8
Unable to forward ports using wireguard
(lemmy.sdf.org)
submitted
1 year ago* (last edited 1 year ago)
by
SexualPolytope@lemmy.sdf.org
to
c/selfhosted@lemmy.world
Update: Sorry guys, looks like I just needed to reboot the public server.
My goal is to forward port 8096
from my private server to my public server. That, is any traffic at public server's port 8096
should be tunneled to port 8096 of my private server and back.
I've set up a wireguard
tunnel and ping
is working from one device to the other. In this, 10.8.0.1
is the private server and 10.8.0.2
is the public server.
Here are my config files (/etc/wireguard/wg0
).
***
On the public server
***
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = *****************************************
# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# port forwarding
PreUp = firewall-cmd --zone=public --add-port 8096/tcp
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = firewall-cmd --zone=public --remove-port 8096/tcp
# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.1
***
On the private server
***
[Interface]
Address = 10.8.0.1/24
PrivateKey = *****************************************
[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.2
Endpoint = <public-server-addr>:51820
PersistentKeepalive = 25
Now, I'm trying to test the connection using netcat
. I'm listening from my private server using nc -l 8096
(I've made sure that the port is unblocked) and trying to connect from a third device using nc <public-server-addr> 8096
but it's not working.
I have no idea what's going on here. Some help from experienced people is very appreciated.
I suspect the mixing of firewalld and iptables might not be helping there.
Other than that,
-j REDIRECT
might be a bit easier than DNAT, because with DNAT you also need to deal with SNAT too otherwise stuff won't come back to the client properly.Best way to troubleshoot this would be to tcpdump on both ends, and see if packets are coming in, and if they're also coming out.
Edit: Looks like I just needed to reboot the public server.
I was able to get it to work using
redir
but I do need masquerading.