On 12/22/18 5:04 PM, Justin Pryzby wrote:
> On Sat, Dec 22, 2018 at 04:17:59PM -0800, C. Cook wrote:
>> I've set up WireGuard on a VM in my LAN.  In the LAN's router I am
>> port-forwarding my chosen (UDP) WireGuard port to the WireGuard server
>> in the LAN. (All CentOS 7.6)  I've forwarded the shorewall.dmp from the
>> WG server to Tom.
> What are the hosts involved ?
> WG <-> LAN router <-> internet ?

Yes, exactly.


> What address/interface/zone are you connecting from ?

Connecting from the phone using the WireGuard app, from some random IP
in the webosphere.

Comes in the router eth0 ('net') and is supposed to be DNATted out eth1
('local').


> Shorewall is running on WG, router, or both ?

Both.  Shorewall errors seen on the router, previously noted.


>> For the life of me I can not get the WG phone app communicating with the
>> server.
> From the LAN or public internet ?

From public random IP.


> There seems to be an issue with shorewall, but did you also check that WG has
> its port opened and forwarded to the VM ?

The server is listening but I can't confirm that it's appearing on the
router without connecting.


>> [1123910.652480] FORWARD REJECT IN=eth0 OUT=eth0
>> MAC=00:1f:5b:69:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50
>> DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP
>> SPT=37262 DPT=7962 LEN=156
> Is this is matching a "policy" log line or something else ?

I could see that the router was directing incoming WG packets from eth0,
back out eth0 (improperly) and Tom points out that they're getting
dropped in the FORWARD chain since I'm not allowing that.


> eth0 is "net" but has a private IP ?

No, eth0 has a public IP.  eth1 and eth2 have private IPs, in separate
class C's.


>> Here's the DNAT in rules:
>>
>> DNAT            net     local:10.1.50.16        udp     wgvpn   -
> Is that line early enough and in the (default) NEW section ?

This is what I used to DNAT to my DMZ, and yes in NEW.


> Should I assume wgvpn is added to local services as UDP port 7962 ?

Yes, correct.


> shorewall.conf has IP_FORWARDING=Yes ?

IP_FORWARDING=Keep

I guess since this is the router that should be Yes.  Changed.
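
A small triage helper for log lines like the FORWARD REJECT quoted above, added here as an example and not part of this thread or of Shorewall: it parses the netfilter fields, checks whether DST was already rewritten to the DNAT target, and flags the IN=OUT "hairpin" that Tom pointed out (the packet being routed back out the interface it arrived on, which the FORWARD chain then rejects). It assumes the log prefix format seen in the thread ("[ts] CHAIN DISPOSITION key=value ..."), and the second sample line is a constructed, hypothetical healthy entry where the packet leaves via eth1.

```python
import re

# Constructed sample input: line 1 is the FORWARD REJECT entry quoted in the
# thread; line 2 is a hypothetical (assumed) healthy entry where the same
# DNATted packet leaves via the LAN interface eth1 instead of eth0.
SAMPLE_LOG = """\
[1123910.652480] FORWARD REJECT IN=eth0 OUT=eth0 MAC=00:1f:5b:69:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50 DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP SPT=37262 DPT=7962 LEN=156
[1123911.104233] FORWARD ACCEPT IN=eth0 OUT=eth1 MAC=00:1f:5b:69:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50 DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP SPT=37262 DPT=7962 LEN=156
"""

LINE_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?P<chain>\S+)\s+(?P<disp>\S+)\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one log line into (chain, disposition, fields).
    LEN appears twice (IP header, then UDP); setdefault keeps the first."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields.setdefault(key, value)
    return m.group("chain"), m.group("disp"), fields


def diagnose(line, dnat_target="10.1.50.16", wg_port="7962"):
    """Return findings explaining why a WireGuard packet was logged."""
    parsed = parse_line(line)
    if parsed is None:
        return ["unparsable line"]
    chain, disp, f = parsed
    findings = []
    is_wg = f.get("PROTO") == "UDP" and f.get("DPT") == wg_port
    if is_wg and f.get("DST") == dnat_target:
        findings.append("dnat-applied")   # DST already rewritten to the VM
    elif is_wg:
        findings.append("dnat-missing")   # still addressed to the router itself
    if f.get("IN") and f.get("IN") == f.get("OUT"):
        findings.append("hairpin")        # routed back out the ingress interface
    if chain == "FORWARD" and disp in ("REJECT", "DROP"):
        findings.append("dropped-in-forward")
    return findings


def analyze(log_text):
    """Diagnose every non-empty line; returns [(line_number, findings), ...]."""
    return [(n, diagnose(l)) for n, l in enumerate(log_text.splitlines(), 1) if l.strip()]


if __name__ == "__main__":
    for num, findings in analyze(SAMPLE_LOG):
        print(num, ", ".join(findings) or "ok")
```

A "dnat-applied" plus "hairpin" result means the nat table did its job and the problem is the route the router picks for the rewritten destination, not the DNAT rule itself.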

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users