runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Iptables rules in PostUp & PostDown #81

Open tregnier opened 3 years ago

tregnier commented 3 years ago

Hi,

Some feedback after a few days of breaking my teeth on the configuration of WireGuard.

I managed to get a connection with the Synology NAS used as the server, but not to any of the other local devices on the same LAN as the Synology server. I could access 192.168.0.2 (Synology NAS), but none of the other devices, like 192.168.0.3, could be accessed.

After a few searches, I realized that the following lines in the WireGuard server config:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

were not writing any rules to iptables. I broke them into separate lines:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Everything is now working like a charm.

My configuration:

[Peer]
PublicKey = Device 1 public key
AllowedIPs = 10.0.10.2/32

[Peer]
PublicKey = Device 2 Public Key
AllowedIPs = 10.0.10.3/32


Configuration on client device:

[Interface]
PrivateKey = ***
ListenPort = 1500
Address = 10.0.10.3/32

[Peer]
PublicKey = Synology Public Key
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = mydomain:1500



The AllowedIPs above for the client redirects all traffic through the VPN: if I connect from my phone and look at my public IP address, I will see my IP address from home.
I can configure AllowedIPs = 10.0.10.1/32, 192.168.0.0/24 to have only my local network going through the VPN, i.e. only extending my home LAN through the VPN tunnel.

As you can guess I am a real beginner on all those matters; hope this can help others. I am actually curious why the PostUp & PostDown on one line does not work for me. It might be as stupid as a space character mistake or so; I'm actually curious to know.

So no real issue here (well, solved), but I was not too sure where to post it, as it might help others.

Thanks,
theo
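As an added example (not part of this thread or of the synology-wireguard project), a small audit of a wg-quick config for the two things discussed in this post: it expands PostUp/PostDown the way wg-quick runs them (each value through sh, so both the semicolon-joined and the one-command-per-line style yield the same command list), reports any iptables -A rule in PostUp that has no matching -D in PostDown (leftover NAT/forward rules after `wg-quick down`), and flags peers whose AllowedIPs cover all of IPv4. The sample config and placeholder keys are constructed for the example.

```python
# Constructed sample in the style of the server config from this thread (placeholder keys).
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.10.1/24
ListenPort = 1500
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
AllowedIPs = 10.0.10.2/32
"""

def parse_conf(text):
    """Parse an INI-style wg-quick config; repeated keys (PostUp, PostDown) are kept in order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1], "keys": {}}
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["keys"].setdefault(key.strip(), []).append(value.strip())
    return sections

def hook_commands(values, iface):
    """Expand hook values like wg-quick does: run through sh (';' splits), %i = interface name."""
    return [p.strip().replace("%i", iface)
            for v in values for p in v.split(";") if p.strip()]

def audit(text, iface="wg0"):
    """Findings: PostUp iptables rules never removed in PostDown, and peers allowed all IPv4
    (full tunnel on a client; on a server it lets that peer source any address)."""
    findings = []
    for sec in parse_conf(text):
        keys = sec["keys"]
        if sec["name"] == "Interface":
            up = hook_commands(keys.get("PostUp", []), iface)
            down = hook_commands(keys.get("PostDown", []), iface)
            for cmd in up:
                if cmd.startswith("iptables") and " -A " in cmd:
                    if cmd.replace(" -A ", " -D ", 1) not in down:
                        findings.append("PostUp rule never removed in PostDown: " + cmd)
        elif sec["name"] == "Peer":
            nets = {n.strip() for v in keys.get("AllowedIPs", []) for n in v.split(",")}
            if "0.0.0.0/0" in nets or {"0.0.0.0/1", "128.0.0.0/1"} <= nets:
                findings.append("peer AllowedIPs cover all IPv4: " + ", ".join(sorted(nets)))
    return findings
```

Running `audit(SAMPLE_CONF)` reports the MASQUERADE rule that the sample's PostDown forgets to delete; the multi-line PostUp/PostDown style from the post above audits clean.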
lockevod commented 3 years ago

You have to allow routing. Change your wg0.conf to:

[Interface]
Address = 10.0.0.1/16
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o bond0 -j MASQUERADE;sleep 10;ip route add 10.0.0.0/16 via 10.0.0.1 dev %i
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/16 -o bond0 -j MASQUERADE
ListenPort = 16666

Obviously you have to include the private key and peer info... and you need to change bond0 to your interface (eth0, etc.)...

On the other hand, you probably need to allow packet forwarding:

modify

/etc/sysctl.conf

and add net.ipv4.ip_forward = 1

You will need to reboot.

lockevod commented 3 years ago

You can change the listen port :)

tregnier commented 3 years ago

Hi!

Actually my issue was that concatenating the instructions for allowing routing didn't work, not sure why.

I changed:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and all is working fine now. I just wanted to let people know in case someone gets the same issue!

Monoboy4ik commented 1 month ago

Hello, I need your help. My wg0.conf:

[Interface]
PrivateKey = ***
Address = 10.66.66.2/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ovs_eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ovs_eth1 -j MASQUERADE

[Peer]
PublicKey =
PresharedKey =
Endpoint = *****
AllowedIPs = 0.0.0.0/0

After wg-quick up wg0 I see this:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.3 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

I want to use Syno as a client.