anbuchelva / Pi-hole-and-Wireguard-on-Oracle-Cloud-always-free-tier

Block advertisements and trackers using pi-hole in Oracle Always Free tier
MIT License

Using RDP between clients #7

Closed robertgpeterson closed 1 year ago

robertgpeterson commented 1 year ago

Thank you for this script to install WG & PiHole on Oracle. I have previously used another script on Ionos and then on Google cloud to compare performance from Africa. Then I discovered Oracle and tried to set up a VM using the other script but couldn't get it to work. I went looking, found this script, and now I am able to connect from my clients perfectly. Thank you!

I am however having trouble connecting between clients using RDP. I have tried various configurations mirroring what works on the other Wireguard servers without success. I am suspecting a difference in iptables but not knowledgeable enough to determine that.

Do you have any suggestions?

Thank you again for the helpful script! Rob

For quick reference, here is wg config from Oracle plus the script that it references which works:

WG CONFIG FILE (ORACLE)

Address = 10.66.66.1/24,fd42:42:42::1/64
.......
PostUp = /etc/wireguard/ipt/start.sh; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = /etc/wireguard/ipt/stop.sh; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 -s 10.66.66.1/24 -o ens3 -j MASQUERADE

ORACLE START.SH

iptables -I INPUT 1 -i wg0 -j ACCEPT
iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
iptables -I INPUT 1 -i ens3 -p udp --dport 51515 -j ACCEPT

ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42::1/64 -o ens3 -j MASQUERADE
ip6tables -I INPUT 1 -i wg0 -j ACCEPT
ip6tables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
ip6tables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT

Here is the content of the Google WG server that does allow RDP.

GOOGLE CLOUD WG CONFIG

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
.......
PostUp = iptables -I INPUT -p udp --dport 54209 -j ACCEPT
PostUp = iptables -I FORWARD -i ens4 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens4 -j MASQUERADE

anbuchelva commented 1 year ago

I assume you need to add this in the rules. Make sure you use the right port no.

PostUp = iptables -I INPUT -p udp --dport 51515 -j ACCEPT

Let me know the result. Check this for more info.

robertgpeterson commented 1 year ago

Thank you for the suggestion. I tried adding that as 2nd "PostUp =" line with both "INPUT" and "INPUT 1" (noticed in the START.SH file) but could no longer connect via Wireguard to the Oracle server/peer using either one. Does the order or location (in the script itself) matter?

The fact that this calls a script makes it a little harder for me to compare. I integrated the contents of the START.SH to the other entries that follow the script and broke it out into individual lines. This is what I get. There is apparently something here that makes it so that this works on Oracle and something that doesn't let RDP, but I don't have enough iptables experience to figure that out.

PostUp = iptables -I INPUT 1 -i wg0 -j ACCEPT # Script
PostUp = iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT # Script
PostUp = iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT # Script
PostUp = iptables -I INPUT 1 -i ens3 -p udp --dport 51515 -j ACCEPT # Script
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

The performance on Oracle seems really solid and would love to see this work.

anbuchelva commented 1 year ago

I don't have vast knowledge in iptables. Here is the outcome of the start.sh stored in /etc/wireguard/ipt/

#!/bin/bash

/sbin/iptables -t nat -I POSTROUTING 1 -s 10.66.66.1/24 -o ens3 -j MASQUERADE
/sbin/iptables -I INPUT 1 -i wg0 -j ACCEPT
/sbin/iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
/sbin/iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
/sbin/iptables -I INPUT 1 -i ens3 -p udp --dport 51515 -j ACCEPT

/sbin/ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42::1/64 -o ens3 -j MASQUERADE
/sbin/ip6tables -I INPUT 1 -i wg0 -j ACCEPT
/sbin/ip6tables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
/sbin/ip6tables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
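As an added example (not part of this thread or the project's own scripts): a first-match walk over a constructed `iptables -S FORWARD` dump modelled on the start.sh above, assuming the cloud image's FORWARD chain already ended in a REJECT rule before the script ran (verify on the real host with `iptables -S FORWARD`). It shows that a client-to-client packet (in on wg0, out on wg0) never reaches an ACCEPT, while a single inserted wg0-to-wg0 rule changes that verdict.

```shell
#!/bin/sh
# Constructed sample of what `iptables -S FORWARD` could show after start.sh and
# the config's "-A FORWARD -i wg0 -j ACCEPT" ran, ASSUMING the image's default
# FORWARD chain already ended in a REJECT rule. The two "-I FORWARD 1" rules
# land in front of that REJECT; the appended "-A" rule lands behind it.
FORWARD_RULES='-P FORWARD ACCEPT
-A FORWARD -i wg0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -j ACCEPT'

# Same chain with one extra rule inserted at position 1 for peer-to-peer traffic.
FIXED_RULES="-P FORWARD ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
$(printf '%s\n' "$FORWARD_RULES" | sed 1d)"

# verdict IN_IF OUT_IF [RULES]: first-match walk of a FORWARD chain dump for a
# packet entering on IN_IF and leaving on OUT_IF. Only -i, -o and -j are
# interpreted (enough for these rules); prints the target of the first matching
# rule, or the chain policy when nothing matches.
verdict() {
  printf '%s\n' "${3:-$FORWARD_RULES}" | awk -v iif="$1" -v oif="$2" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      in_if = ""; out_if = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") in_if = $(i + 1)
        else if ($i == "-o") out_if = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if ((in_if == "" || in_if == iif) && (out_if == "" || out_if == oif)) {
        print target; matched = 1; exit
      }
    }
    END { if (!matched) print policy }'
}

# Client-to-Internet is accepted, client-to-client (RDP between peers) is
# rejected, and the inserted wg0-to-wg0 rule is what flips the second verdict.
echo "wg0 -> ens3:         $(verdict wg0 ens3)"                  # ACCEPT
echo "wg0 -> wg0:          $(verdict wg0 wg0)"                   # REJECT
echo "wg0 -> wg0 (fixed):  $(verdict wg0 wg0 "$FIXED_RULES")"    # ACCEPT
```

Run `iptables -S FORWARD` on the VPN host and feed its output as the third argument to compare the real chain instead of the constructed one.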
robertgpeterson commented 1 year ago

So the line that seems similar is this one in the Oracle Script:

/sbin/iptables -I INPUT 1 -i ens3 -p udp --dport 51515 -j ACCEPT

It includes "-i ens" that is not in the Google script.

Remove the "-i ens" and try?

robertgpeterson commented 1 year ago

Tried it. Didn't break VPN connectivity but didn't allow RDP.

anbuchelva commented 1 year ago

You can try using tailscale, they provide an easy way to connect the clients. I'm sorry, I couldn't help you.

robertgpeterson commented 1 year ago

Thank you for trying. I have $300 credit on Google and will use that for a while pending some time to try to identify the difference.