Wireguard port forwarding

Mari0s
DD-WRT Novice


Joined: 09 May 2020
Posts: 5

Posted: Sun Apr 17, 2022 9:23    Post subject: Wireguard port forwarding
Hello,

I have a TP-Link ARCHER-C7 with DD-WRT on it and it's behind a DSL router; the DD-WRT router is running as a WireGuard VPN client, where the VPN service is provided by Torguard.

All connected devices are getting internet through the VPN and working well.

The issue is I have a telephony server which requires an open port 8246.

When I test port forwarding with the Torguard Windows client app on a PC it works well, but not when connecting through DD-WRT WireGuard.



The port is forwarded from the DSL router to DD-WRT, and I even tried putting DD-WRT in the DMZ once.

The port is forwarded from DD-WRT to the telephony server; I tried both the port forwarding under the 'NAT/QoS' option and setting a firewall script:


Code:
# port as seen on the tunnel (external) and on the telephony server (internal)
ext_port=8246
int_port=8246
int_ip=192.168.0.106
# translate traffic arriving for the WireGuard (oet1) address to the server
iptables -t nat -I PREROUTING -p tcp -d $(nvram get oet1_ipaddr) --dport $ext_port -j DNAT --to $int_ip:$int_port
# let the translated traffic through the FORWARD chain
iptables -I FORWARD -p tcp -d $int_ip --dport $int_port -j ACCEPT


Please help; I appreciate any guidance.


Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sun Apr 17, 2022 10:14    Post subject:
The port must also be forwarded at the Torguard server. The app probably does that.

You can exclude the telephony from the VPN and let it out directly on the WAN with PBR.

In either case, packets must go out the same route they came in.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Apr 17, 2022 11:56    Post subject:
Per Yngve Berg wrote:
The port must also be forwarded at the Torguard server. The app probably does that.

You can exclude the telephony from the VPN and let it out directly on the WAN with PBR.

In either case, packets must go out the same route they came in.


To elaborate on this (excellent) answer: if you decide to go the port forward route, then disable SFE on the Setup page (it adds a lot of latency) and disable CVE mitigation.

From the recent guide:
Quote:
Test this script from the command line and if it works: Administration/Commands and Save as Firewall.
Furthermore, disable CVE mitigation in the GUI and probably disable SFE (Shortcut Forwarding Engine) on the Setup page.


Check if the port forward rules are hit (e.g. if you have set up Torguard correctly to forward the port on their servers) with:
iptables -vnL -t nat
iptables -vnL FORWARD

But actually a better approach might be to use policy based routing to exclude the telephony server from the VPN; you can use the IP or even the port to route via the WAN.
It is explained in the Guides :)

(Note: depending on router and setup, and in rare cases, the WAN might not be available after a restart of the router and you have to hit Apply on the WireGuard setup page.)

P.S. When you post, always mention not only the router model but also the build number so that we can give optimal support :)

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Mari0s
DD-WRT Novice


Joined: 09 May 2020
Posts: 5

Posted: Mon Apr 18, 2022 14:19    Post subject:
Thank you all for trying to help.

Sorry, I forgot to mention that I am using DD-WRT r48646.
I don't want to exclude the PBX server, as the main idea is to bypass the ISP's deep packet inspection firewall.

I did a hard reset and started from scratch; this time I changed the configuration from 'client' to 'WAP' to benefit from one subnet for all devices. What I did:

* After the hard reset, followed this guide to set up WAP.

* Then followed your well written and much appreciated guide here to set up WG on the client.

* Added the following firewall script:

Code:
# masquerade forwarded traffic leaving on the LAN bridge with the router's own LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# allow traffic entering on br0 to reach the PBX on 8246 (udp and tcp)
iptables -I FORWARD -i br0 -p udp -d 192.168.1.155 --dport 8246 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -d 192.168.1.155 --dport 8246 -j ACCEPT
# translate port 8246 arriving on br0 to the PBX
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 8246 -j DNAT --to-destination 192.168.1.155
iptables -t nat -I PREROUTING -i br0 -p udp --dport 8246 -j DNAT --to-destination 192.168.1.155


* Did the changes:

  • Disabled CVE-2019-14899 mitigation.
  • Disabled firewall inbound.
  • Disabled SPI firewall.
  • From the ISP router, set the WG router in the DMZ.
  • Tried forwarding the required port from the ISP router to the DD-WRT router.


* iptables -nvL:

Code:

Chain INPUT (policy ACCEPT 21099 packets, 2536K bytes)
 pkts bytes target     prot opt in     out     source               destination
   72 48926 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
 6374 3099K ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:1337

Chain FORWARD (policy ACCEPT 17251 packets, 2844K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.1.155        tcp dpt:8246
    0     0 ACCEPT     udp  --  br0    *       0.0.0.0/0            192.168.1.155        udp dpt:8246
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain OUTPUT (policy ACCEPT 20289 packets, 4435K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_11 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_12 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_15 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_16 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_17 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_18 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_19 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_20 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain lan2wan (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset

Chain trigger_out (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain upnp (0 references)
 pkts bytes target     prot opt in     out     source               destination


What is missing to make it work? I am not good with NAT and iptables. I know the Torguard side is OK, as the forwarding works on a Windows machine using the Torguard app instead of the router.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Apr 18, 2022 16:13    Post subject:
Running a VPN on a WAP complicates things; impossible it is not, but normal traffic will use the ISP router and will not go out through the tunnel (the Advanced setup guide has solutions for this though).

First check if you have internet via the tunnel from your clients and also from the telephony server.

All the things you are doing regarding port forwarding do not seem very useful.

You want port forwarding via the tunnel and not via the WAN, so using a DMZ, changing the firewall etc. will not help.

First you have to be sure that the port forwarding on Torguard's side is set up correctly.
That it works with an app does not mean much.
See: https://trash-guides.info/Misc/How-to-setup-Torguard-for-port-forwarding/

If that works, you have a port forward from Torguard's external IP address (the address you see with e.g. ipleak.net) to your WireGuard (oet) interface, e.g. 10.100.x.x

Then you have to port forward from your WireGuard (oet) interface to your telephony server.
A port forward consists of an address translation, e.g. from the example in the guide:
Code:
iptables -t nat -I PREROUTING -p tcp -d $(nvram get oet1_ipaddr) --dport $ext_port -j DNAT --to $int_ip:$int_port

and an opening of the firewall:
Code:
iptables -I FORWARD -p tcp -d $int_ip --dport $int_port -j ACCEPT


You have to fill in the right addresses and port and also the right protocol, or better, enable it for both udp and tcp.

I have done this for my own provider Mullvad without a problem, but on a normal gateway router and not on a WAP; theoretically that should not matter.

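The two-rule forward egc describes above (a DNAT in nat/PREROUTING plus an ACCEPT in FORWARD) and the counter check from the earlier reply (iptables -vnL -t nat / iptables -vnL FORWARD), as an added example that is not code from the thread, from DD-WRT or from any guide. It generates the rules for both tcp and udp, scoped to the WireGuard interface, and parses iptables -v output to tell whether any packet ever reached the rules, which is the quickest way to separate a provider-side forwarding problem from a local firewall problem. Assumed: the WireGuard interface is oet1 (as in the thread); the tunnel address 10.100.0.2, the PBX address 192.168.1.155 and the two counter samples are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread, DD-WRT or Torguard): build a tunnel-side
# port forward and check iptables -v counters to see whether traffic ever
# reached the rules. oet1 is the DD-WRT WireGuard interface from the thread;
# addresses and counter samples below are constructed.

WG_IF="${WG_IF:-oet1}"

# wg_forward_rules TUNNEL_ADDR EXT_PORT INT_IP INT_PORT
# Prints one iptables command per line for tcp and udp. Both rules are limited
# to traffic arriving on the tunnel interface, and the DNAT also matches the
# tunnel address (on DD-WRT: $(nvram get oet1_ipaddr)) so that nothing from
# the LAN or the ISP-side WAN is translated. Pipe the output to sh to apply.
wg_forward_rules() {
    tun=$1; ext=$2; ip=$3; int=$4
    for proto in tcp udp; do
        echo "iptables -t nat -I PREROUTING -i $WG_IF -p $proto -d $tun --dport $ext -j DNAT --to-destination $ip:$int"
        echo "iptables -I FORWARD -i $WG_IF -p $proto -d $ip --dport $int -j ACCEPT"
    done
}

# rule_hits INT_IP PORT   (reads `iptables -vnL ...` output on stdin)
# Sums the pkts column of every rule line matching dpt:PORT that names INT_IP
# either as destination (FORWARD) or as DNAT target "to:INT_IP:..." (nat),
# expanding the K/M/G suffixes iptables -v uses for large counters.
# Prints the total; exit status 0 if at least one packet hit, 1 otherwise.
# Zero hits while the outside test is running means the packets never came in
# through the tunnel, so the provider-side forward is what to check next.
rule_hits() {
    awk -v ip="$1" -v port="$2" '
        function num(s,   n, u) {
            n = s + 0; u = substr(s, length(s), 1)
            if (u == "K") n *= 1000
            else if (u == "M") n *= 1000000
            else if (u == "G") n *= 1000000000
            return n
        }
        $1 ~ /^[0-9]/ {
            hitport = 0; hitip = ($9 == ip)
            for (i = 10; i <= NF; i++) {
                if ($i == ("dpt:" port)) hitport = 1
                if ($i == ("to:" ip) || index($i, "to:" ip ":") == 1) hitip = 1
            }
            if (hitport && hitip) total += num($1)
        }
        END { print total + 0; exit (total > 0 ? 0 : 1) }'
}

# Constructed samples in the layout of `iptables -vnL -t nat` / `iptables -vnL FORWARD`.
# SAMPLE_QUIET: rules present but never hit (the situation in the thread).
SAMPLE_QUIET='Chain PREROUTING (policy ACCEPT 1011 packets, 75821 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  oet1   *       0.0.0.0/0            10.100.0.2           tcp dpt:8246 to:192.168.1.155:8246
    0     0 DNAT       udp  --  oet1   *       0.0.0.0/0            10.100.0.2           udp dpt:8246 to:192.168.1.155:8246
Chain FORWARD (policy ACCEPT 17251 packets, 2844K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  oet1   *       0.0.0.0/0            192.168.1.155        tcp dpt:8246
    0     0 ACCEPT     udp  --  oet1   *       0.0.0.0/0            192.168.1.155        udp dpt:8246'
# SAMPLE_ACTIVE: the same rules after traffic has arrived through the tunnel.
SAMPLE_ACTIVE='Chain PREROUTING (policy ACCEPT 1011 packets, 75821 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DNAT       tcp  --  oet1   *       0.0.0.0/0            10.100.0.2           tcp dpt:8246 to:192.168.1.155:8246
Chain FORWARD (policy ACCEPT 17251 packets, 2844K bytes)
 pkts bytes target     prot opt in     out     source               destination
  12K  900K ACCEPT     tcp  --  oet1   *       0.0.0.0/0            192.168.1.155        tcp dpt:8246
    0     0 ACCEPT     udp  --  oet1   *       0.0.0.0/0            192.168.1.155        udp dpt:8246'

# Stand-alone demo: print the rules, then evaluate both samples.
wg_forward_rules 10.100.0.2 8246 192.168.1.155 8246
for s in "$SAMPLE_QUIET" "$SAMPLE_ACTIVE"; do
    if hits=$(printf '%s\n' "$s" | rule_hits 192.168.1.155 8246); then
        echo "rules hit: $hits packets reached the forward"
    else
        echo "rules hit: $hits packets; traffic is not arriving on $WG_IF"
    fi
done
```

On the router itself the check is `iptables -vnL -t nat | rule_hits 192.168.1.155 8246` while a connection to the provider's external address and port is attempted from outside. A DNAT counter that stays at zero points upstream of the router (the provider-side forward or the tunnel), while a DNAT counter that rises with a FORWARD counter stuck at zero points at the local FORWARD rules or SFE/CVE-mitigation settings mentioned above; the reply path still has to leave through the tunnel, which is what the "same route it came in" remark refers to.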