
I set up WireGuard on a VPS to use it as a VPN to enable port forwarding for various uses like gaming and a NAS setup.

I want to open ports 45000, 56000 and 40000 for now. I am on Ubuntu 22.4 on a 27fiber VPS.

Given below are the UFW rules I have added:

To                         Action      From
--                         ------      ----
45000                      ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
45000/udp                  ALLOW       Anywhere
45000/tcp                  ALLOW       Anywhere
40000:60007/tcp            ALLOW       Anywhere
45000 (v6)                 ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
45000/udp (v6)             ALLOW       Anywhere (v6)
45000/tcp (v6)             ALLOW       Anywhere (v6)
40000:60007/tcp (v6)       ALLOW       Anywhere (v6)
10.7.0.2 56000/tcp         ALLOW FWD   Anywhere
10.7.0.2 45000/tcp         ALLOW FWD   Anywhere
10.7.0.2 56000/udp         ALLOW FWD   Anywhere
10.7.0.2 45000/udp         ALLOW FWD   Anywhere

This is my wg0 config:

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 181.xxx.32.x14

[Interface]
Address = 10.7.0.1/24, fddd:xxxxxx::1/64
PrivateKey = xxx
ListenPort = 51xx0

# BEGIN_PEER pcs
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.7.0.2/32, fddd:xxxx::2/128
# END_PEER pcs

This is the /etc/ufw/before.rules data:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens3 -p tcp --dport 56000 -j DNAT --to-destination 10.7.0.2
-A POSTROUTING -o ens3 -j MASQUERADE
-A PREROUTING -i ens3 -p tcp --dport 55000 -j DNAT --to-destination 10.7.0.2
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT

And this is the /etc/default/ufw file data:

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="ACCEPT"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""

Issues: I used this tool https://www.yougetsignal.com/tools/open-ports/ to check for open ports and the ports are closed. I tried restarting UFW too, no luck. Please help me with the config.

  • Have you enabled packet forwarding? Commented Sep 9, 2023 at 3:40
  • net.ipv4.ip_forward = 1 Yes, enabled Commented Sep 9, 2023 at 5:27
  • Please update the question and add the business related part about the question. Please also add more info, see here: How to Ask Commented Sep 9, 2023 at 5:48
  • I don't see any source NATing for packets being forwarded through the wg tunnel; when those packets arrive at your internal server it'll try to reply directly, rather than back through the tunnel. I would add -A POSTROUTING -o wg0 -j MASQUERADE where you have the other NAT rules. You also have MASQUERADE on the physical interface twice, that's not necessary, you can delete one of those Commented Dec 30, 2023 at 15:26
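The *nat section the last comment describes, as an added example that is not part of the question or any commenter's code: it generates a section with DNAT for every wanted port, a single MASQUERADE on the public interface and a single MASQUERADE on the tunnel interface, and it lints an existing section for the two problems the comment names (a duplicated MASQUERADE rule, and DNAT into the tunnel with no source NAT on it). It assumes the names from the question (interface ens3, tunnel wg0, peer 10.7.0.2) and the three ports the question asks for; the function names nat_rules and lint_nat are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the question or its commenters.
# Assumptions (taken from the question): WAN interface ens3, tunnel wg0,
# peer 10.7.0.2. nat_rules and lint_nat are hypothetical names.

# nat_rules WAN_IF TUN_IF PEER_IP PORT...
# Emits a complete *nat section: DNAT for tcp and udp on every port, one
# MASQUERADE on the WAN interface (peer traffic leaving via the VPS) and one
# MASQUERADE on the tunnel interface, so the peer sees the VPS's tunnel
# address as the source of forwarded connections and replies back through wg0.
nat_rules() {
  wan="$1"; tun="$2"; peer="$3"; shift 3
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for port in "$@"; do
    for proto in tcp udp; do
      printf '%s\n' "-A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $peer"
    done
  done
  printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE"
  printf '%s\n' "-A POSTROUTING -o $tun -j MASQUERADE"
  printf '%s\n' 'COMMIT'
}

# lint_nat TUN_IF < rules
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
lint_nat() {
  tun="$1"
  rules=$(cat)
  status=0
  # the same MASQUERADE rule listed more than once (harmless but pointless)
  dups=$(printf '%s\n' "$rules" | grep -e '-j MASQUERADE' | sort | uniq -d)
  if [ -n "$dups" ]; then
    printf 'duplicate rule: %s\n' "$dups"
    status=1
  fi
  # DNAT into the tunnel without source NAT on the tunnel: the peer answers
  # the original client directly instead of back through the tunnel
  if printf '%s\n' "$rules" | grep -q -e '-j DNAT' &&
     ! printf '%s\n' "$rules" | grep -q -e "-o $tun -j MASQUERADE"; then
    printf 'missing rule: -A POSTROUTING -o %s -j MASQUERADE\n' "$tun"
    status=1
  fi
  return $status
}

# Print the section for the three ports from the question; it replaces the
# *nat ... COMMIT block in /etc/ufw/before.rules, followed by 'ufw reload'.
nat_rules ens3 wg0 10.7.0.2 45000 56000 40000
```

Two things to check against the page's own output after applying this: forwarded traffic still needs the ufw route rules (the ALLOW FWD lines in the status output), which exist for 45000 and 56000 but not for 40000, and the posted /etc/default/ufw sets DEFAULT_INPUT_POLICY="ACCEPT", so the ALLOW rules in the status output are not restricting anything on the VPS itself; the usual hardened setting is DROP with explicit allows. The MASQUERADE on wg0 also means the peer's logs show 10.7.0.1 instead of the real client address for every forwarded connection.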
