I have Armbian Linux running on a NanoPi R1. It routes all traffic from eth1 (LAN, static IP, dnsmasq for DHCP/DNS) to eth0 (WAN, DHCP client) via iptables NAT/masquerading. That works fine. A client behind eth1 in the LAN can reach the outside world.
Now I have installed WireGuard on the device. There is a WireGuard VPN service in the cloud. I can reach it from the Pi, and it routes all traffic from the Pi through the wg0 interface.
But the clients in the LAN cannot reach anything anymore. I don't understand how to route all traffic from eth1 through wg0 and out via eth0. There are many examples on the net of how to configure it the other way around (the VPN server), but I'm not sure how to configure the wg interface.
[Interface]
Address = 10.0.0.10/32, fd01:10:0::10/128
ListenPort = 21841
PrivateKey = ...
PostUp = iptables -A FORWARD -i %i -o eth1 -j ACCEPT; iptables -A FORWARD -o %i -i eth1 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth1 -j ACCEPT; iptables -D FORWARD -o %i -i eth1 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
DNS = <provider-ip>
[Peer]
PublicKey = <pubkey>
EndPoint = <vpnserver>:<vpnport>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Even when I remove or change PostUp/PostDown, the behaviour doesn't change. IP forwarding is enabled in the kernel.
This is my ruleset after I started wg0:
$> iptables -L -n -x -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 1752 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4267 282274 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
273 24031 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
825 87848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
701 85098 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
419 26498 ACCEPT all -- eth1 eth0 192.168.11.0/24 0.0.0.0/0 ctstate NEW
15343 6475800 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wg0 eth1 0.0.0.0/0 0.0.0.0/0
69 12915 ACCEPT all -- eth1 wg0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I can see that eth1 sends packets to wg0, but they don't come back. What is wrong?
The masq (nat) table looks like this:
$> iptables -L -n -x -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
742 52126 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 Answers
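Added example, not part of the question or of any answer on this page: the rule set a practitioner would normally use for a LAN-behind-WireGuard gateway, together with a check that parses the output of `iptables -t nat -L POSTROUTING -n -v`. The FORWARD counters above show eth1 traffic is already entering wg0, so the usual remaining cause of "packets go in but don't come back" is that the LAN source addresses are never masqueraded to the tunnel address: the PostUp in the question masquerades `-o eth1`, not `-o wg0`, and a remote WireGuard peer discards inbound packets whose source is outside the AllowedIPs it holds for this client. Interface names, the LAN prefix 192.168.11.0/24 (taken from the FORWARD rule in the question) and the function names are assumptions for illustration; the sample POSTROUTING dump is copied from the question so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for a LAN-to-WireGuard
# gateway, plus a check that parses `iptables -t nat -L POSTROUTING -n -v` output.
# Assumed names (not in the post): LAN_IF=eth1, WG_IF=wg0, LAN_NET=192.168.11.0/24.
LAN_IF=${LAN_IF:-eth1}
WG_IF=${WG_IF:-wg0}
LAN_NET=${LAN_NET:-192.168.11.0/24}

# Print the rules for a given action (-A to add, -D to delete). They are printed,
# not executed, so they can be reviewed first; pipe to `sh` as root to apply, or
# paste them into PostUp/PostDown with %i in place of the wg interface name.
gateway_rules() {
    action=$1
    # New connections from the LAN are allowed out through the tunnel; replies are
    # already covered by the existing RELATED,ESTABLISHED rule in FORWARD.
    echo "iptables $action FORWARD -i $LAN_IF -o $WG_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Rewrite the LAN source to the tunnel address. Without this the packets leave
    # wg0 with a 192.168.11.x source, which the remote peer drops as not allowed.
    echo "iptables -t nat $action POSTROUTING -s $LAN_NET -o $WG_IF -j MASQUERADE"
    # Clamp TCP MSS to the tunnel path MTU so large segments do not silently stall.
    echo "iptables -t mangle $action FORWARD -o $WG_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Read a POSTROUTING dump on stdin and print the "out" interfaces that carry a
# MASQUERADE rule, one per line.
masq_out_ifaces() {
    # Columns: pkts bytes target prot opt in out source destination
    awk '$3 == "MASQUERADE" { print $7 }'
}

# Return 0 if the interface given as $1 is masqueraded in the dump read on stdin.
has_masq_for() {
    masq_out_ifaces | grep -qx -- "$1"
}

# Verdict for the tunnel interface; returns 0 only when its MASQUERADE rule exists.
check_wg_masq() {
    if has_masq_for "$WG_IF"; then
        echo "ok: MASQUERADE on $WG_IF present"
    else
        echo "missing: no MASQUERADE for -o $WG_IF; LAN source addresses leak into the tunnel"
        return 1
    fi
}

# Constructed sample: the POSTROUTING dump from the question, for an offline run.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
742 52126 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0'

# Demonstration against the sample. On the gateway itself run:
#   iptables -t nat -L POSTROUTING -n -v | check_wg_masq
printf '%s\n' "$SAMPLE_NAT" | check_wg_masq || true
gateway_rules -A
```

The check is deliberately narrow: it only confirms whether a MASQUERADE rule exists for the tunnel interface. If the rule is present and LAN clients still get no replies, the next things to inspect are the remote peer's AllowedIPs for this client and `conntrack -L | grep 192.168.11.` on the gateway, which shows whether outbound flows are being translated to the 10.0.0.10 tunnel address.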