
Unable to forward ports using wireguard

lemmy.sdf.org/post/627318

My goal is to forward port 8096 from my private server to my public server. That is, any traffic at public server’s port 8096 should be tunneled to port 8096 of my private server and back. I’ve set up a wireguard tunnel and ping is working from one device to the other. In this, 10.8.0.1 is the private server and 10.8.0.2 is the public server. Here are my config files (/etc/wireguard/wg0).

--- On the public server ---

[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = *****************************************

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding
PreUp = firewall-cmd --zone=public --add-port 8096/tcp
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = firewall-cmd --zone=public --remove-port 8096/tcp

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.1

--- On the private server ---

[Interface]
Address = 10.8.0.1/24
PrivateKey = *****************************************

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.2
Endpoint = <public-server-addr>:51820
PersistentKeepalive = 25

Now, I’m trying to test the connection using netcat. I’m listening from my private server using nc -l 8096 (I’ve made sure that the port is unblocked) and trying to connect from a third device using nc <public-server-addr> 8096 but it’s not working. I have no idea what’s going on here. Some help from experienced people is very appreciated.

It’s been a long time since I did forwarding through wireguard so this might be outdated, missing info or actually doing unneeded stuff, but I had these notes saved in some old iptables personal documentation from like 4 years ago that might shed some light:

Allow first packet to start the connection

iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT

Allow already established connections

iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Send whatever arrives via port 80 or 443 to the other side of the wg tunnel

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.3.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.3.1

Modify source address so it can return

iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.3.1 -j SNAT --to-source 192.168.3.2
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.3.1 -j SNAT --to-source 192.168.3.2
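The rule set from the notes above, applied to the original question (port 8096, public NIC eth0, tunnel wg0, private server 10.8.0.1, public server's tunnel address 10.8.0.2), as an added example script that is not part of the thread. The interface names and addresses are taken from the post; the script only generates and applies the rules, it does not touch the WireGuard config.

```shell
#!/bin/sh
# Added example (not from the thread): generate the FORWARD + NAT rules the
# reply above describes, for the original poster's case. Assumed from the post:
# public NIC eth0, tunnel wg0, forwarded port 8096, private server 10.8.0.1,
# public server's tunnel address 10.8.0.2. Override via environment variables.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
PORT="${PORT:-8096}"
PRIVATE_IP="${PRIVATE_IP:-10.8.0.1}"
PUBLIC_WG_IP="${PUBLIC_WG_IP:-10.8.0.2}"

# Print one iptables command per line. $1 is -A (PreUp) or -D (PostDown), so
# the add and delete lists come from the same source and cannot drift apart.
wg_forward_rules() {
    act="$1"
    # filter/FORWARD: a DNATed packet is forwarded, not delivered locally, so
    # it must also pass FORWARD. The posted config only had nat rules.
    printf 'iptables %s FORWARD -i %s -o %s -p tcp --syn --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$act" "$WAN_IF" "$WG_IF" "$PORT"
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$act" "$WAN_IF" "$WG_IF"
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$act" "$WG_IF" "$WAN_IF"
    # nat/PREROUTING: rewrite the destination so the packet is routed into the tunnel.
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$act" "$WAN_IF" "$PORT" "$PRIVATE_IP" "$PORT"
    # nat/POSTROUTING: rewrite the source to the public server's tunnel address
    # so the private server's replies come back through wg0, not its default route.
    printf 'iptables -t nat %s POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$act" "$WG_IF" "$PRIVATE_IP" "$PORT" "$PUBLIC_WG_IP"
}

wg_forward_rule_count() { wg_forward_rules -A | wc -l | tr -d ' '; }

# $1 = up | down. With DRY_RUN set, print the commands instead of running them
# (handy to compare against `iptables -S FORWARD` and `iptables -t nat -S`).
wg_forward_apply() {
    case "$1" in up) act=-A ;; down) act=-D ;; *) return 2 ;; esac
    wg_forward_rules "$act" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Usage: wg-forward.sh up   (e.g. PreUp = /path/wg-forward.sh up in wg0.conf)
if [ $# -gt 0 ]; then wg_forward_apply "$1"; fi
```

If firewalld is active on the public server (the post uses firewall-cmd), also check that it is not dropping the forwarded traffic itself; `iptables -V` shows whether the binary is the nf_tables-backed one, which accepts the same syntax.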

If I run iptables directly, it tells me that I have the nf_tables version.