WireGuard – Port Forwarding Guide


I use applications like qbittorrent and airdcpp to share files. They all need some ports to be forwarded in order to be "connectable".

On my home connection I would go into the router settings and forward the ports, e.g. 56000, to my PC's local IP address, and the services would work fine.

Later I set up WireGuard on a Linode VPS, wishing to VPN into it and mask my IP. When I do that, my IP address is changed when I visit a site like https://whoer.net, but the ports used, e.g. 56000, are not forwarded and thus the apps are not "connectable".

What are the things I need to add in iptables in order for the VPS to forward those ports like my home router does?

Port 56000 is set to allow in the active VPS ufw firewall.

Many thanks for looking.

This is what my VPS wireguard conf looks like:

[Interface]
Address =,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs =,fd42:42:42::2/128

Best Answer

Since you're using UFW, first make sure the UFW rule for port 56000 that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp with udp for UDP):

ufw route allow proto tcp to port 56000

Then you need an iptables rule like this for each port you want to forward (where eth0 is the name of your WAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination

If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports flag (note the s) of the multiport module:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination

And since you're using UFW, you probably want to put your PREROUTING rules in the *nat block of your /etc/ufw/before.rules config file, like this (assuming you probably already have something similar to the POSTROUTING rule there):

# /etc/ufw/before.rules
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination

If you don't already have a *nat block in your /etc/ufw/before.rules file, add it at the end of the file. Restart UFW after you make the changes.
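As an added illustration (not part of the original answer), the small POSIX sh function below renders the PREROUTING DNAT line(s) for the *nat block of /etc/ufw/before.rules from a list of ports, choosing plain --dport for one port and the multiport --dports form for several, and refusing malformed ports or more than the 15 ports that multiport accepts per rule. The WAN interface name and the peer address (the peer's tunnel IPv4 address, i.e. the one in its AllowedIPs) are arguments; the values used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: render the DNAT rule(s) that
# belong in the *nat block of /etc/ufw/before.rules (before COMMIT).
# Usage: render_dnat_rules <wan_if> <tcp|udp> <peer_ip> <port> [port...]

# Accept only decimal port numbers in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

render_dnat_rules() {
  wan_if=$1 proto=$2 peer_ip=$3
  shift 3
  case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
  [ $# -ge 1 ] || { echo "no ports given" >&2; return 1; }
  ports="" n=0
  for p in "$@"; do
    valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    ports="${ports:+$ports,}$p"; n=$((n + 1))
  done
  # Matching on -i <wan_if> keeps the rewrite limited to traffic arriving
  # from the internet, so tunnel-internal traffic is never DNATed.
  if [ "$n" -eq 1 ]; then
    printf '%s\n' "-A PREROUTING -i $wan_if -p $proto --dport $ports -j DNAT --to-destination $peer_ip"
  elif [ "$n" -le 15 ]; then
    # The multiport match takes at most 15 ports in one rule.
    printf '%s\n' "-A PREROUTING -i $wan_if -p $proto -m multiport --dports $ports -j DNAT --to-destination $peer_ip"
  else
    echo "multiport accepts at most 15 ports per rule; split the list" >&2
    return 1
  fi
}

# Constructed placeholders: WAN interface eth0, peer tunnel address 10.0.0.2.
render_dnat_rules eth0 tcp 10.0.0.2 56000
render_dnat_rules eth0 tcp 10.0.0.2 123 456 789
```

Pair each rendered line with a matching `ufw route allow` rule, as the answer describes, or the DNATed packets will be dropped in the FORWARD chain.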
