Wireguard VPN – Port Unreachable When Connected

iptablesnetworkingroutingvpnwireguard

I have a server that routes all of its traffic through wireguard. When I start the wireguard, all ports listening on this server's public IP are unavailable – even ssh does not work.

What I want is to allow incoming traffic on a port (ssh for example) from any IP, but use wireguard for any outgoing connection.

Example:

MY_SERVER to any public ip -> use wireguard peer for routing (other servers should see wireguard peer's IP as source). This is working by having AllowedIPs = 0.0.0.0/0 in wireguard conf.

Any public IP to MY_SERVER -> this is not working when wireguard is enabled. If I stop wireguard it works.

Any ideas how can I allow incoming connections on my public IP and route outgoing connections through wireguard?

Update:

The main issue is that I am getting asymmetric routing due to wireguard routing all packets through it. So when incoming connection on public IP for given port comes in, it's reply is routed over wg0 instead of public interface and never makes it back to client.

I was able to somewhat fix it by adding ip rule add sport PORT table main but not sure if there is a better fix so I don't have to 1 by 1 add all ports – I want any port I start listening on to be routed correctly. Also, this fix works for TCP but not for UDP. Would be great if I can have it working for both protocols.

Best Answer

Your routing tables are stateless, they don't have any information about a packet being an answer or your port being bound. So you can use the connection table to add a mark when a connection is made to the server interface (not the wireguard one), and then restoring this mark for every packet of this connection.

You can then use this mark in a routing rule:

iptables -t mangle -A PREROUTING -d <server_address> -m conntrack --ctstate NEW -j CONNMARK --set-mark 51820
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
ip rule add fwmark 51820 table main

Or if you use nftables:

nft add rule ip mangle prerouting ip daddr <server_address> meta mark set 51820
nft add rule ip mangle prerouting meta mark 51820 ct mark set mark
nft add rule filter output meta mark set ct mark
ip rule add fwmark 51820 table main

Or you can do it with listing ports in rules, it might be the cleaner. For UDP, you want services to listen on a single IP address (not 0.0.0.0), and then the ip rule should work.

Related Solutions

Iptables – Configure Wireguard to Block All Non-SSH Traffic

I would be tempted to add a chain called perhaps called wireguard or something else with rules like these. These would be get added by something outside wireguard.

# create wireguard chain
iptables -t filter -N wireguard
# permit anything coming from or going to port 22
iptables -t filter -A wireguard -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A wireguard -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# drop everything else
iptables -t filter -A wireguard -j DROP

Then in your wireguard PostUp, just add rules like this.

iptables -t filter -I FORWARD -i %i -j wireguard
iptables -t filter -I FORWARD -o %i -j wireguard

Wireguard – How to Route All Traffic Through Wireguard Peer

You should probably start with using Table=off in the wg-quick conf on both S and P. The value of AllowedIPs= will not cause changes to the routes / policy routing rules on them then.

EDIT: Actually it should be fine to leave Table= untouched on P unless you need AllowedIPs= of S on it to be 0.0.0.0/0 instead of 192.168.60.0/24 for some reasons, e.g. need traffics originates from itself to be routed S. You don't need to mess with the routes and routing rules on P yourself since even the prefix in Address=192.168.60.2/24 should get the necessary route configured. The next paragraph probably does not apply to what you need -- although it might gives you some extra insights on how things work.

And you should probably use an additional IP subnet for S and P, e.g. 192.168.59.0/30. This will save you the hassle of needing extra ip rule. Remember to add the subnet route for 192.168.60.0/24 on P though, as with Table=off, only prefix routes will be added by the kernel for the prefix(es) in the Address= field(s). Make good use of PostUp= (and PreDown=) btw.

I don't suppose you want to route traffics that originates from S itself to P, so you probably want the following ip rule instead:

# ip rule add iif wg0 from 192.168.60.0/24 lookup 200

If you really need want to route e.g. traffics other than the ssh and wireguard server replies to P, you can additionally have:

# ip rule add iif lo lookup 200
# ip rule add iif lo ipproto tcp sport 22 lookup main
# ip rule add iif lo ipproto udp sport 51820 lookup main

Note: you can't just match with from 192.168.60.1 added in the first rule and omit the other two, because for non-replying traffics, the source address is often (if not always) chosen based on the decided route -- it's not set yet at this point.

Note that the order of the command normally determines the priority, so make sure you add the "superset" rule before the "subset" rules, otherwise the latter will be overridden by the former.

Also it's best to keep table 200 empty until all the desire rules are in position, otherwise remote access of the host could be cut off.

Finally nexthop makes no sense in route to an L3 tunnel:

# ip route add default dev wg0 table 200

P.S. Make sure you didn't just allow IP forwarding in the firewall but also enable it with sysctl.

Best Answer

Related Solutions

Iptables – Configure Wireguard to Block All Non-SSH Traffic

Wireguard – How to Route All Traffic Through Wireguard Peer

Related Topic