angristan / wireguard-install

WireGuard VPN installer for Linux servers
https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
MIT License

multi-port with iptables #445

Open xyz-nobody opened 1 year ago

xyz-nobody commented 1 year ago

I usually run my wireguard on port 443. Recently I was traveling and I came across a network that was doing something weird on port 443 and I could not connect to port 443 with wireguard.

I opened other ports to connect:

iptables -A INPUT -p udp -m multiport --dports 80,554,51820,443 -j ACCEPT

iptables -t nat -A PREROUTING -p udp -m multiport --dports 80,554,51820 -j REDIRECT --to-ports 443

It would be cool if the bash script could allow us to choose a default port that we want to open:

Default port (e.g.): 443. Alternative ports: 80, 554, 51820

and configure it with iptables. This way we don't have to have several instances of wireguard on different ports.

jaminmc commented 1 year ago

I believe that only iptables -t nat -A PREROUTING -p udp -m multiport --dports 80,554,51820 -j REDIRECT --to-ports 443 is needed, as it is done pre-routing, so you don't need to open those ports first, as it redirects them to your port 443.

No need for a bash script; just put it in the PostUp/PostDown section of your WireGuard config file.

Here is my multiport iptables in my wg0.conf file:

PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostUp = ip6tables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostDown = ip6tables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234

That is for receiving on port 1234... With that, WireGuard will receive ports 10 - 8000, except 67 and 68.

Note: if your server gets an IP from a DHCP server, don't forward 67 & 68. I also skipped the target port. It may still work if it is in the range, but it is less for it to compute.
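The two approaches above (a handful of alternative ports in the opening post, a wide port range minus the listen port and DHCP ports in the reply) both come down to building a `--dports` list for one `REDIRECT` rule. The following helper is an added example, not code from the wireguard-install project or either commenter: it generates the list from a listen port, a range and ports to leave out, checks that the list fits the 15-slot limit of iptables' multiport match (a range counts as two slots), and prints the four PostUp/PostDown lines. The function names, the interface `eth0` and the port numbers in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Generate PostUp/PostDown REDIRECT rules so a WireGuard listen port is also
# reachable on a range of alternative UDP ports.
# wg_redirect_ranges, multiport_slots, wg_redirect_rules, "eth0" and the demo
# ports are assumptions for this example, not the project's own code.

# Print one multiport element: "N" for a single port, "A:B" for a range.
range_elem() {
    if [ "$1" -eq "$2" ]; then printf '%s' "$1"; else printf '%s:%s' "$1" "$2"; fi
}

# wg_redirect_ranges LISTEN LO HI [SKIP...]
# Emit a comma-separated --dports list covering LO..HI, minus LISTEN itself
# and any SKIP ports (e.g. 67 68 when the server is itself a DHCP client).
wg_redirect_ranges() {
    wr_listen=$1; wr_lo=$2; wr_hi=$3; shift 3
    wr_out=""; wr_start=$wr_lo
    # Walk the sorted, de-duplicated skip list and emit the gaps between them.
    for wr_s in $(printf '%s\n' "$wr_listen" "$@" | sort -n -u); do
        [ "$wr_s" -lt "$wr_lo" ] && continue
        [ "$wr_s" -gt "$wr_hi" ] && break
        if [ "$wr_s" -gt "$wr_start" ]; then
            wr_out="${wr_out}${wr_out:+,}$(range_elem "$wr_start" $((wr_s - 1)))"
        fi
        wr_start=$((wr_s + 1))
    done
    if [ "$wr_start" -le "$wr_hi" ]; then
        wr_out="${wr_out}${wr_out:+,}$(range_elem "$wr_start" "$wr_hi")"
    fi
    printf '%s\n' "$wr_out"
}

# multiport_slots LIST: how many of the 15 slots of iptables' multiport match
# the list consumes (a range "A:B" counts as two, a single port as one).
multiport_slots() {
    ms_n=0
    for ms_e in $(printf '%s' "$1" | tr ',' ' '); do
        case $ms_e in *:*) ms_n=$((ms_n + 2));; *) ms_n=$((ms_n + 1));; esac
    done
    printf '%s\n' "$ms_n"
}

# wg_redirect_rules LISTEN IFACE DPORTS: print the four wg0.conf lines
# (PostUp adds, PostDown deletes; IPv4 and IPv6). Returns 1 if DPORTS would
# not fit a single multiport match, so the rule would be rejected at load time.
wg_redirect_rules() {
    rr_listen=$1; rr_if=$2; rr_dports=$3
    if [ "$(multiport_slots "$rr_dports")" -gt 15 ]; then
        echo "error: '$rr_dports' exceeds multiport's 15 slots; split into several rules" >&2
        return 1
    fi
    for rr_act in "PostUp = " "PostDown = "; do
        case $rr_act in PostUp*) rr_op=-A;; *) rr_op=-D;; esac
        for rr_tool in iptables ip6tables; do
            printf '%s%s -t nat %s PREROUTING -i %s -p udp -m multiport --dports %s -j REDIRECT --to-ports %s\n' \
                "$rr_act" "$rr_tool" "$rr_op" "$rr_if" "$rr_dports" "$rr_listen"
        done
    done
}

# Demo (assumed values): listen on 1234, also accept 10-8000 except 67/68
# (DHCP) and 1234 itself, on eth0.
DPORTS=$(wg_redirect_ranges 1234 10 8000 67 68)
wg_redirect_rules 1234 eth0 "$DPORTS"
```

Run it once with the listen port and interface from your own wg0.conf and paste the output into the `[Interface]` section. Redirected packets still reach WireGuard on the listen port only, so the INPUT rule (or firewall) only needs to allow that one port; the alternative ports never need to be opened separately.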