
I have successfully made a connection to wireguard through TCP using udp2raw.

The abstract is:

  My local MAC               Server Via TCP             Wireguard On the Server
127.0.0.1:3333 (UDP) <---> 52.55.198.100:70 (TCP) <----> 52.55.198.100:64731 (UDP)

And I connect to 127.0.0.1:3333 (via the wireguard client on MacOS) now and it works, well not exactly.

The thing is that it didn't work at first; I excluded the server's IP from AllowedIPs.

For this purpose I used:

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

For allowed ips I had:

::/0, 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 1.1.1.1/32, 1.0.0.1/32

Which is basically the default, excluding local IPs.

And in Disallowed IPs I added 52.55.198.100, and here was the end result:

0.0.0.0/3, 32.0.0.0/4, 48.0.0.0/6, 52.0.0.0/11, 52.32.0.0/12, 52.48.0.0/14, 52.52.0.0/15, 52.54.0.0/16, 52.55.0.0/17, 52.55.128.0/18, 52.55.192.0/22, 52.55.196.0/23, 52.55.198.0/26, 52.55.198.64/27, 52.55.198.96/30, 52.55.198.101/32, 52.55.198.102/31, 52.55.198.104/29, 52.55.198.112/28, 52.55.198.128/25, 52.55.199.0/24, 52.55.200.0/21, 52.55.208.0/20, 52.55.224.0/19, 52.56.0.0/13, 52.64.0.0/10, 52.128.0.0/9, 53.0.0.0/8, 54.0.0.0/7, 56.0.0.0/5, 64.0.0.0/2, 128.0.0.0/1, ::/0

And here's my client's whole config:

[Interface]
PrivateKey = Gsss
Address = 10.66.66.19/32, fd42:42:42::19/128
DNS = 1.1.1.1, 1.0.0.1
MTU = 1280

[Peer]
PublicKey = Lsss
PresharedKey = fsss
AllowedIPs = 0.0.0.0/3, 32.0.0.0/4, 48.0.0.0/6, 52.0.0.0/11, 52.32.0.0/12, 52.48.0.0/14, 52.52.0.0/15, 52.54.0.0/16, 52.55.0.0/17, 52.55.128.0/18, 52.55.192.0/22, 52.55.196.0/23, 52.55.198.0/26, 52.55.198.64/27, 52.55.198.96/30, 52.55.198.101/32, 52.55.198.102/31, 52.55.198.104/29, 52.55.198.112/28, 52.55.198.128/25, 52.55.199.0/24, 52.55.200.0/21, 52.55.208.0/20, 52.55.224.0/19, 52.56.0.0/13, 52.64.0.0/10, 52.128.0.0/9, 53.0.0.0/8, 54.0.0.0/7, 56.0.0.0/5, 64.0.0.0/2, 128.0.0.0/1, ::/0
Endpoint = 127.0.0.1:3333

It works.

The Problem

Well, everything works except that I can't access my server anymore when the VPN is on: SSH doesn't work, all the websites on the server won't load for me; basically I can't access anything on the server anymore as soon as I turn on the VPN.

One interesting point is that if I connect via SSH and then turn the VPN on, the session won't get disconnected and I can continue to use it; I can't open a new SSH session, however. I guess that's how this is connected, right? TCP port 70 got opened before this ran, and that's why it still works.

I think I probably should add a route to keep only 52.55.198.100:70 excluded, not everything else from the server as well (somehow keep this one address on my own interface (eth0) and everything else as usual through wg0).

I have two clients, a macOS one and an Ubuntu one; my main system is macOS, but I would love a solution that would work on Ubuntu as well.

If this can be solved from the server side I'm open to it as well! Actually, I'd prefer that so I don't have to deal with two clients, just one server.

Here are my firewall rules on the server (csf):

#!/bin/bash
# Original, narrower rule: masquerade only the VPN client subnet leaving ens192.
#/usr/sbin/iptables -t nat -A POSTROUTING -o ens192 -s 10.66.66.1/24 -j MASQUERADE

# NAT everything that leaves the internet-facing interface ens192.
/usr/sbin/iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
# Accept traffic arriving from the tunnel and forward it in both directions.
/usr/sbin/iptables -A INPUT -i wg0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i wg0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -o wg0 -j ACCEPT
# Stateful rules between the tunnel and ens192 (already covered by the two
# blanket FORWARD rules above, kept as posted).
/usr/sbin/iptables -A FORWARD -i wg0 -o ens192 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A FORWARD -i ens192 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT

--- Update

I think the answer is here: https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/#point-to-internet

But since I have access to macOS only right now, I can't test it.

