
I wanted to expose an IPcam to the Internet using a WireGuard tunnel; the diagram looks like this:

    Client ---> ServerA ---(wireguard)---> ServerB ---(LAN)---> Cam

I've set proper DNAT and SNAT rules; but only TCP works, UDP doesn't. 🤔

ServerA rules:

    table inet filter {
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
            ##IPcam - forwards to ServerB
            iifname eth0 tcp dport 5541 dnat ip to 192.168.2.2:5541
            iifname eth0 udp dport 5541 dnat ip to 192.168.2.2:5541
        }
        chain postrouting {
            type nat hook postrouting priority 0; policy accept;
            oifname eth0 masquerade
            ##IPcam
            oifname wg2 ip daddr 192.168.2.2 tcp dport 5541 snat to 192.168.2.1
            oifname wg2 ip daddr 192.168.2.2 udp dport 5541 snat to 192.168.2.1
        }
    }

ServerB rules:

    table inet filter {
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
            ##IPcam - Forwards to actual cam
            iifname wg0 tcp dport 5541 dnat ip to 192.168.5.63:554
            iifname wg0 udp dport 5541 dnat ip to 192.168.5.63:554
        }
        chain postrouting {
            type nat hook postrouting priority 0; policy accept;
            oifname eth0 masquerade
        }
    }

When streaming using TCP it works perfectly, but UDP does not work.

    // tcp works
    mpv --rtsp-transport=tcp rtsp://serverA:5541/Streaming/Channels/1
    // udp does not work
    mpv --rtsp-transport=udp rtsp://serverA:5541/Streaming/Channels/1

Even though the rules for UDP and TCP are the same, why does TCP work but UDP fail?

ChatGPT is spitting out garbage; any help would be highly appreciated. 🙏

  • 3
    Since you're using VPN: don't NAT, just forward transparently. Commented Dec 29, 2024 at 10:39
  • @Zac67 Not using VPN. ServerA has a public IP whereas ServerB and Cam do not; WireGuard is being used as a tunnel to expose ServerA Commented Dec 29, 2024 at 11:40
  • 3
    Wireguard is a VPN. It provides tunneling for private addresses, so there's absolutely no reason to NAT. Commented Dec 29, 2024 at 11:49
  • So, how exactly do I expose the IPcam or ServerB when they're behind NAT? ServerA only has a public IP and is at a different location. Anyway, if you can't help, don't make suggestions. Commented Dec 29, 2024 at 12:00
  • 1
    You want to use a public address of ServerA to access IPcams connected to ServerB from the Internet? Then you need NAT, maybe, only on ServerA. ServerB should not need any NAT setup for that. In general, in the vast majority of cases, NAT is only needed at the points where a private network needs to interact with the public Internet. In your case this is ServerA, which can and should, and seems to be expected to, become a part of your private network, along with having a public address. It's a job for Wireguard, a VPN - Virtual Private Network building block. Commented Dec 29, 2024 at 13:13
