Port forwarding usually means an entry in the NAT table to change the destination address (DNAT) of incoming packets, usually on a specific port. You should be able to identify the entry that does this by listing the table:
While sending data over the forwarded port from outside, you should be able to see movement in the pkts/bytes numbers on this specific entry.
There should also be an entry in the filter table to allow packets on this specific port to be forwarded to the internal network:
Here too you can track the data by the pkts/bytes numbers to verify that it is identified and forwarded.
There is nothing that the WireGuard config does that really changes any of this. The entries should still be there.
However, if you have routed all outgoing data through the VPN (the default), then you might want to think about how a reply from your local client is supposed to find its way back to the WAN when all outgoing data is routed through the VPN?
//Zeb
Thank you very much for your reply, very much appreciated. I'm sorry if this reply will be much more chaotic than yours.
So. When the tunnel is up and I haven't added any rules of my own yet, this is what exists in PREROUTING:
86 4776 GAME_VSERVER all -- * * 0.0.0.0/0 <my.public.ip.on.eth0>
86 4776 VSERVER all -- * * 0.0.0.0/0 <my.public.ip.on.eth0>
But if I make a connection from the outside, of course the bytes are ticking up from other traffic as well, so it's hard to check specifically without, say, tcpdump or something. But I assumed that it is of course coming in there.
So I added another one, still in PREROUTING, that breaks out port 44500 specifically:
5 260 VSERVER tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:44500
Now when I try to connect on that port from the outside, I see the bytes ticking in on that specific rule. So far so good. Now it's not bundled together with all the other traffic that I see in the general catch-all rule VSERVER. Again, just for testing purposes.
Now. Since it's VSERVER, I took a look at that. The only rule defined in VSERVER is this (2 references due to me making a specific PREROUTING one for my port):
Chain VSERVER (2 references)
122 6583 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
And sure enough, when I try to connect from the outside with my specific port, I see those bytes ticking up a bit faster. But I want to see if it's "my" traffic...
To see my specific traffic on port 44500, I added another rule to the VSERVER chain:
10 520 VUPNP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:44500
And again, if I try to connect from the outside, I see that new rule ticking up with only "my" bytes every time I try on that port.
So the "chain of events" so far is:
* Traffic comes in on port 44500 on the interface eth0
* A rule in PREROUTING shoves it further to the chain VSERVER
* At VSERVER I can see the traffic at 10 520 VUPNP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:44500
* The end. The router doesn't know what to do next with the traffic...
So... how do I add a rule/rules that from VSERVER (or directly from PREROUTING) makes sure that all incoming traffic (tcp, port 44500) gets to my internal device, 10.0.1.100? Because right now, it stops in the chain VSERVER -> VUPNP.
As I wrote in my initial question, I can get port forwarding to work if the VPN tunnel is down:
If I add these rules:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 44500 -j DNAT --to-destination 10.0.1.100
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 44500 -j DNAT --to-destination 10.0.1.100
iptables -t nat -I POSTROUTING -o eth0 -p tcp --sport 44500 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth0 -p udp --sport 44500 -j MASQUERADE
I can connect as I wish to port 44500 (ssh) on my internal device (10.0.1.100) IF and only IF the wg client is stopped so that the tunnel is brought down.
I wish I were a bit smarter so I could understand this...
Oh, by the way, I've seen posts like this, but I can't edit /etc/iproute2/rt_tables to try that specific howto, although it seems logical to do. No matter what I try or do, rt_tables is locked so I can't do anything to it:
Howto Bypass Wireguard VPN for specific port
Again, a huge thanks for the answer.
//P
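As an added example that is not part of either post above: the complete rule set Zeb's reply describes (the DNAT entry, the filter-table entry, and a return path for the replies) applied to P's case, written as a POSIX shell script. The WAN gateway 203.0.113.1 is a constructed placeholder, and the mark value 0x1 and table number 100 are arbitrary choices; because the routing table is referenced by number only, the script does not need /etc/iproute2/rt_tables to be writable. By default (DRY_RUN=1) it only prints the commands it would run; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): forward TCP/UDP 44500 arriving on eth0
# to 10.0.1.100, and make the replies leave via eth0 instead of following the
# WireGuard default route. WAN_GW is a constructed placeholder.
set -eu

WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-203.0.113.1}"   # placeholder: replace with the real eth0 gateway
LAN_HOST="${LAN_HOST:-10.0.1.100}"
PORT="${PORT:-44500}"
MARK="${MARK:-0x1}"               # arbitrary connection mark
TABLE="${TABLE:-100}"             # numeric table id: no rt_tables entry needed
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. nat/PREROUTING: rewrite the destination of inbound traffic on PORT.
#    Inserted with -I so it sits before the firmware's VSERVER jump.
nat_rules() {
    for proto in tcp udp; do
        run iptables -t nat -I PREROUTING -i "$WAN_IF" -p "$proto" --dport "$PORT" \
            -j DNAT --to-destination "$LAN_HOST"
    done
}

# 2. filter/FORWARD: allow the DNATed packets in and the replies back out.
filter_rules() {
    for proto in tcp udp; do
        run iptables -I FORWARD -i "$WAN_IF" -p "$proto" -d "$LAN_HOST" --dport "$PORT" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    run iptables -I FORWARD -o "$WAN_IF" -s "$LAN_HOST" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 3. mangle/PREROUTING: mark the connection when it arrives on the WAN side,
#    then copy that mark onto the reply packets coming from the LAN host so the
#    routing decision for the reply can see it.
mark_rules() {
    for proto in tcp udp; do
        run iptables -t mangle -I PREROUTING -i "$WAN_IF" -p "$proto" --dport "$PORT" \
            -j CONNMARK --set-mark "$MARK"
    done
    run iptables -t mangle -I PREROUTING -s "$LAN_HOST" \
        -m connmark --mark "$MARK" -j CONNMARK --restore-mark
}

# 4. policy routing: marked packets use a table whose default route is the WAN
#    gateway, so they bypass the wg0 default route in the main table.
policy_routes() {
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

apply_all() {
    nat_rules
    filter_rules
    mark_rules
    policy_routes
}

apply_all
```

The counters can be watched exactly as P did, with `iptables -t nat -L PREROUTING -v -n` and `iptables -t mangle -L PREROUTING -v -n`: the set-mark rule should tick on each connection attempt from outside, and the restore-mark rule should tick on the replies from 10.0.1.100. If the first ticks and the second does not, the LAN host is not answering (or is answering via a different path) rather than the router misrouting the reply.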