
I run WireGuard on Debian with the additional interface wg0. With this ufw rule, I would expect that ufw would pass my traffic:

ufw allow in on wg0 to any

But instead, ufw is blocking the traffic:

[14674.950320] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.2 DST=54.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54263 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 
[14675.451891] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=fd00:0000:0000:0000:0000:0000:0000:0002 DST=2a05:xxx LEN=84 TC=0

Does anyone have an idea what's going on here?

Gill-Bates

1 Answer

The log shows two interfaces: IN=wg0 OUT=eth0. That means it's routed/forwarded traffic and not traffic with the node as destination, where OUT= would be empty. It translates in the backend (iptables) to the filter/FORWARD chain instead of the filter/INPUT chain.

The UFW syntax to control routed traffic is:

ufw [--dry-run] route [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all]

(not clearly apparent, but both in and out can be used at the same time)

So to allow the traffic that was blocked in OP's case:

ufw route allow in on wg0 out on eth0

or for any forwarded traffic coming from wg0 whatever the destination interface, just:

ufw route allow in on wg0

A.B
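As an added example (not part of A.B's answer or of ufw itself), the following POSIX shell snippet applies the distinction made above to raw "[UFW BLOCK]" kernel log lines: it reads the IN= and OUT= fields, classifies the packet as INPUT (OUT= empty, host is the destination) or FORWARD (OUT= set, packet is being routed), and prints the shape of the ufw rule that covers that chain. The two sample log lines are constructed for the example (the forwarded one mirrors the OP's line with its placeholder addresses); the function names are the example's own.

```sh
#!/bin/sh
# Added example: classify a "[UFW BLOCK]" log line by chain and suggest the
# matching ufw rule form. Only IN= and OUT= are inspected, as in the answer.

# Extract the value of a "KEY=" field from a netfilter log line.
# Empty fields (e.g. "OUT= ") yield an empty string.
ufw_log_field() {
    # $1 = log line, $2 = field name (IN, OUT, ...)
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\) .*/\1/p"
}

# Print INPUT if the packet was addressed to this host (OUT= empty),
# FORWARD if it was being routed to another interface (OUT= non-empty),
# UNKNOWN (exit 1) if the line carries no IN= field at all.
ufw_chain_for_line() {
    in_if=$(ufw_log_field "$1" IN)
    out_if=$(ufw_log_field "$1" OUT)
    if [ -z "$in_if" ]; then
        echo UNKNOWN
        return 1
    elif [ -z "$out_if" ]; then
        echo INPUT
    else
        echo FORWARD
    fi
}

# Print the ufw rule form that would allow the logged packet:
# a plain "allow in on IF" for INPUT, a "route allow in on IF out on IF" for FORWARD.
ufw_rule_for_line() {
    in_if=$(ufw_log_field "$1" IN)
    out_if=$(ufw_log_field "$1" OUT)
    case "$(ufw_chain_for_line "$1")" in
        INPUT)   printf 'ufw allow in on %s\n' "$in_if" ;;
        FORWARD) printf 'ufw route allow in on %s out on %s\n' "$in_if" "$out_if" ;;
        *)       echo "no IN= interface found in log line"; return 1 ;;
    esac
}

# Constructed sample lines: one forwarded (as in the question), one destined to the host.
SAMPLE_FORWARD='[14674.950320] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.2 DST=54.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54263 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 '
SAMPLE_INPUT='[14680.000000] [UFW BLOCK] IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 '

# Demo: classify both sample lines and show the suggested rule for each.
for line in "$SAMPLE_FORWARD" "$SAMPLE_INPUT"; do
    printf '%s -> %s\n' "$(ufw_chain_for_line "$line")" "$(ufw_rule_for_line "$line")"
done
```

In practice you would feed it `journalctl -k | grep 'UFW BLOCK'` one line at a time; the point is that a line with a non-empty OUT= can never be matched by a plain `ufw allow in on wg0`, because that rule only reaches the INPUT chain.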