RT-AX58U wireguard iptables config for site to site with wg_manager vs wg-quick

dominatorstang

Occasional Visitor
Because I am behind a CGNAT, I am using a VPS to host services from my local server, with a WireGuard tunnel connecting them. I used mochman's script to set up the tunnel between an Ubuntu VM I have on my local network and an Ubuntu VM on my VPS. The local VM is actually just relaying traffic to different IPs and ports on my local network.

But now I would like to use one of my ASUS routers for the tunnel instead of my local VM. My first choice is my RT-AX58U, which is being used as an AP only. My second choice is my RT-AC86U, which is being used only as a router and internet gateway. Now I have tried on both of these routers the same configuration I use on the local Ubuntu WireGuard wg-quick, and they are connecting. But they do not route traffic correctly, and I can no longer access the Asus device's web interface when the tunnel is up. It makes sense that it would be my iptables settings, but I am not sure how I should have them set. I did also read through https://github.com/ZebMcKayhan/WireguardManager#site-2-site and created some files to see that the iptables config certainly looks very different from mine.


Code:
[Interface]
PrivateKey = removed
Address = 10.1.0.2/24

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.104:80; iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.104:80; iptables -t nat -D POSTROUTING -p tcp --dport 80 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.104:443; iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.104:443; iptables -t nat -D POSTROUTING -p tcp --dport 443 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.104:8080; iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.104:8080; iptables -t nat -D POSTROUTING -p tcp --dport 8080 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.104:8443; iptables -t nat -A POSTROUTING -p tcp --dport 8443 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.104:8443; iptables -t nat -D POSTROUTING -p tcp --dport 8443 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to-destination 192.168.1.104:5800; iptables -t nat -A POSTROUTING -p tcp --dport 5800 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 5800 -j DNAT --to-destination 192.168.1.104:5800; iptables -t nat -D POSTROUTING -p tcp --dport 5800 -j MASQUERADE


[Peer]
PublicKey = removed
AllowedIPs = 0.0.0.0/0
Endpoint = removed
PersistentKeepalive = 25
 

ZebMcKayhan

Very Senior Member
I don't really understand what you are after or what your issue is. Sounds like you are in the middle of something.

Ok, you are using a vps service to create a site-2-site and would like your Asus router to participate. This should not be any problem. I would use the AC86U for this as it is routing already.

Wgm normally takes care of firewall rules, so you don't have to care about them for the LAN behind the Asus router.

I'm seeing AllowedIPs 0.0.0.0/0 in your config, why? Did you create this config? This should normally be the destinations reachable over the tunnel. 0.0.0.0/0 means all internet traffic goes over the tunnel. Was this your intention?

As you are connecting more than 2 networks, perhaps this is better suited?
https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#site-2-multisite--mesh
 

dominatorstang

Occasional Visitor
Sorry, I probably did not word it very well. I am doing a site to site, but only to gain an IPv4 IP address that allows me to host services to the internet. So hosting things like plex and nextcloud on my local network server can be accessed from the VPS IP address.

The configuration I posted works perfectly for this when running it on Ubuntu. I have Nextcloud running on 192.168.1.104, and the traffic gets directed in and out of Nextcloud over the internet just fine, or from my local network directly to Nextcloud just fine too. I am not really wanting all traffic to go over the tunnel from the service, just traffic that originated from the tunnel.

Now when I put this configuration on my local network AC86U or AX58U, it does not appear to be routing the traffic, and I can no longer access the web interface of the ASUS device. SSH still works fine, so I stop the tunnel and then the web interface loads again.

I will be happy to have it functioning properly on either of the two routers. I only chose the AX58U since I felt its processing power was not being fully utilized currently, since my AC68Us handle most of my WiFi, being N and AC. Just trying to split things out too: AC86U doing the adware blocking, one AC68U doing MQTT broker, and AX58U for WireGuard.
 

ZebMcKayhan

Very Senior Member
I am not really wanting all traffic to go over the tunnel from the service, just traffic that originated from the tunnel.
Well, there are ways to set it up like this, marking packets using connmark, but if all traffic is OK with you that's probably easiest.

Now when I put this configuration on my local network AC86U or AX58U, it does not appear to be routing the traffic and I can no longer access the web interface of the ASUS device. SSH still works fine so i stop the tunnel and then the web interface loads again.
How did you import your file in wgm? As a server or as a client?
Where is your firewall in all this? What location will be responsible for blocking unsolicited inbound connections? The vps machine? Or the local Wireguard instance?

I would probably import this as a client in wgm so you get the firewall on your side. You could use policy routing so only the services you share are using the tunnel for all data.
Then you will need to setup port forward for the specific services you share.
 

dominatorstang

Occasional Visitor
The local network is behind a CGNAT, so I imported it as a client that is reaching out to the VPS to create the tunnel. I do also have a file called forwarded_ports that I have to maintain for the Ubuntu WireGuard instance when I add more ports, along with adding them in the .conf file with a destination IP.

"forwarded_ports" file
80/tcp,443/tcp,8080/tcp,8443/tcp,5800/tcp

I did try following https://github.com/ZebMcKayhan/WireguardManager#site-2-site to create the home and cabin files and then was trying to use the firewall settings and such from the cabin config, but I just was not getting it correctly.

I currently have all ports open on the VPS network management side. Mochman's script ends up handling the firewall for me on the VPS side, and I did not notice it doing anything on the local Ubuntu side with a firewall, just updating my forwarded_ports and .conf file when I add new ports and IP destinations. Surprisingly, the Ubuntu instance does very well at letting my services' traffic stay local or go through the tunnel as needed to access over the internet, both while the tunnel stays up.
 

dominatorstang

Occasional Visitor
Looks like the script is taking care of my firewall on both sides. I get the same output when running ufw status on each.
Here are all the rules that have been added.
ufw allow 22/tcp
ufw allow 55108
ufw allow 443/tcp
ufw allow 80/tcp
ufw allow 8123/udp
ufw allow 5128/tcp
ufw allow 8080/tcp
ufw allow 8443/tcp
ufw allow 9443/tcp
ufw allow 5800/tcp


# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
55108                      ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
8123/udp                   ALLOW       Anywhere
5128/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
9443/tcp                   ALLOW       Anywhere
5800/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
55108 (v6)                 ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
8123/udp (v6)              ALLOW       Anywhere (v6)
5128/tcp (v6)              ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
8443/tcp (v6)              ALLOW       Anywhere (v6)
9443/tcp (v6)              ALLOW       Anywhere (v6)
5800/tcp (v6)              ALLOW       Anywhere (v6)

Here is the conf file on the VPS side
[Interface]
PrivateKey = removed
ListenPort = 55108
Address = 10.1.0.1/24

PostUp = iptables -t nat -A PREROUTING -p tcp -i ens3 --match multiport --dports 443,80,5128,8080,8443,9443,5800 -j DNAT --to-destination 10.1.0.2
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j SNAT --to-source 10.0.0.145
PostUp = iptables -t nat -A PREROUTING -p udp -i ens3 --match multiport --dports 8123 -j DNAT --to-destination 10.1.0.2;

PostDown = iptables -t nat -D PREROUTING -p tcp -i ens3 --match multiport --dports 443,80,5128,8080,8443,9443,5800 -j DNAT --to-destination 10.1.0.2
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j SNAT --to-source 10.0.0.145
PostDown = iptables -t nat -D PREROUTING -p udp -i ens3 --match multiport --dports 8123 -j DNAT --to-destination 10.1.0.2;

[Peer]
PublicKey = removed
AllowedIPs = 10.1.0.2/32
 

ZebMcKayhan

Very Senior Member
The local network is behind a CGNAT so I imported it as a client that is reaching out to the VPS to create the tunnel.
Ok, and this way your internet data went through the VPS? Or did it not work?
If you import it in wgm as a client you will have the firewall between your LAN and the VPS. So if the VPS handles the firewall this may not be the best choice after all.

I did try following https://github.com/ZebMcKayhan/WireguardManager#site-2-site to create the home and cabin files and then was trying to use the firewall settings and such from the cabin config, but I just was not getting it correctly.
But you don't have a site-2-site, you only have a peer2peer, but with internet connection. You said you already had a config file, try to import it as a server instead:
Code:
E:Option ==> import File.conf type=server

You also said you experienced some weird issues, so you might need to remove all Post/PreUp/Down lines from the file before importing. And if you still experience issues you might change the AllowedIPs to only the VPS WireGuard IP, then add the 0.0.0.0/0 after the import.

At this point you should be able to freely access the vps over the tunnel, but not to internet.

To take care of internet routing:
https://github.com/ZebMcKayhan/Wire...n/README.md#route-site-2-site-internet-access

You will need to setup rules for all your services ips to use internet via the tunnel.

Depending on how your VPS is routing data you might need more changes. Preferably your VPS should forward a specific port's packets directly to your service IP, but if it's not you might need to forward them again on your router, but that's unnecessary in my opinion; change the VPS to do this right!
 

dominatorstang

Occasional Visitor
My firewall rules are certainly one I have not addressed yet and I guess could be a big part of my problem. The port forwarding is another I do not know how to address properly. It just used the file on ubuntu, but I am not yet sure how to properly handle it on the AX58U.

I had tried server before with my config file, but it does not grab the IP of my VPS from the conf file and try to connect to it. To double check, I just removed wg_manager and reinstalled it and then tried again as server, but it still almost acts like it waits on a connection... I should probably make sure and mention that I am running it on the RT-AX58U with 386.7_2 firmware. I like testing it on the AX58U as I currently have it as an extra AP that I can reboot without disrupting my home network. Previous testing on the main router AC86U has had the same results though.
(screenshots attached)


bringing it in as a client I get
(screenshots attached)


wg21.conf and wg11.conf are identical, containing the below.
[Interface]
PrivateKey = removed
Address = 10.1.0.2/24

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.104:80; iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.104:80; iptables -t nat -D POSTROUTING -p tcp --dport 80 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.104:443; iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.104:443; iptables -t nat -D POSTROUTING -p tcp --dport 443 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.104:8080; iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.104:8080; iptables -t nat -D POSTROUTING -p tcp --dport 8080 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.104:8443; iptables -t nat -A POSTROUTING -p tcp --dport 8443 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.104:8443; iptables -t nat -D POSTROUTING -p tcp --dport 8443 -j MASQUERADE

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to-destination 192.168.1.104:5800; iptables -t nat -A POSTROUTING -p tcp --dport 5800 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 5800 -j DNAT --to-destination 192.168.1.104:5800; iptables -t nat -D POSTROUTING -p tcp --dport 5800 -j MASQUERADE


[Peer]
PublicKey = removed
AllowedIPs = 0.0.0.0/0
Endpoint = 141.148.179.220:55108
PersistentKeepalive = 25

As server or client I lose the web interface on the router, which I guess is because it is using port 80 and/or 443, and I call them out in the conf but am not handling the traffic correctly.
 

ZebMcKayhan

Very Senior Member
had tried server before with my config file, but it does not grab the IP of my VPS from the conf file and try to connect to it. To double check, I just removed wg_manager and reinstalled it and then tried again as server, but still almost acts like it waits on a connection...
How could you tell? As your .conf file contains an endpoint it should try to connect to the other peer.

From your pictures there are some issues with your Post/PreUp/Down commands. Try to remove them and import the config file as a server. Then start the server and execute the commands manually to figure out what's wrong. The commands look iffy; they should probably be rewritten to suit the router's iptables and also include the input interface to take care of your port 80 issues. Put them in wg21-up.sh and wg21-down.sh instead.
 

dominatorstang

Occasional Visitor
The commands looks iffy, they should probably be rewritten to suite the router iptables and also include input interface to take care of your port 80 issues. Put them in wg21-up.sh and wg21-down.sh instead.
Okay, I saw that information you pointed out in your writeup. I will give that a try. Thank you!
 

ZebMcKayhan

Very Senior Member
I would still advise against using your AP for this. As you are not using your gateway, you will need to masquerade all data so replies find their way back (as your iptables commands already do). This means all communication appears to come from your AP, and you have no ability to monitor access, intruders and such on your service machine.

But I understand using it to try and get it to work, but once there I would opt to move this to your gateway and remove the masquerade commands. And even better, make DNAT on your VPS directly to your server and remove DNAT on your gateway completely. But you will need a way to control your services' internet access, similar to what I have in my guide.
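An added worked example (not code from this thread, from wg_manager or from mochman's script) of what ZebMcKayhan's two suggestions above look like in one script: the DNAT is restricted to the tunnel's input interface so LAN requests to the router's own :80/:443 are left alone, connection marking plus a policy-routing table sends only the replies to tunnel-originated connections back through the tunnel (instead of routing everything via 0.0.0.0/0), and MASQUERADE is applied only when the router is an AP rather than the LAN gateway. Assumed names, all of them mine: tunnel interface wg21, LAN bridge br0, service host 192.168.1.104, fwmark 0x21 and routing table 121 (check both are unused on your router), and that your wg21-up.sh / wg21-down.sh call this file with an `up` or `down` argument.

```shell
#!/bin/sh
# Added example, not part of the thread or of wg_manager: firewall and policy-routing
# rules for a wg_manager peer that publishes LAN services through the tunnel.
# Assumptions (adjust to your router): tunnel wg21, LAN bridge br0, service host
# 192.168.1.104, fwmark 0x21 and routing table 121 unused by anything else.
IPT="${IPT:-iptables}"   # set IPT=echo IP=echo for a dry run that only prints the commands
IP="${IP:-ip}"
WG_IF="${WG_IF:-wg21}"
LAN_IF="${LAN_IF:-br0}"
SERVICE_IP="${SERVICE_IP:-192.168.1.104}"
TCP_PORTS="${TCP_PORTS:-80,443,8080,8443,5800}"
MODE="${MODE:-gateway}"  # gateway: keep real client IPs; ap: router is not the LAN default gateway
MARK=0x21
TABLE=121

# fw_rules <-A|-D> <service ip> <comma-separated tcp ports>
fw_rules() {
  act="$1"; svc="$2"; ports="$3"
  # DNAT only what arrives on the tunnel. Without "-i $WG_IF" the same rule also rewrites
  # LAN clients' requests to the router's own :80/:443, which is why the GUI vanishes.
  $IPT -t nat "$act" PREROUTING -i "$WG_IF" -p tcp -m multiport --dports "$ports" -j DNAT --to-destination "$svc"
  # Forward only the published ports to the service host, and the replies back.
  $IPT "$act" FORWARD -i "$WG_IF" -o "$LAN_IF" -d "$svc" -p tcp -m multiport --dports "$ports" -j ACCEPT
  $IPT "$act" FORWARD -i "$LAN_IF" -o "$WG_IF" -s "$svc" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Remember which connections came in over the tunnel, and put that mark back on the
  # replies so the ip rule below routes them out $WG_IF instead of the WAN default route.
  $IPT -t mangle "$act" PREROUTING -i "$WG_IF" -m state --state NEW -j CONNMARK --set-mark "$MARK"
  $IPT -t mangle "$act" PREROUTING -i "$LAN_IF" -s "$svc" -m connmark --mark "$MARK" -j CONNMARK --restore-mark
  if [ "$MODE" = "ap" ]; then
    # An AP is not the service host's default gateway, so replies would go to the real
    # gateway unless the source is rewritten to the AP. Cost: the service only ever logs the AP's IP.
    $IPT -t nat "$act" POSTROUTING -o "$LAN_IF" -d "$svc" -p tcp -m multiport --dports "$ports" -j MASQUERADE
  fi
}

# route_rules <add|del>: marked replies use a table whose only route is the tunnel
route_rules() {
  $IP rule "$1" fwmark "$MARK" table "$TABLE"
  $IP route "$1" default dev "$WG_IF" table "$TABLE"
}

case "${1:-}" in
  up)   fw_rules -A "$SERVICE_IP" "$TCP_PORTS"; route_rules add ;;
  down) fw_rules -D "$SERVICE_IP" "$TCP_PORTS"; route_rules del ;;
esac
```

Run it with `IPT=echo IP=echo sh wg21-rules.sh up` first to see the exact iptables and ip commands before applying them. If the VPS is changed to DNAT straight to 192.168.1.104, as suggested above, drop the nat PREROUTING line here and add 192.168.1.104/32 to that peer's AllowedIPs on the VPS; the mark and route rules are still what keeps the replies out of the WAN default route. If inbound tunnel packets carrying internet source addresses are dropped on the router, reverse-path filtering on the tunnel interface (net.ipv4.conf.wg21.rp_filter) may need to be set to loose mode.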
 

Martineau

Part of the Furniture
My firewall rules are certainly one I have not addressed yet and I guess could be a big part of my problem. The port forwarding is another I do not know how to address properly. It just used the file on ubuntu, but I am not yet sure how to properly handle it on the AX58U.

I like testing it on the AX58U as I currenlty have it as an extra AP that I can reboot without disrupting my home network.
FYI

Currently I rarely have the opportunity to use my testing hardware (RT-AX86U/RT-AX58U) as a main router, so to test IPv6 etc. I am forced to use them as downstream ROUTERs (rather than APs) for Wireguard Manager development without disrupting the main network.

NOTE: The upstream main router needs to forward the necessary ports (51820/1150n) to access the Wireguard 'server' Peers e.g. wg21/wg22 etc. using its GUI.

You can identify the iptables errors for the start wg21 command by executing the command in verbose debug mode
Code:
start wg21 debug

Similarly, I'm not sure of the reason for the [: missing ] error when using command peer import wg0.conf type=server so you should execute the command whilst in FULL verbose debug mode (if you have the time/inclination to provide diagnostics)
Code:
e  = Exit Script [?]

E:Option ==> debug
Code:
E:Debug mode enabledOption ==> peer import wg0.conf type=server
then either PM me the output, or post the output say via 'https://pastebin.com/'.
 

dominatorstang

Occasional Visitor
Thank you ZebMcKayhan and Martineau, I am going to have to come back to this a little later. I am certain the direction you both are leading me will get it working in the manner I am wanting, but I have a few other big projects I need to complete first so I can then focus properly into this one.
 
