Posted: Sun Apr 17, 2022 9:23 Post subject: Wireguard port forwarding
Hello,
I have a TP-Link ARCHER-C7 with DD-WRT on it, and it is behind a DSL router. The DD-WRT router is running as a WireGuard VPN client, where the VPN service is provided by Torguard.
All connected devices are getting internet through the VPN and it is working well.
The issue is that I have a telephony server which requires an open port, 8246.
When I test port forwarding with the Torguard Windows client app on a PC it works well, but not when connecting through DD-WRT WireGuard.
The port is forwarded from the DSL router to DD-WRT, and I even tried putting DD-WRT in the DMZ once.
The port is forwarded from DD-WRT to the telephony server; I tried both the port forwarding under the 'NAT/QoS' option and setting a firewall script:
Joined: 18 Mar 2014 Posts: 12904 Location: Netherlands
Posted: Sun Apr 17, 2022 11:56 Post subject:
Per Yngve Berg wrote:
The port must also be forwarded at the Torguard server. The app probably does that.
You can exclude the telephony server from the VPN and let it out directly on the WAN with PBR.
In either case, packets must go out the same route they came in.
To elaborate on this (excellent) answer: if you decide to go the port forward route, then disable SFE on the Setup page (it adds a lot of latency) and disable CVE mitigation.
From the recent guide:
Quote:
Test this script from the command line and if it works: Administration/Commands and Save as Firewall
Furthermore, disable CVE mitigation in the GUI and probably disable SFE (Shortcut Forwarding Engine) on the Setup page.
Check if the port forward rules are hit (e.g. if you have set up Torguard correctly to forward the port on their servers) with:
iptables -vnL -t nat
iptables -vnL FORWARD
But actually a better approach might be to use Policy Based Routing to exclude the telephony server from the VPN; you can use the IP or even the port to route via the WAN.
It is explained in the Guides.
(Note: depending on router and setup, in rare cases the WAN might not be available after a restart of the router and you have to hit Apply on the WireGuard setup page.)
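The two iptables commands quoted above only help if you know what to look for in their output: the packet counter in the first column of the DNAT rule and of the matching FORWARD accept rule. The script below is an added example, not from the thread or the guide, that reads that output and reports which hop of the forward is failing. The `iptables -vnL` output it parses is a constructed sample embedded in the script (so it runs offline); the interface name oet1 and the server address 192.168.1.50 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): decide from the output of
#   iptables -vnL -t nat      and      iptables -vnL FORWARD
# whether the PBX port forward is actually being hit. On the router you would
# feed the live output in; here CONSTRUCTED sample output is embedded so the
# script runs offline. Interface oet1 and server 192.168.1.50 are assumptions.

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1204 packets, 88K bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 DNAT       tcp  --  oet1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8246 to:192.168.1.50:8246
    0     0 DNAT       udp  --  oet1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:8246 to:192.168.1.50:8246

Chain POSTROUTING (policy ACCEPT 980 packets, 70K bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 61000 MASQUERADE  all  --  *      oet1    0.0.0.0/0            0.0.0.0/0'

SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 ACCEPT     tcp  --  oet1   br0     0.0.0.0/0            192.168.1.50         tcp dpt:8246
 1402  102K ACCEPT     all  --  br0    oet1    0.0.0.0/0            0.0.0.0/0'

# rule_hits OUTPUT TARGET PROTO PORT
# Sums the packet counter (column 1) of every rule whose target, protocol and
# destination port match. Counters printed by -v may carry K/M/G suffixes, so
# they are expanded; a missing rule and a never-matched rule both yield 0.
rule_hits() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v proto="$3" -v port="$4" '
        function num(s) {
            if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
            if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
            if (s ~ /G$/) return substr(s, 1, length(s) - 1) * 1000000000
            return s + 0
        }
        $3 == tgt && $4 == proto && $0 ~ ("dpt:" port "( |$)") { sum += num($1) }
        END { print sum + 0 }'
}

# pbx_forward_status NAT_OUTPUT FORWARD_OUTPUT PORT
# 0: both the DNAT rule and the FORWARD accept rule have seen packets;
# 1: nothing reached the DNAT rule, so the problem is upstream (provider-side
#    forward, or the traffic is not arriving on the tunnel interface at all);
# 2: DNAT fired but FORWARD accepted nothing (FORWARD rule, SFE or CVE mitigation).
pbx_forward_status() {
    nat_hits=$(rule_hits "$1" DNAT tcp "$3")
    fwd_hits=$(rule_hits "$2" ACCEPT tcp "$3")
    if [ "$nat_hits" -eq 0 ]; then
        echo "tcp/$3: DNAT rule never matched, check the provider-side forward"
        return 1
    fi
    if [ "$fwd_hits" -eq 0 ]; then
        echo "tcp/$3: DNAT matched $nat_hits packets but FORWARD accepted none"
        return 2
    fi
    echo "tcp/$3: forward is live ($nat_hits translated, $fwd_hits forwarded)"
    return 0
}

# On the router: pbx_forward_status "$(iptables -vnL -t nat)" "$(iptables -vnL FORWARD)" 8246
pbx_forward_status "$SAMPLE_NAT" "$SAMPLE_FORWARD" 8246
```

Run it once on the router while a test connection is made from outside; a DNAT counter that stays at zero means the packets never arrive on the tunnel interface, which points at the provider-side forward rather than at anything in the DD-WRT firewall.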
Sorry, I forgot to mention that I am using DD-WRT r48646.
I don't want to exclude the PBX server, as the main idea is to bypass the ISP's deep packet inspection firewall.
I did a hard reset and started from scratch; this time I changed the configuration from 'client' to 'WAP' to benefit from one subnet for all devices. What I did:
* After the hard reset I followed this guide to set up WAP.
* Then I followed your well written and much appreciated guide here to set up WG on the client.
Chain trigger_out (0 references)
pkts bytes target prot opt in out source destination
Chain upnp (0 references)
pkts bytes target prot opt in out source destination
What is missing to make it work, as I am not good with NAT and iptables? I know the Torguard side is OK, as the forwarding works on a Windows machine using the Torguard app instead of the router.
Posted: Mon Apr 18, 2022 16:13 Post subject:
Running a VPN on a WAP is complicating things; impossible it is not, but normal traffic will use the ISP router and will not go out of the tunnel (the Advanced setup guide has solutions for this though).
First check if you have internet via the tunnel from your clients and also from the telephony server.
All the things you are doing regarding port forwarding do not seem very useful.
You want port forwarding via the tunnel and not via the WAN, so using a DMZ, changing the firewall etc. will not help.
If that works, you have a port forward from Torguard's external IP address (the address you see with e.g. ipleak.net) to your WireGuard (oet) interface, e.g. 10.100.x.x.
Then you have to port forward from your WireGuard (oet) interface to your telephony server.
A port forward consists of an address translation, e.g. from the example of the guide:
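The second hop described above (tunnel interface to telephony server) written out as a DD-WRT firewall script, as an added example; it is not the guide's own example and not code from the thread. It assumes the tunnel interface is oet1, the PBX is at 192.168.1.50 and the port is 8246; the first two values are assumptions, the port is from the thread. By default it only prints the rules it would add, so it can be checked from the command line first; with APPLY=1 it calls iptables.

```shell
#!/bin/sh
# Added example, not the guide's own script: the second hop of the forward, from
# the WireGuard (oet) interface to the telephony server, as a DD-WRT firewall
# script. Assumptions: tunnel interface oet1, PBX at 192.168.1.50, port 8246.
# By default the rules are only printed; set APPLY=1 (e.g. as the first line
# when saving under Administration/Commands as Firewall) to call iptables.

WG_IF="${WG_IF:-oet1}"
PBX_IP="${PBX_IP:-192.168.1.50}"
PBX_PORT="${PBX_PORT:-8246}"
APPLY="${APPLY:-0}"

# add_once TABLE CHAIN RULE...
# -C checks for an existing identical rule first, so the script stays idempotent
# when the firewall script is re-run (e.g. after the tunnel or WAN comes up again).
add_once() {
    table=$1; chain=$2; shift 2
    if [ "$APPLY" = 1 ]; then
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
            iptables -t "$table" -I "$chain" "$@"
    else
        echo "iptables -t $table -I $chain $*"
    fi
}

pbx_forward_rules() {
    for proto in tcp udp; do
        # Address translation: packets arriving from the tunnel for the PBX port
        # get their destination rewritten to the PBX. conntrack reverses the
        # translation on the replies, but those replies still have to be routed
        # back out via the tunnel, i.e. the PBX must not be excluded by PBR.
        add_once nat PREROUTING -i "$WG_IF" -p "$proto" --dport "$PBX_PORT" \
            -j DNAT --to-destination "$PBX_IP:$PBX_PORT"
        # Allow only the translated flow in FORWARD; other tunnel traffic is left
        # to the existing rules.
        add_once filter FORWARD -i "$WG_IF" -p "$proto" -d "$PBX_IP" --dport "$PBX_PORT" -j ACCEPT
    done
}

pbx_forward_rules
```

Only the hop from the tunnel interface to the server is covered here; the first hop (Torguard's external address to the oet interface) is configured on the provider side, and the reply path only works while the PBX's traffic is itself routed through the tunnel, which is the point made earlier in the thread about packets going out the same route they came in.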