Wireguard with NAT (home network) [SOLVED]

Linux Kernel, Network, and Services configuration.
Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Wireguard with NAT (home network) [SOLVED]

#1 Post by Scorpion »

When I'm on an external network (especially a public one) I would like to connect via WireGuard to a PC on my home network. I will avoid ads that way, but since I'm using as a server a machine on my home network, all the privacy part is nullified, right? I mean with my ISP (and who knows who else, or maybe no one). Even with Tor?
My public IP is static (it may change once after some months) and is the one of a PC of my ISP.
I can forward some port of that machine (public IP) to a port of a local machine that I own.
I found a guide on how to use WireGuard: https://www.stavros.io/posts/how-to-con ... wireguard/
Server /etc/wireguard/wg0.conf

Code:

[Interface]
Address = 192.168.2.1 # This is not the ip of my server right? A new one created for this wg0?
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client's publickey>
AllowedIPs = 192.168.2.2/32 # Same thing here
Client conf

Code:

[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:51820 # Can I use <my_public_ip>:<forwarded_port_to_internal_51820>? 
AllowedIPs = 0.0.0.0/0, ::/0 # To forward all the traffic

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25 # So do I need this value?
I checked the quick start https://www.wireguard.com/quickstart/.
Is it possible to use WireGuard with NAT (since my server does not have a "direct" IP)?
I tried it, but I cannot load any page.
Last edited by Scorpion on 2019-01-03 15:31, edited 1 time in total.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Wireguard with NAT (home network)

#2 Post by reinob »

If you configure your router (doing NAT) to forward incoming UDP port 5182 to your wireguard server, it should work fine.

Wireguard is not known for its debugging/logging powers, but at least you should see something when you try to connect. We can take it from there.

If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.

Like so:

Code:

PostUp     = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Scorpion

Re: Wireguard with NAT (home network)

#3 Post by Scorpion »

reinob wrote:If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.
Is that code for the server wg0.conf? Or is it for the terminal? Can you explain it?
I changed the NAT from TCP to UDP; why is it needed?

reinob

Re: Wireguard with NAT (home network)

#4 Post by reinob »

Scorpion wrote:
reinob wrote:If you want to use your Wireguard server to actually connect via it to the Internet (and not just as point-to-point connection), then you also need to set up the actual forwarding.
Is that code for the server wg0.conf? Or is for the terminal? Can you explain it?
A VPN connects, without any further configuration, a client with a server. This means that if you use Wireguard on the client and server, they will be able to talk to each other. For some people, this is all they need.

I wrote that if your intention is to use your server as a gateway to Internet (so client -> server -> internet), which I guess is what most people understand with "VPN", then you need your server to actually function as a router (i.e. forwarding packets received from a client where the destination is not the server itself.)

You can set that up manually/automatically outside of Wireguard, but the easiest is to add to your server's wg.conf something like:

Code:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
(that's two lines, one beginning with PostUp, the other with PostDown)

That goes in the [Interface] section of the file (where Address, Privatekey and ListenPort are).
I changed to NAT from TCP to UPD why is needed?
Wireguard only supports UDP. Most VPNs work only with UDP, as TCP-in-TCP is -- or can be -- highly suboptimal.
If you can only work with TCP (can happen), then OpenVPN is a better option than Wireguard.
(I actually use both with my phone: Wireguard for normal use (hotspot, mobile) and OpenVPN in hotspots that only allow "web" traffic (TCP 80/443/8080).)

Good luck.

Scorpion

Re: Wireguard with NAT (home network)

#5 Post by Scorpion »

Code:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Can you explain it a little? For example, eth0? I don't have any eth0 right now.
The server uses Wi-Fi: wlp2s0, and the WireGuard connection is wg0.

reinob

Re: Wireguard with NAT (home network)

#6 Post by reinob »

If your server uses wlp2s0 then of course, replace eth0 with wlp2s0.

The PostUp/PostDown lines set up the forwarding, so that the wg server will act as a router.
You can have a look here:
https://wiki.archlinux.org/index.php/WireGuard

That's what I used as model, so that I can connect with multiple clients and use my server as a VPN gateway using wireguard.

Scorpion

Re: Wireguard with NAT (home network)

#7 Post by Scorpion »

Client:

Code:

[Interface]
Address = 192.168.2.2
PrivateKey = <client's privatekey>
ListenPort = 21841

[Peer]
PublicKey = <server's publickey>
Endpoint = public_ip:forwarded port with UDP to internal port 5182??????????????
AllowedIPs = 0.0.0.0/0, ::/0 # To forward all the traffic

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
"Endpoint" line:
Is the internal port 5182 the default? Since I did not set a custom port.
Now it doesn't work.

reinob

Re: Wireguard with NAT (home network)

#8 Post by reinob »

Scorpion wrote:

Code:

Endpoint = public_ip:forwarded port with UDP to internal port 5182??????????????
"Endpoint" line:
Is the internal port 5182 the default? Since I did not set a custom port.
At the client, you use endpoint = <your-public-ip>:<PORT1>
Then, at your router, you forward PORT1 (UDP!) to your wireguard server, to the port wireguard is listening on there (PORT2).
At your server, you configure wireguard to listen on PORT2.

You can use PORT1 = PORT2 = 5182, or PORT1 = 443 and PORT2 = 51820 or whatever you like.
The important bit is that the router forwards PORT1 on the public interface to PORT2 of wireguard server.
Now it doesn't work.
OK, what does the client show when you do "wg-quick up your-config"?

If it doesn't work, try stopping the server and do the following:
at the server:

Code:

$ nc -u -l -p <PORT2>
at the client:

Code:

$ nc -u <your-public-ip> <PORT1>
If the client can successfully connect via PORT1 to your router and from there to PORT2 of your server, then whatever you type on the client should appear on the server (after CRLF, not after each character).

If that works, then at least the networking is fine. Then you fix your wg config.
If that doesn't work, a combination of one or more of { client, server, router, network } is not working as expected.

Scorpion

Re: Wireguard with NAT (home network)

#9 Post by Scorpion »

Now I changed the server wg0.conf listen port to 5182. (PORT1 = PORT2 = 5182)
Server

Code:

nc -u -l -p 5182
nc: Address already in use
Client wg0.conf:

Code:

[Interface]
ListenPort = 21841 # What about this port?
Client:

Code:

nc -u -p PORT1
no destination
Now the connection works.
I did a DNS leak test and I found 2 IPs similar to the one of the public network among the DNS servers.

With Tor:
If I use Tor, will my ISP see my activities? The leak test is fine also without WireGuard.
How can I test if there is some leak?

reinob

Re: Wireguard with NAT (home network)

#10 Post by reinob »

@Scorpion,

Glad that it's working fine. Please note that the test with netcat ("nc") was supposed to happen after stopping the wireguard server. It failed because the port was already being used by wireguard. Anyway..
Scorpion wrote: I did a DNS leak test and I found 2 IPs similar to the one of the public network among the DNS servers.

With Tor:
If I use Tor, will my ISP see my activities? The leak test is fine also without WireGuard.
How can I test if there is some leak?
With tor you obfuscate the routing. Together with encryption it means basically [ in theory, but of course in practice it is not the case ] nobody can see which pages you visit.
No more, but also no less.

As for DNS. Tor doesn't route UDP, so it will not directly take care of routing DNS. Your queries will go to whatever DNS server you have configured, but will be seen as coming from an exit node, and not from your computer.

That may be OK for you, or not. You seem to worry about "leaks" without defining what a leak is (to/for you).

Scorpion

Re: Wireguard with NAT (home network)

#11 Post by Scorpion »

With WireGuard and without Tor:
I did a DNS leak test and I found 2 IPs similar to the one of the public network among the DNS servers.
https://www.dnsleaktest.com
That is for my ISP (of the server).

I did it again from the server with Tor and it found a lot of IPs, but not from my ISP.
From the server (with WireGuard) I will check again.

Scorpion

Re: Wireguard with NAT (home network)

#12 Post by Scorpion »

Leak for me is that somebody can see: which pages I visit, IP/location, personal information, tracking protection and censorship.
Now I updated the server and I have this problem:

Code:

wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
I compiled WireGuard from source; how can I remove it? I used make install, but make uninstall:

Code:

make uninstall
make: *** No rule to make target 'uninstall'.  Stop.

Scorpion

Re: Wireguard with NAT (home network)

#13 Post by Scorpion »

Now I'm using the 4.18.0-0.bpo.1-amd64 kernel again and it is fine.
With wireguard and tor I got the same result that I got with only tor.
The site https://www.dnsleaktest.com found a lot of IPs (not of my ISP).
Without tor it found 3 IPs of my ISP.
It states:
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
Last edited by Scorpion on 2019-01-02 17:24, edited 2 times in total.

reinob

Re: Wireguard with NAT (home network)

#14 Post by reinob »

Scorpion wrote: With wireguard and tor I got the same result that I got with only tor.
I don't think it makes sense to combine vpn and tor. If you actually did it, how did you do that?
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.
But without knowing what you've done, it's hard to say anything.
Scorpion wrote: The site https://www.dnsleaktest.com found a lot of IPs (not of my ISP).
Without tor it found 3 IPs of my ISP.
It states:
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
Without tor, and assuming that means "with wireguard", then that test will show the DNS servers which were used by your computer. I'm not sure what you mean with "3 IPs of my ISP". If you were using the wireguard server to do the DNS lookup then you should only see that 1 IP and not 3.

Anyway, from your post it's not clear whether you have a problem/question, so we'll leave it here.
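The thread tripped over three separate things that all make WireGuard fail silently or leak: the PORT1/PORT2 chain from post #8 (client Endpoint port, router UDP forward, server ListenPort must line up), the eth0 vs. wlp2s0 interface in the MASQUERADE rule from post #6, and the DNS question above (a client with AllowedIPs 0.0.0.0/0 but no DNS= line keeps whatever resolvers the hotspot handed out, because wg-quick only rewrites the system resolver when DNS= is set). The preflight script below is an added example, not code from the thread or from the WireGuard project. It parses both wg0.conf files with awk and checks all three. The sample configs, the TEST-NET-3 public IP 203.0.113.10 and the interface list are constructed; the DNS = 192.168.2.1 line assumes a resolver is running on the server; 5182 and wlp2s0 mirror the values used in the thread.

```shell
#!/bin/sh
# Added example: preflight checks for a WireGuard client/server pair where the
# server sits behind a home NAT router. Sample configs and interface list are
# constructed here; the DNS line assumes a resolver on the server.
set -eu

# wg_get SECTION KEY: first KEY in SECTION of the config on stdin, with
# surrounding whitespace and inline "# comments" stripped.
wg_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = (tolower($0) == tolower(sec)) }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; exit
        }'
}

endpoint_port() { printf '%s\n' "$1" | wg_get Peer Endpoint | sed 's/.*://'; }
listen_port()   { printf '%s\n' "$1" | wg_get Interface ListenPort; }
# Interface after "-o" in the POSTROUTING/MASQUERADE rule of PostUp.
masq_iface()    { printf '%s\n' "$1" | wg_get Interface PostUp |
                  sed -n 's/.*POSTROUTING.* -o  *\([^ ]*\).*/\1/p'; }

# check_port_chain CLIENT SERVER EXT_PORT INT_PORT: the client dials the
# router's external UDP port; the router forwards it to the port the server
# listens on. Any mismatch gives no handshake and "cannot load any page".
check_port_chain() {
    [ "$(endpoint_port "$1")" = "$3" ] && [ "$(listen_port "$2")" = "$4" ]
}

# check_wan_iface SERVER "IFACE ...": the -o interface of the MASQUERADE rule
# must exist on the server. Real use: "$(ip -o link | awk -F': ' '{print $2}')".
check_wan_iface() {
    want=$(masq_iface "$1")
    for i in $2; do [ "$i" = "$want" ] && return 0; done
    return 1
}

# check_client_dns CLIENT: a full-tunnel client (0.0.0.0/0) without DNS=
# keeps the resolvers the local network gave it via DHCP.
check_client_dns() {
    case "$(printf '%s\n' "$1" | wg_get Peer AllowedIPs)" in
        *0.0.0.0/0*) [ -n "$(printf '%s\n' "$1" | wg_get Interface DNS)" ] ;;
        *) return 0 ;;
    esac
}

# wg_preflight CLIENT SERVER EXT_PORT INT_PORT "IFACE ...": 0 only if all pass.
wg_preflight() {
    rc=0
    if check_port_chain "$1" "$2" "$3" "$4"; then
        echo "ok   port chain: Endpoint :$3 -> router -> :$4 -> ListenPort"
    else
        echo "FAIL port chain: Endpoint :$(endpoint_port "$1"), router $3->$4, ListenPort $(listen_port "$2")"; rc=1
    fi
    if check_wan_iface "$2" "$5"; then
        echo "ok   MASQUERADE -o $(masq_iface "$2") exists"
    else
        echo "FAIL MASQUERADE -o '$(masq_iface "$2")' not in: $5"; rc=1
    fi
    if check_client_dns "$1"; then
        echo "ok   client resolver pinned (or client is not full-tunnel)"
    else
        echo "FAIL client routes 0.0.0.0/0 but has no DNS= line"; rc=1
    fi
    return $rc
}

# Constructed sample pair (placeholders instead of real keys).
SERVER_CONF='[Interface]
Address = 192.168.2.1/24
ListenPort = 5182
PrivateKey = <server privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE

[Peer]
PublicKey = <client publickey>
AllowedIPs = 192.168.2.2/32'

CLIENT_CONF='[Interface]
Address = 192.168.2.2/32
PrivateKey = <client privatekey>
DNS = 192.168.2.1   # assumed: a resolver on the server, reached inside the tunnel

[Peer]
PublicKey = <server publickey>
Endpoint = 203.0.113.10:5182   # public IP : UDP port the router forwards
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25'

wg_preflight "$CLIENT_CONF" "$SERVER_CONF" 5182 5182 "lo wlp2s0 wg0"
```

Run it on the server with the real files, e.g. `wg_preflight "$(cat client.conf)" "$(cat /etc/wireguard/wg0.conf)" 5182 5182 "$(ip -o link | awk -F': ' '{print $2}')"`, before `wg-quick up wg0`. The forwarding rules still need `net.ipv4.ip_forward=1` on the server, which is a sysctl, not something the config file can express.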

Scorpion

Re: Wireguard with NAT (home network)

#15 Post by Scorpion »

I don't think it makes sense to combine vpn and tor. If you actually did it, how did you do that?
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.
But without knowing what you've done, it's hard to say anything.
I used tor as a browser on the client.
Without tor, and assuming that means "with wireguard", then that test will show the DNS servers which were used by your computer. I'm not sure what you mean with "3 IPs of my ISP". If you were using the wireguard server to do the DNS lookup then you should only see that 1 IP and not 3.
Yes, that is what I meant. When using WireGuard it states:
Hello public_ip from my_location. And then you can take the test.
Now I took the test again and it found 2 IPs from 2 servers owned by my ISP, that are different from my public_ip which is another server of my ISP.
Is it normal?

It was a question and it seems that the answer is:
You can e.g. use vpn (wg) client -> server and then the server uses tor to forward traffic to internet.
It would be nice to be able to remove and reinstall WireGuard so I can use the 4.18.0-0.bpo.3-amd64 kernel.
