Wireguard client and ports listening?

Hi,

My home server is my main server. It runs on Yunohost.
I also have a small VPS on Yunohost.

I have set the VPS as a Wireguard server,
and the home server as a Wireguard client.

Both have IPv4 addresses.
Only the home server has IPv6, which I disabled for convenience.
I disabled IPv6 on wireguard.

I want the home server to have the VPS IP address because:

  • reverse DNS configuration possible
  • not on spamming blacklist

What I did:

I successfully connected my home server to the vps through wireguard.

I updated my DNS zones accordingly on my home server.

Problem:

When running diagnosis on my home server connected to Wireguard, it says that ports 80, 443, 25, etc. are inaccessible online.

I opened these ports on both my home router, home yunohost, vps router and yunohost router. But ports are still reported as closed.

I searched for information on wireguard configuration to liberally allow clients with no restriction. On the WG server, I set the allowed IP to 0.0.0.0/0

I tried to make nginx, SMTP, IMAP listen to other ports than the default, and opened those ports on firewalls accordingly.

I even tried - for investigation purposes - to temporarily disable firewalls, open all ports, and put my server in the DMZ to see where it blocks, but I had no success.

I am pretty sure that through lack of experience I missed something. I spent 2.5 full days on it but failed.
Do you have any suggestions?
Let me know if you need more information.
Thanks

Hello,
Maybe you have to route ports via iptables with scripts like these

PostUp.sh (in /etc/wireguard folder)

#!/bin/bash
# The FORWARD/DNAT rules below only take effect if the kernel forwards packets (net.ipv4.ip_forward=1)
#Ports_List=$(seq 1 65535)

iptables -A FORWARD -i wg0 -j ACCEPT;
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE;

# icmp
iptables -A INPUT -p icmp -j ACCEPT;
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT;

# Routing TCP port 25 and 587 from Yunohost Server to internet
for j in 25 587
do
	iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -p tcp --dport $j -j SNAT --to YYY.YYY.YYY.YYY;
	iptables -A FORWARD -s XXX.XXX.XXX.XXX -p tcp --dport $j -j ACCEPT;
done

# Routing TCP port required from VPN server to Yunohost server
Ports_List=(25 80 140 443 587 993 1935 5222 5269 5349 6969 8095 8096 8097 22000 51413 64738)
for i in "${Ports_List[@]}"
do
	if [ $i -ne 22 ]
	then
		iptables -t nat -A PREROUTING -i ens3 -p tcp --dport $i -j DNAT --to-destination XXX.XXX.XXX.XXX;
		iptables -A FORWARD -d XXX.XXX.XXX.XXX -p tcp --dport $i -j ACCEPT;
	fi
done

# Save and quit (CTRL+O, CTRL+X)

Where XXX.XXX.XXX.XXX is your wireguard client IP and YYY.YYY.YYY.YYY is your public IP addr (VPS)

You have to do the same for closing the ports

PostDown.sh

#!/bin/bash
iptables -D FORWARD -i wg0 -j ACCEPT;
iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE;

# icmp
iptables -D INPUT -p icmp -j ACCEPT;
#ip6tables -D INPUT -p ipv6-icmp -j ACCEPT;

# Routing TCP port 25 and 587 from Yunohost Server to internet
for j in 25 587
do
	iptables -t nat -D POSTROUTING -s XXX.XXX.XXX.XXX -p tcp --dport $j -j SNAT --to YYY.YYY.YYY.YYY;
	iptables -D FORWARD -s XXX.XXX.XXX.XXX -p tcp --dport $j -j ACCEPT;
done

# Routing TCP port required from VPN server to Yunohost server
# Same list as PostUp.sh, otherwise the rules for the missing ports are never deleted
Ports_List=(25 80 140 443 587 993 1935 5222 5269 5349 6969 8095 8096 8097 22000 51413 64738)
for i in "${Ports_List[@]}"
do
	if [ $i -ne 22 ]
	then
		iptables -t nat -D PREROUTING -i ens3 -p tcp --dport $i -j DNAT --to-destination XXX.XXX.XXX.XXX;
		iptables -D FORWARD -d XXX.XXX.XXX.XXX -p tcp --dport $i -j ACCEPT;
	fi
done

# Save and quit (CTRL+O, CTRL+X)

ens3 is your ethernet device, wg0 is your wireguard interface.

In these scripts I checked if port 22 is not in the list to avoid losing control of the VPS.
Thanks

I forgot to tell you: you have to add these 2 lines in your wg0.conf under [Interface] on your server

PostUp = bash /etc/wireguard/PostUp.sh
PostDown = bash /etc/wireguard/PostDown.sh
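As an added example (not code from the thread or from Yunohost), here is one way to generate the PostUp and PostDown rules above from a single port list, so the two scripts cannot drift apart and the admin port is never forwarded; the addresses, interface names and port lists are assumed placeholders to replace with your own.

```bash
#!/bin/bash
# Hypothetical helper: prints the iptables commands for the VPS-side forwarding
# described above. Run with -A (PostUp) or -D (PostDown) from the same file.
WG_CLIENT="${WG_CLIENT:-10.10.10.2}"           # assumed WireGuard address of the home server
VPS_PUBLIC_IP="${VPS_PUBLIC_IP:-203.0.113.10}" # assumed public IPv4 of the VPS (documentation range)
WAN_IF="${WAN_IF:-ens3}"                       # VPS ethernet device
WG_IF="${WG_IF:-wg0}"                          # WireGuard interface
ADMIN_PORT=22                                  # never forwarded: keeps SSH on the VPS reachable
OUTBOUND_PORTS="25 587"                        # mail leaves with the VPS address (SNAT)
INBOUND_PORTS="25 80 443 587 993"              # published services, DNAT to the home server

# wg_rules <-A|-D>: one iptables command per output line, same order for add and delete
wg_rules() {
    local act="$1" p
    case "$act" in -A|-D) ;; *) echo "usage: wg_rules -A|-D" >&2; return 1 ;; esac
    echo "iptables $act FORWARD -i $WG_IF -j ACCEPT"
    echo "iptables -t nat $act POSTROUTING -o $WAN_IF -j MASQUERADE"
    for p in $OUTBOUND_PORTS; do
        echo "iptables -t nat $act POSTROUTING -s $WG_CLIENT -p tcp --dport $p -j SNAT --to $VPS_PUBLIC_IP"
        echo "iptables $act FORWARD -s $WG_CLIENT -p tcp --dport $p -j ACCEPT"
    done
    for p in $INBOUND_PORTS; do
        [ "$p" -eq "$ADMIN_PORT" ] && continue   # refuse to forward the admin port
        echo "iptables -t nat $act PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $WG_CLIENT"
        echo "iptables $act FORWARD -d $WG_CLIENT -p tcp --dport $p -j ACCEPT"
    done
}

# forwarding_enabled: DNAT rules do nothing unless the kernel forwards packets
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage from wg0.conf:  PostUp = bash /etc/wireguard/rules.sh -A | bash
#                       PostDown = bash /etc/wireguard/rules.sh -D | bash
# (review the printed rules with "bash rules.sh -A" first)
```

Pipe the output into bash only after reading it once; if `forwarding_enabled` fails, the DNAT rules will be installed but no packet will reach the home server.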