Port forwarding on WireGuard seems unsupported in 388.1

[EricSWE]

Router: RT-AX86U
WRT-Merlin: 388.1
VPN-service: Mullvad.net

I have set VPN-client configuration for WireGuard in WRT-Merlin and successfully connected. I'm running a Rpi 4 connected through LAN port 3 on the RT-AX86U and the Rpi runs Transmission. Port was showing on Transmission as closed so I then opened port in RT-AX86U and also opened it in Mullvad settings for that connection. Disabling Mullvad made the port open again.

I then switched to OpenVPN-protocol, still Mullvad as provider, and that fixed the problem. The Rpi is behind Mullvad VPN service and the port shows in Transmission as open.

As you can see switching from WireGuard to OpenVPN fixed my problem but I suspect that WRT-Merlin (or ASUS OEM firmware) can't forward ports when using WireGuard from the router.

This post is not really a question as I'm satisfied with using OpenVPN but if for developing/bug searching purposes you need me to post further information or try other things, let me know!

/Proud WRT-Merlin user since 2018

 

[EricSWE]

Ping @RMerlin

 

[RMerlin]

I can't help you, I don't use WireGuard.

 

[EricSWE]

I can't help you, I don't use WireGuard.

No need to help me. I switched to OpenVPN-protocol and port forwarding works fine on that. I just wanted to report what might be a bug, haven't found a way to report bugs.

 

[RMerlin]

Port forwarding with a VPN need to be manually configured (and your provider also needs to support it). It's not supported by the webui.

 

[SubaruGuy]

I have the same issue with wireguard on Merlin 388.1
I use TorGuard and have ports open, when use with TorGuard windows app works fine using wireguard, when try on router it refuses connection.

 

[EricSWE]

Port forwarding with a VPN need to be manually configured (and your provider also needs to support it). It's not supported by the webui.

Fully aware. I configured the port forwarding in the router and the port forwarding doesn't get applied for WireGuard but it does get applied for OpenVPN. Both protocols run from router with WRT-Merlin 388.1. This might not be a the fault of WRT-Merlin but ASUS-WRT firmware but I havent bothered to revert to ASUS-WRT to try it out.

 

[EricSWE]

I have the same issue with wireguard on Merlin 388.1
I use TorGuard and have ports open, when use with TorGuard windows app works fine using wireguard, when try on router it refuses connection.

It seems evident that port forwarding in the router only gets applied to OpenVPN-client and not WireGuard-client.

 

[abir1909]

This is very interesting as I have the same issue with TorGuard. Only works with OpenVPN not with Wireguard.
There were couple firmware updates since that post, has anything changed?
Also, @RMerlin mentioned that it should be configured manually, do you know how to do it at firewall-start script?

 

[Aiadi]

This should really be supported via webui.

 

[abir1909]

This should really be supported via webui.

The webui only supports OpenVPN

 

[DocUmibozu]

Merlin doesn't use wireguard, best shot is try via cli or, if you want a webui, report to asus

 

[abir1909]

Merlin doesn't use wireguard, best shot is try via cli or, if you want a webui, report to asus

agreed. but what are the lines I should add add to firewall-start in order to forward wireguard port?

 

[ZebMcKayhan]

agreed. but what are the lines I should add add to firewall-start in order to forward wireguard port?

Well, you could try something like:
nat-start:

iptables -t nat -I PREROUTING -p tcp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080 
iptables -t nat -I PREROUTING -p udp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080

firewall-start:

iptables -I FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT

Example will forward incoming packets on port 8001 on interface wgc1 and forward to 192.168.1.200 port 8080, both tcp and udp. Remove if you only need one of them. Adjust to your needs.

 

[abir1909]

Well, you could try something like:
nat-start:

iptables -t nat -I PREROUTING -p tcp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080
iptables -t nat -I PREROUTING -p udp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080

firewall-start:

iptables -I FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.1.200 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Example will forward incoming packets on port 8001 on interface wgc1 and forward to 192.168.1.200 port 8080, both tcp and udp. Remove if you only need one of them. Adjust to your needs.

Let me try and advise. Thanks

 

[ZebMcKayhan]

Let me try and advise. Thanks

Please note that for this to work, the ip forwarded to needs to be set to use the vpn interface in vpndirector.

 

[Jeffrey Young]

Well, you could try something like:
nat-start:

iptables -t nat -I PREROUTING -p tcp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080
iptables -t nat -I PREROUTING -p udp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080

firewall-start:

iptables -I FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT

Example will forward incoming packets on port 8001 on interface wgc1 and forward to 192.168.1.200 port 8080, both tcp and udp. Remove if you only need one of them. Adjust to your needs.

Don't forget to put delete rules in before the insert rules. Elsewise, your tables are going to have tons of duplicates as these scripts tend to get fired multiple times.

 

[abir1909]

Well, you could try something like:
nat-start:

iptables -t nat -I PREROUTING -p tcp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080
iptables -t nat -I PREROUTING -p udp -i wgc1 --dport 8001 -j DNAT --to-destination 192.168.1.200:8080

firewall-start:

iptables -I FORWARD -p tcp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.1.200 --dport 8080 -m state --state NEW -j ACCEPT

Example will forward incoming packets on port 8001 on interface wgc1 and forward to 192.168.1.200 port 8080, both tcp and udp. Remove if you only need one of them. Adjust to your needs.

unfortunately no luck. i am also not sure i am doing it 100% right.
i added the lines to both firewall-start and created nat-start. i changed the port to the one i am using and also change to wgc2 and port showing closed. have to run more tests.

 

[abir1909]

Please note that for this to work, the ip forwarded to needs to be set to use the vpn interface in vpndirector.

I was able to open the port on the fireguard vpn using the following lines only in firewall-start

ifconfig br0:0 192.168.1.xxx up
iptables -t nat -A PREROUTING -i wgc2 -p udp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx
iptables -t nat -A PREROUTING -i wgc2 -p tcp --dport 55xxx -j DNAT --to-destination 192.168.1.xxx

@Jeffrey Young do I still need to put the delete rules with the above lines?

 

[abir1909]

one more thing, does wireguard have kill switch?