot opt source               destination
          DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
          DNAT       tcp  --  anywhere             anywhere             tcp dpt:8096 to:10.8.0.1:8096
          DNAT       tcp  --  anywhere             anywhere             tcp dpt:8096 to:10.8.0.1:8096
          
          Chain INPUT (policy ACCEPT)
          target     prot opt source               destination
          
          Chain OUTPUT (policy ACCEPT)
          target     prot opt source               destination
          DOCKER     all  --  anywhere            !localhost/8          ADDRTYPE match dst-type LOCAL
          
          Chain POSTROUTING (policy ACCEPT)
          target     prot opt source               destination
          

          And yes, it’s working locally. I even got it to work through the tunnel using redir but I need the masquerading to hide my private server’s IP.

          I saw a difference when it worked. I got server [192.168.0.5] 8096 open on connection. But I didn’t see it through this setup. I simply don’t get any reply at all.
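The `iptables -L -t nat` output above shows two things worth checking on any host set up like the public server in the original post: the DNAT rule appears twice (a PreUp that appends with `-A` stacks a new copy every time it runs without a matching PostDown), and the POSTROUTING chain is empty, so the MASQUERADE rule the config asks for is not installed. The script below is an added example, not code from the thread or from WireGuard: `audit_nat` parses `iptables -t nat -S` output and reports a missing or duplicated DNAT/MASQUERADE pair, and `ensure_rule` shows the `iptables -C ... || iptables -A ...` idiom that keeps a PreUp idempotent. The interface names, port and tunnel address (eth0, 8096, 10.8.0.1, wg0) are the ones from the posted config; the sample rule listing is constructed to mirror the posted output, and `fake_iptables` is a hypothetical shim that records rules in a temp file so the example runs without root.

```shell
#!/bin/sh
# Added example, not from the thread: audit the nat-table rules a WireGuard
# port forward needs, and add them idempotently so a PreUp line that runs
# twice does not stack a second copy.  Against a live host:
#   iptables -t nat -S | audit_nat eth0 8096 10.8.0.1 wg0
# Names (eth0, 8096, 10.8.0.1, wg0) are taken from the thread's config.

# Constructed sample of `iptables -t nat -S` output, mirroring the output
# posted in the thread: the DNAT rule is present twice and there is no
# MASQUERADE rule in POSTROUTING.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'

# count_dnat IFACE PORT DEST (rules on stdin): number of matching DNAT rules.
# `|| true` keeps the printed count at 0 instead of grep's exit status 1.
count_dnat() {
    grep -c -- "^-A PREROUTING -i $1 .*--dport $2 .*-j DNAT --to-destination $3:$2\$" || true
}

# count_masq WGIF (rules on stdin): number of MASQUERADE rules leaving WGIF.
count_masq() {
    grep -c -- "^-A POSTROUTING -o $1 -j MASQUERADE\$" || true
}

# audit_nat IFACE PORT DEST WGIF (rules on stdin): prints "ok" and returns 0
# only when exactly one DNAT and one MASQUERADE rule are installed;
# otherwise prints each problem found and returns 1.
audit_nat() {
    rules=$(cat)
    dnat=$(printf '%s\n' "$rules" | count_dnat "$1" "$2" "$3")
    masq=$(printf '%s\n' "$rules" | count_masq "$4")
    status=0
    case $dnat in
        1) ;;
        0) echo "missing: DNAT $1:$2 -> $3:$2"; status=1 ;;
        *) echo "duplicate: DNAT rule present $dnat times"; status=1 ;;
    esac
    case $masq in
        1) ;;
        0) echo "missing: MASQUERADE on $4 (replies would not return through the tunnel)"; status=1 ;;
        *) echo "duplicate: MASQUERADE rule present $masq times"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# ensure_rule TABLE RULE...: append RULE only if `iptables -C` says it is
# absent.  IPTABLES defaults to a hypothetical shim that records rules in a
# temp file so the example runs without root; set IPTABLES=iptables to use
# the real binary.
IPTABLES=${IPTABLES:-fake_iptables}
FAKE_RULES=$(mktemp)
fake_iptables() {
    # understands only "-t TABLE -C RULE" (check) and "-t TABLE -A RULE" (append)
    table=$2; op=$3; shift 3
    case $op in
        -C) grep -qxF -- "$table $*" "$FAKE_RULES" ;;
        -A) echo "$table $*" >>"$FAKE_RULES" ;;
    esac
}
ensure_rule() {
    table=$1; shift
    "$IPTABLES" -t "$table" -C "$@" 2>/dev/null || "$IPTABLES" -t "$table" -A "$@"
}
fake_rule_count() { wc -l <"$FAKE_RULES" | tr -d ' '; }

# The same PreUp lines run twice leave one DNAT and one MASQUERADE rule.
ensure_rule nat PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
ensure_rule nat PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
ensure_rule nat POSTROUTING -o wg0 -j MASQUERADE
echo "rules recorded by the shim: $(fake_rule_count)"

# Auditing the constructed sample reports the duplicate and the missing rule.
printf '%s\n' "$SAMPLE_RULES" | audit_nat eth0 8096 10.8.0.1 wg0 || echo "audit failed as expected for the sample"
```

The check is deliberately strict about the MASQUERADE rule: without it the private server sees the third device's real source address and answers it over its default route rather than back through wg0, which is the asymmetric path that produces exactly the "no reply at all" symptom described above. Wrapping each PreUp command in the `-C || -A` form keeps the table clean across repeated `wg-quick up` runs, but it does not replace checking the live table after bringing the interface up, since whether the MASQUERADE rule actually landed in POSTROUTING is the first thing the posted output calls into question.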