Wireguard with NAT (home network) [SOLVED]


Postby Scorpion » 2018-12-19 13:11

When I'm on an external network (especially when on a public one) I would like to connect via wireguard to a pc on my home network. I will avoid ads, but since I'm using as a server a machine on my home network, all the privacy part is nullified, right? I mean with my ISP (and who knows who else, or maybe no one). Even with tor?
My public ip is static (after some months maybe change once) and is the one of a pc of my ISP.
I can forward some port of that machine (public ip) to a port of a local machine that I own.
I found a guide on how to use wireguard https://www.stavros.io/posts/how-to-con ... wireguard/:
Server /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.1 # This is not the ip of my server right? A new one created for this wg0?
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client's publickey>
AllowedIPs = 192.168.2.2/32 # Same thing here

Client conf
[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:51820 # Can I use <my_public_ip>:<forwarded_port_to_internal_51820>?
AllowedIPs = 0.0.0.0/0, ::/0 # To forward all the traffic

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25 # So do I need this value?

I checked the quick start https://www.wireguard.com/quickstart/.
Is it possible to use wireguard with NAT (since my server does not have a "direct" ip)?
I tried, but I cannot load any page.
Last edited by Scorpion on 2019-01-03 15:31, edited 1 time in total.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2018-12-20 19:19

If you configure your router (doing NAT) to forward incoming UDP port 5182 to your wireguard server, it should work fine.

Wireguard is not known for its debugging/logging powers, but at least you should see something when you try to connect. We can take it from there.

If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.

Like so..
PostUp     = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
reinob
 
Posts: 589
Joined: 2014-06-30 11:42

Re: Wireguard with NAT (home network)

Postby Scorpion » 2018-12-20 19:56

reinob wrote:If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.

Is that code for the server wg0.conf? Or is it for the terminal? Can you explain it?
I changed the NAT from TCP to UDP; why is it needed?
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2018-12-21 17:48

Scorpion wrote:
reinob wrote:If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.

Is that code for the server wg0.conf? Or is for the terminal? Can you explain it?


A VPN connects, without any further configuration, a client with a server. This means that if you use Wireguard on the client and server, they will be able to talk to each other. For some people, this is all they need.

I wrote that if your intention is to use your server as a gateway to Internet (so client -> server -> internet), which I guess is what most people understand with "VPN", then you need your server to actually function as a router (i.e. forwarding packets received from a client where the destination is not the server itself.)

You can set that up manually or automatically outside of Wireguard, but the easiest is to add to your server's wg.conf something like:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(that's two lines, one beginning with PostUp, the other with PostDown)

That goes in the [Interface] section of the file (where Address, Privatekey and ListenPort are).

I changed the NAT from TCP to UDP; why is it needed?


Wireguard only supports UDP. Most VPNs work only with UDP, as TCP-in-TCP is -- or can be -- highly suboptimal.
If you can only work with TCP (can happen), then OpenVPN is a better option than Wireguard.
(I actually use both with my phone, Wireguard for normal use (hotspot, mobile) and OpenVPN in hotspots that only allow "web" traffic (TCP 80/443/8080).)

Good luck.
reinob
 
Posts: 589
Joined: 2014-06-30 11:42
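Putting the PostUp/PostDown lines from the reply above into a complete server configuration, as an added shell example (it is not code from this thread or from the WireGuard project): it renders the [Interface] section with the forwarding rules in the right place, derives PostDown from PostUp mechanically so the two can never drift apart, and checks that the kernel has IPv4 forwarding switched on, without which the FORWARD rules never see a packet. The WAN interface name passed on the command line, the 192.168.2.0/24 tunnel subnet from the thread and the key placeholders are all assumptions.

```shell
#!/bin/sh
# Render a WireGuard server wg0.conf that also acts as an Internet gateway.
# Added example for this thread, not reinob's or Scorpion's own config.
# Assumptions: tunnel subnet 192.168.2.0/24 as in the thread, the WAN
# interface name is passed in (eth0 or wlp2s0), key values are placeholders.

# PostUp line for a given WAN interface. wg-quick expands %i to the tunnel
# interface name (wg0), so the printf uses %% to emit a literal percent sign.
gen_postup() {
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# PostDown must delete exactly the rules PostUp added: same rules, -A -> -D.
gen_postdown() {
    gen_postup "$1" | sed -e 's/^PostUp/PostDown/' -e 's/ -A / -D /g'
}

# Whole server config. The PostUp/PostDown lines live in [Interface],
# next to Address, PrivateKey and ListenPort, never in [Peer].
render_server_conf() {
    listen_port="$1"; wan="$2"; server_key="$3"; client_pub="$4"
    printf '[Interface]\n'
    printf 'Address = 192.168.2.1/24\n'     # tunnel-side address, not the LAN address
    printf 'ListenPort = %s\n' "$listen_port"
    printf 'PrivateKey = %s\n' "$server_key"
    gen_postup "$wan"
    gen_postdown "$wan"
    printf '\n[Peer]\n'
    printf 'PublicKey = %s\n' "$client_pub"
    printf 'AllowedIPs = 192.168.2.2/32\n'  # only this tunnel address may arrive from this peer
}

# The FORWARD rules never see a packet unless the kernel forwards at all.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Interface carrying the default route: the thing "eth0" stands for.
wan_iface() {
    ip -o route show default 2>/dev/null | awk '{ print $5 }' | head -n 1
}

# Usage: sh gateway-conf.sh wlp2s0 > /etc/wireguard/wg0.conf
if [ -n "${1:-}" ]; then
    render_server_conf 51820 "$1" '<server private key>' '<client public key>'
    forwarding_enabled || echo '# net.ipv4.ip_forward is 0: sysctl -w net.ipv4.ip_forward=1' >&2
fi
```

The MASQUERADE rule rewrites the source address of every forwarded packet to the WAN address of the server, which is exactly why the sites the client visits (and the DNS resolvers it uses) see the home ISP's address rather than the public hotspot's. The AllowedIPs line on the server is also a filter: packets arriving from this peer with any other source address are dropped, so a client cannot spoof another tunnel address through the gateway.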

Re: Wireguard with NAT (home network)

Postby Scorpion » 2018-12-22 13:00

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Can you explain it a little? For example eth0? I don't have any eth0 right now.
The server uses wi-fi: wlp2s0, and the wireguard connection is wg0.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2018-12-22 18:10

If your server uses wlp2s0 then of course, replace eth0 with wlp2s0.

The PostUp/PostDown lines set up the forwarding, so that the wg server will act as a router.
You can have a look here:
https://wiki.archlinux.org/index.php/WireGuard

That's what I used as model, so that I can connect with multiple clients and use my server as a VPN gateway using wireguard.
reinob
 
Posts: 589
Joined: 2014-06-30 11:42

Re: Wireguard with NAT (home network)

Postby Scorpion » 2018-12-23 10:38

Client:
[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = public_ip:forwarded port with UDP to internal port 5182??????????????
AllowedIPs = 0.0.0.0/0, ::/0 # To forward all the traffic

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

"Endpoint" line:
Is the internal port 5182 the default? Since I did not set a custom port.
Now it doesn't work.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2018-12-25 12:52

Scorpion wrote:
Endpoint = public_ip:forwarded port with UDP to internal port 5182??????????????


"Endpoint" line:
Is the internal port 5182 the default? Since I did not set a custom port.


At the client, you use endpoint = <your-public-ip>:<PORT1>
Then, at your router, you forward PORT1 (UDP!) to your wireguard server, to the port wireguard is listening on there (PORT2).
At your server, you configure wireguard to listen on PORT2.

You can use PORT1 = PORT2 = 5182, or PORT1 = 443 and PORT2 = 51820 or whatever you like.
The important bit is that the router forwards PORT1 on the public interface to PORT2 of wireguard server.

Now it doesn't work.


OK, what does the client show when you do "wg-quick up your-config".

If it doesn't work, try stopping the server and do the following:
at the server:
$ nc -u -l -p <PORT2>


at the client:
Code: Select all
$ nc -u -p <PORT1>


If the client can successfully connect via PORT1 to your router and from there to PORT2 of your server, then whatever you type on the client should appear on the server (after CRLF, not after each character).

If that works, then at least the networking is fine. Then you fix your wg config.
If that doesn't work, a combination of one or more of { client, server, router, network } is not working as expected..
reinob
 
Posts: 589
Joined: 2014-06-30 11:42
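The PORT1/PORT2 split and the raw UDP check from the reply above, as an added shell example that is not code from this thread: it renders a client config whose Endpoint is always the router's public side (PORT1), leaves the client's ListenPort out because wg-quick picks a random one when it is absent, and before running the netcat listener on the server it parses the output of `ss -lun` to see whether the port is still held by WireGuard, which is the "Address already in use" failure that makes the test prove nothing. The public IP 203.0.113.10, the ports, the tunnel addresses and the `DNS = 192.168.2.1` line (a resolver assumed to run on the server's tunnel address) are all assumptions; the sample `ss` output in the test is constructed.

```shell
#!/bin/sh
# Added example for this thread (not reinob's or Scorpion's code). It models the
# PORT1/PORT2 split: the client dials <public-ip>:PORT1, the router forwards
# UDP PORT1 to the server's PORT2, and the server's ListenPort is PORT2.
# The public IP, ports and the resolver address below are illustrative.

# Validate a UDP port number (1-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Endpoint the client should use: always the public side of the router (PORT1),
# never the server's internal PORT2 unless the two happen to be equal.
client_endpoint() {
    valid_port "$2" || return 1
    printf '%s:%s\n' "$1" "$2"
}

# Render the client config. ListenPort on the client is optional; wg-quick
# picks a random one when it is absent, which suits a roaming client behind NAT.
render_client_conf() {
    public_ip="$1"; port1="$2"; client_key="$3"; server_pub="$4"
    printf '[Interface]\n'
    printf 'Address = 192.168.2.2/32\n'
    printf 'PrivateKey = %s\n' "$client_key"
    printf 'DNS = 192.168.2.1\n'   # assumption: the server answers DNS on its tunnel address
    printf '\n[Peer]\n'
    printf 'PublicKey = %s\n' "$server_pub"
    printf 'Endpoint = %s\n' "$(client_endpoint "$public_ip" "$port1")"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\n'   # route everything through the tunnel
    printf 'PersistentKeepalive = 25\n'       # keeps the NAT mapping alive from the client side
}

# Given the output of "ss -lun" (UDP listeners), report whether PORT is taken.
# Any column of the form host:PORT counts, so 0.0.0.0:5182 and [::]:5182 both match.
udp_port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { for (i = 1; i <= NF; i++) { n = split($i, a, ":"); if (n > 1 && a[n] == p) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Server side of the raw UDP probe: refuse to run while WireGuard still owns the port.
server_probe() {
    port2="$1"
    if udp_port_in_use "$port2" "$(ss -lun)"; then
        echo "UDP port $port2 is busy (WireGuard still up?); run: wg-quick down wg0" >&2
        return 1
    fi
    nc -u -l -p "$port2"     # lines typed on the client should appear here
}

# Client side: dial the router's public side, not the server's internal port.
client_probe() {
    nc -u "$1" "$2"          # $1 = public IP, $2 = PORT1
}

# Usage: sh client-conf.sh 203.0.113.10 443 > wg0.conf
if [ $# -ge 2 ]; then
    render_client_conf "$1" "$2" '<client private key>' '<server public key>'
fi
```

The probe only tells you that UDP datagrams reach the server through the router; it says nothing about keys. Once it passes, a tunnel that still fails is a config problem (wrong peer public key, wrong AllowedIPs, or a server ListenPort that does not match PORT2).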

Re: Wireguard with NAT (home network)

Postby Scorpion » 2018-12-27 17:24

Now I changed the server wg0.conf listen port to 5182. (PORT1 = PORT2 = 5182)
Server
nc -u -l -p 5182
nc: Address already in use

Client wg0.conf:
[Interface]
ListenPort = 21841 # What about this port?

Client:
nc -u -p PORT1
no destination

Now the connection works.
I did a DNS leak test and I found 2 ips similar to the one of the public network in DNS servers.

With tor:
If I use tor will my ISP see my activities? The leak test is fine also without wireguard.
How can I test if there is some leak?
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2018-12-30 10:19

@Scorpion,

Glad that it's working fine. Please note that the test with netcat ("nc") was supposed to happen after stopping the wireguard server. It failed because the port was already being used by wireguard. Anyway..

Scorpion wrote:I did a DNS leak test and I found 2 ips similar at the one of the public network in DNS servers.

With tor:
If I use tor will my ISP see my activities? The leak test is fine also without wireguard.
How can I test if if there is some leak?


With tor you obfuscate the routing. Together with encryption it means basically [ in theory, but of course in practice it is not the case ] nobody can see which pages you visit.
No more, but also no less.

As for DNS. Tor doesn't route UDP, so it will not directly take care of routing DNS. Your queries will go to whatever DNS server you have configured, but will be seen as coming from an exit node, and not from your computer.

That may be OK for you.. or not. You seem to worry about "leaks" without defining what a leak is (to/for you).
reinob
 
Posts: 589
Joined: 2014-06-30 11:42

Re: Wireguard with NAT (home network)

Postby Scorpion » 2018-12-31 10:16

With wireguard and without tor:
I did a DNS leak test and I found 2 ips similar to the one of the public network in DNS servers.

https://www.dnsleaktest.com
That is for my ISP (of the server).

I did it again from the server with tor and it found a lot of IPs but not from my ISP.
From the server (with wireguard) I will check again.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby Scorpion » 2019-01-01 15:46

Leak for me is that somebody can see: which pages I visit, ip/location, personal information, tracking protection and censorship.
Now I updated the server and I have this problem:
wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

I compiled wireguard from the source; how can I remove it? I used make install, but make uninstall:
make uninstall
make: *** No rule to make target 'uninstall'.  Stop.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby Scorpion » 2019-01-02 16:50

Now I'm using the 4.18.0-0.bpo.1-amd64 kernel again and it is fine.
With wireguard and tor I got the same result that I got with only tor.
The site https://www.dnsleaktest.com found a lot of IPs (not of my ISP).
Without tor it found 3 IPs of my ISP.
It states:
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
Last edited by Scorpion on 2019-01-02 17:24, edited 2 times in total.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

Re: Wireguard with NAT (home network)

Postby reinob » 2019-01-02 17:01

Scorpion wrote:With wireguard and tor I got the same result that I got with only tor.


I don't think it makes sense to combine vpn and tor. If you actually did it, how did you do that?
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.
But without knowing what you've done, it's hard to say anything.

Scorpion wrote:The site https://www.dnsleaktest.com found a lot of IPs (not of my ISP).
Without tor it found 3 IPs of my ISP.
It states:
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.


Without tor, and assuming that means "with wireguard", then that test will show the DNS servers which were used by your computer. I'm not sure what you mean with "3 IPs of my ISP". If you were using the wireguard server to do the DNS lookup then you should only see that 1 IP and not 3.

Anyway, from your post it's not clear whether you have a problem/question, so we'll leave it here.
reinob
 
Posts: 589
Joined: 2014-06-30 11:42
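A way to check the point made above (with the wireguard server doing the lookups, the client should be using one resolver, not two or three), as an added shell example that is not code from this thread: it parses the client's /etc/resolv.conf, counts the distinct resolvers, and succeeds only if every one of them is the tunnel-side resolver that wg-quick installs from a `DNS = ...` line in the client's [Interface] while the tunnel is up. The resolver address 192.168.2.1 and every sample file used in the test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. On the client, list the resolvers in
# /etc/resolv.conf and check they are the tunnel-side resolver that wg-quick
# installs from a "DNS = ..." line in [Interface] while the tunnel is up.
# The resolver address 192.168.2.1 and all sample file contents are assumptions.

# Nameserver addresses from resolv.conf-style text, one per line.
nameservers_from() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Number of distinct resolvers: the figure a leak test reports as "N IPs".
count_nameservers() {
    nameservers_from "$1" | sort -u | wc -l | tr -d ' '
}

# Succeeds only if every resolver is the expected tunnel resolver. Any other
# address (hotspot gateway, ISP resolver) answers lookups outside the tunnel's
# resolver, and that is what the leak-test page lists.
all_via_tunnel() {
    expected="$1"; text="$2"
    ns=$(nameservers_from "$text")
    [ -n "$ns" ] || return 1
    printf '%s\n' "$ns" | awk -v e="$expected" '$1 != e { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Live check. If resolv.conf names the systemd-resolved stub (127.0.0.53)
# the real upstream resolvers are shown by "resolvectl status" instead.
check_live() {
    expected="${1:-192.168.2.1}"
    text=$(cat /etc/resolv.conf)
    if nameservers_from "$text" | grep -q '^127\.0\.0\.53$'; then
        echo "stub resolver in use; inspect: resolvectl status" >&2
        return 2
    fi
    all_via_tunnel "$expected" "$text"
}

# Usage: sh dns-check.sh --live [tunnel-resolver]   (run with the tunnel up)
if [ "${1:-}" = "--live" ]; then
    if check_live "${2:-}"; then
        echo "all lookups go to the tunnel resolver"
    else
        echo "resolver(s) outside the tunnel:"; nameservers_from "$(cat /etc/resolv.conf)"; exit 1
    fi
fi
```

Run it once with the tunnel down and once with it up: with a `DNS =` line in the client config the second run should list exactly one resolver, the tunnel one. If it still lists the hotspot's or ISP's resolvers, the client never installed the tunnel resolver (wg-quick needs resolvconf or openresolv for that) and its lookups are answered wherever those resolvers sit, which is the pattern the leak test reported.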

Re: Wireguard with NAT (home network)

Postby Scorpion » 2019-01-02 17:14

I don't think it makes sense to combine vpn and tor. If you actually did it, how did you do that?
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.
But without knowing what you've done, it's hard to say anything.

I used tor as a browser on the client.
Without tor, and assuming that means "with wireguard", then that test will show the DNS servers which were used by your computer. I'm not sure what you mean with "3 IPs of my ISP". If you were using the wireguard server to do the DNS lookup then you should only see that 1 IP and not 3.

Yes that is what I meant. When using wireguard it states:
Hello public_ip from my_location. And then you can take the test.
Now I took the test again and it found 2 IPs from 2 servers owned by my ISP, that are different from my public_ip which is another server of my ISP.
Is it normal?

It was a question and it seems that the answer is:
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.


It would be nice being able to remove and reinstall wireguard so I can use the 4.18.0-0.bpo.3-amd64 kernel.
Scorpion
 
Posts: 82
Joined: 2018-10-17 11:38

