Port forwarding on WireGuard seems unsupported in 388.1

I was able to open the port on the WireGuard VPN using only the following lines in firewall-start

ifconfig br0:0 192.168.1.xxx up
iptables -t nat -A PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -A PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

@Jeffrey Young do I still need to put the delete rules with the above lines?
The NAT rules should go in the nat-start script. The ifconfig can stay in firewall-start script.

Yes, you should include the delete (-D) rules above your insert rules so as not to create a bunch of duplicate rules should the script get called multiple times.

By WireGuard's very nature, a kill switch is not possible.

EDIT: perhaps we can rewind and you explain exactly what you are trying to achieve. The reason for setting up an alias IP on the br0 bridge is confusing me.
 
It's always a good idea to execute your modified commands at the prompt directly so you see the commands execute OK, there are no errors and they give you the correct effect, before putting them in nat-start/firewall-start. And/or you can test and tweak the commands until it's working.

You didn't use the FORWARD command; I guess you have "allow inbound firewall" turned on, so the firewall is wide open between wgc2 and your LAN. My commands only open for the forwarded packets; all others are closed. Do as you wish.
 
I am running Transmission on the router. In Transmission's settings.json I set up a bind IP for Transmission, "bind-address-ipv4": "192.168.1.xxx", so that that specific IP goes through the VPN. In order for this IP to get internet I had to add the br0 bridge command to firewall-start.

@ZebMcKayhan I didn't open the inbound firewall, as you can see. However, I have no knowledge of how to do these things; I am piecing together different information from the forum and running tests. If there is a better way to achieve it I would love to know. Thx
(see attached settings)
 

Attachments: three JPEG screenshots of the settings (not reproduced here).
Thanks. That adds context. Also explains why you did not need the forward rules. You were talking to the router itself. No need to forward.
 
With that said, would you change something in my settings?
You previously mentioned to move the nat rules to nat-start. Do I still need to do it? Should I create a nat start script?
Also, you mentioned the delete rules (-D). Do I still need it? If so how would you add it to my existing script (I have no idea)
Thanks
 
Yes, any iptables rules that deal with NAT should go in the nat-start script. How they are handled and why in Merlin, I don't know.

Your nat-start script would then look something like:

Code:
#!/bin/sh

# Delete any copy of the rules left by an earlier run (errors silenced: on the
# first run there is nothing to delete yet).
iptables -t nat -D PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1
iptables -t nat -D PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1

# Insert (-I) the rules at the top of PREROUTING.
iptables -t nat -I PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -I PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

Note that I am using -I (insert) as opposed to -A (append). If you append the rules to the end, you run the risk of inserting your rules after a DROP rule or a RETURN rule in the tables.
 
Thanks Jeffrey, I made the changes and it seems to work just fine. The port is open on the WireGuard VPN. Will report if any issues.
 
Just FYI... if you need this port to reach some local service on the router, my 2 rules in the FORWARD chain should be replaced by something like this in the INPUT chain:
Code:
iptables -I INPUT -p tcp -i wgc1 --dport 8080 -j ACCEPT
iptables -I INPUT -p udp -i wgc1 --dport 8080 -j ACCEPT
But apparently Transmission (or you, via some means) already took care of this. I thought I'd mention it for future reference.
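Pulling together the two points made above (delete-then-insert so the NAT rules never duplicate, and INPUT versus FORWARD depending on whether the destination is the router itself or a LAN host), here is an added example script. It is not the thread's own nat-start/firewall-start and not anything from the Merlin project; the interface name wgc2, port 55000 and address 192.168.1.250 are placeholders, and DEST_ON_ROUTER is an assumed switch for the INPUT/FORWARD choice.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: an idempotent helper that
# produces the same kind of rules as the nat-start discussed above (delete any
# old copy, then insert at the top of the chain) plus the matching filter rule.
# Interface, port and address below are placeholders, not real values.

WG_IF="${WG_IF:-wgc2}"                  # WireGuard client interface the traffic arrives on
FWD_PORT="${FWD_PORT:-55000}"           # forwarded port (placeholder)
DEST="${DEST:-192.168.1.250}"           # LAN address or br0 alias that receives it (placeholder)
DEST_ON_ROUTER="${DEST_ON_ROUTER:-1}"   # 1 = DEST is an alias on the router itself (assumed switch)
IPT="${IPT:-iptables}"

# Off the router (not root, or no iptables binary) only print the commands.
if [ "$(id -u)" != 0 ] || ! command -v "$IPT" >/dev/null 2>&1; then
    IPT="echo DRY-RUN: iptables"
fi

# ensure_rule TABLE CHAIN RULE...: remove an existing copy first (errors are
# silenced; on the first run there is nothing to delete), then insert at the
# head of the chain so the rule cannot land behind a DROP or RETURN.
ensure_rule() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -D "$chain" "$@" >/dev/null 2>&1 || true
    $IPT -t "$table" -I "$chain" "$@"
}

# filter_chain_for FLAG: traffic addressed to the router itself is decided in
# INPUT, traffic for a separate LAN host in FORWARD.
filter_chain_for() {
    if [ "$1" = 1 ]; then echo INPUT; else echo FORWARD; fi
}

# nat-start part: DNAT the forwarded port for both protocols.
apply_nat() {
    for proto in tcp udp; do
        ensure_rule nat PREROUTING -i "$WG_IF" -p "$proto" --dport "$FWD_PORT" \
            -j DNAT --to-destination "$DEST"
    done
}

# firewall-start part: accept only the forwarded port from WG_IF, nothing else.
apply_filter() {
    chain=$(filter_chain_for "$DEST_ON_ROUTER")
    for proto in tcp udp; do
        ensure_rule filter "$chain" -i "$WG_IF" -p "$proto" -d "$DEST" \
            --dport "$FWD_PORT" -j ACCEPT
    done
}

apply_nat
apply_filter
```

Run as is on a workstation it only prints the commands it would issue; on the router, apply_nat belongs in nat-start and apply_filter in firewall-start (the br0:0 alias from the earlier post stays there too), and DEST_ON_ROUTER=0 switches the accept rule to FORWARD when the destination is a separate LAN host. Because every rule goes through ensure_rule, calling either script repeatedly leaves exactly one copy of each rule in place.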
 
Hi @ZebMcKayhan and team. You guys helped me two years ago writing the script to allow Transmission through the WireGuard client. That nat-start and firewall-start worked great for the past 2 years and now it stopped. Not sure if it's due to the amtm update or the Asus firmware update, but the same scripts are not working. Transmission is not downloading. Any ideas? Thank you.
 
From my limited knowledge, I guess that this could be a firmware rather than AMTM issue:

Post in thread 'Wireguard Server not allowing access to Intranet even though selected' https://www.snbforums.com/threads/w...tranet-even-though-selected.82379/post-960126
 
Please list in your signature the router you are using and the firmware version. It goes a long way in providing help.

As @Aiadi has pointed out, the newest 3006 firmware has proved to give some new challenges. I don't use Asus's GUI implementation of WireGuard. I prefer to stay with the CLI (have done so since the first WireGuard kernel module was compiled for the AC86U).

The only suggestions that I have for you are:

1. Verify your VPN provider link is still functioning
2. Check the br0 bridge to ensure your alias IP address is still setup (ifconfig br0)
3. Check the firewall rules to see if your rules are still in place (either iptables -t nat -nvL or iptables-save). Also see if there are any other rules that may be interfering.

Sorry, this is the best I can do right now. The 3006 branch is still much too immature to run in a production environment (in my opinion). I won't be jumping to 3006 for a long time yet (at least for a few more version releases - at least until Asus has finished using its userbase to beta test their stuff).
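Step 3 above (confirm the rules are still in place with iptables-save, and that nothing sits in front of them) can be done mechanically rather than by eye. The script below is an added example, not from the thread or from Merlin: it reads an iptables-save dump and reports how many nat PREROUTING rules DNAT to the expected address and where the first one sits. The embedded dump is constructed for offline use; 192.168.1.250, port 55000, 203.0.113.10 and the VSERVER jump are placeholders standing in for whatever a real router prints.

```shell
#!/bin/sh
# Added example, not from the thread: check an iptables-save dump for the DNAT
# rules the way step 3 above suggests. On the router:
#   iptables-save > /tmp/rules.txt ; DEST=192.168.1.xxx sh check.sh /tmp/rules.txt
# The sample dump at the bottom is constructed (placeholder addresses).

DEST="${DEST:-192.168.1.250}"   # where the forwarded port should land (placeholder)

# count_dnat_rules FILE: how many nat PREROUTING rules DNAT to $DEST.
# Expected: exactly 2 (one tcp, one udp). More means duplicates (a nat-start
# without the -D lines); 0 means the rules are gone, e.g. after a firmware change.
count_dnat_rules() {
    awk -v dest="$DEST" '
        /^\*/ { table = $1 }       # iptables-save section header, e.g. *nat
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" &&
            index($0, "--to-destination " dest) { n++ }
        END { print n + 0 }' "$1"
}

# first_dnat_position FILE: 1-based position of the first such rule inside
# PREROUTING (0 if absent). Rules are evaluated top-down, so a rule that sits
# behind a RETURN or DROP never fires; that is why nat-start uses -I, not -A.
first_dnat_position() {
    awk -v dest="$DEST" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            pos++
            if (!found && index($0, "--to-destination " dest)) found = pos
        }
        END { print found + 0 }' "$1"
}

# report FILE: one-word verdict: missing, ok, or duplicates.
report() {
    n=$(count_dnat_rules "$1")
    if [ "$n" -eq 0 ]; then echo missing
    elif [ "$n" -gt 2 ]; then echo duplicates
    else echo ok
    fi
}

# Constructed sample standing in for real iptables-save output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wgc2 -p tcp -m tcp --dport 55000 -j DNAT --to-destination 192.168.1.250
-A PREROUTING -i wgc2 -p udp -m udp --dport 55000 -j DNAT --to-destination 192.168.1.250
-A PREROUTING -d 203.0.113.10/32 -j VSERVER
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i wgc2 -p tcp -m tcp -d 192.168.1.250 --dport 55000 -j ACCEPT
COMMIT
EOF

RULES="${1:-$SAMPLE}"
echo "dnat rules: $(count_dnat_rules "$RULES"), first at position $(first_dnat_position "$RULES"), verdict: $(report "$RULES")"
```

A verdict of "missing" after a firmware update points at the scripts no longer being executed (or the interface name having changed), while "duplicates" is the symptom the -D lines are there to prevent; a first position well down the chain means an -A crept back in somewhere.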
 
Thank you for the reply. Added the details to my signature.
I haven't changed my previous setup. I have both nat-start and firewall-start scripts still in place. The firewall-start only has the ifconfig br0:0 192.168.1.xxx up and the nat-start has the below.
Code:
#!/bin/sh

iptables -t nat -D PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1
iptables -t nat -D PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx > /dev/null 2>&1

iptables -t nat -I PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -I PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

I am getting peers and it downloads, but the Transmission GUI shows the port as closed! I also opened the port in the router's WAN firewall settings just in case. I also opened the same UDP port on the Torguard port forward tool website (didn't open the TCP; don't think it's needed??).

I must be missing something.
Thx
 
i am getting peers and it downloads
I am confused. It is working? I don't use transmission, so I really can't say why transmission says the port is closed.
 