# route public IP of Endpoint B through LAN gateway
PreUp = ip route add 203.0.113.2 via 192.168.1.1 dev eth0
PostDown = ip route del 203.0.113.2 via 192.168.1.1 dev eth0

What is the alternative to those ip commands on macOS?

I tried something like this:

route add -host 54.81.143.201 -interface en0

for the above, thanks to https://superuser.com/a/756146/1006908. It doesn't solve the problem: I just need port 70 (TCP) to be on interface en0, but it puts everything on it.

Workaround:

If I add the route, connect to WireGuard, then remove the route, everything including SSH and websites will work for me.

But it's obviously not sane, and it didn't work on Ubuntu at all.

Steve Moretz

1 Answer

You can simply expose the host network by adding 192.168.1.0/24 (or similar) to the AllowedIPs configuration of the client.

Then you can connect to your server and the rest of the host network using their private IPs without any problem. Note that traffic forwarding has to be enabled on the server:

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
rowman
  • Thank you for answering I didn't quite get it, are those PostUp PostDown supposed to be on the server or the client? Your answer is a little too advanced for me I don't really understand it. – Steve Moretz Dec 01 '22 at 13:51
  • @SteveMoretz put them in the server in the interface section in wg0.conf, they will do traffic forwarding for you in the server. In the client change AllowedIPs and disallow public ip of server. Find proper AllowedIPs string from the website that you had mentioned in your question. Also add host network to expose it to the client. Feel free to ask anything else – rowman Dec 02 '22 at 15:00
  • Well as I mentioned I have done this, but that won't let me connect to the server through the tunnel anymore and that's the issue, on ubuntu I could fix the issue by overriding some ports (other than the wireguard port) on the client side so those ports are still running in the tunnel but on MacOS there was no option to do such a thing – Steve Moretz Dec 02 '22 at 17:28
  • @SteveMoretz have you disallowed public ip of server and allowed private ip domain? I have similar setup and it works – rowman Dec 03 '22 at 18:47
  • I think the private ip is supposed to be this right? Address = 10.66.66.19/32, I have just allowed it and trying to connect to the server via its public ip doesn't work I get ERR_CONNECTION_TIMED_OUT and trying to connect on the private ip gives a different error for http://10.66.66.19:72/ I get ERR_CONNECTION_REFUSED – Steve Moretz Dec 03 '22 at 20:37
  • @SteveMoretz No, that is the ip address of virtual VPN network after connection is made. You need to use the real private IP address of your server inside the network. You can get it by running `ifconfig` on server terminal and look for the right network interface (`eth0` or similar). If the private IP of your network is 192.168.1.x where x is 1-255 for different computers on the network then use `192.168.1.0/24` in AllowedIPs. – rowman Dec 05 '22 at 06:26
  • Thanks for responding back the ifconfig on the server gives: https://gist.github.com/Stevemoretz/f706528e4dd42edc8fd6d6e2c1ceba7f and ens192 is in this case eth0 in your example, 6.8.198.252 but in the gist is the real ip not the private one, I'm sure ens192 is the interface that the internet is on it on the server, but in case I put all the other interfaces in the gist too from ifconfig output – Steve Moretz Dec 05 '22 at 08:04
  • @SteveMoretz if you put 6.8.198.224/27 inside AllowedIPs and disallow your server public ip, you can connect to the server using private as well as public ip. In addition, you can connect to any other computer which is inside your host network using their private IP 6.198.0.224-255. – rowman Dec 05 '22 at 13:34
  • Holy crap, it does work indeed where did 6.8.198.224/27 come from though?? my public ip was 6.8.198.252 I don't get where 224 and /27 came from? I still don't understand why this works – Steve Moretz Dec 05 '22 at 13:38
  • @SteveMoretz OK, good for you. 27 comes from your netmask. your Netmask is 255.255.255.224, which means 11111111.11111111.11111111.11100000. 27 times 1 is repeated. You can change the 0 position in the mask only which translates into ip range of 11100000-11111111 (224-255). Your server is 252, other computers in the network can use other numbers in the range. You can of course read more about this principle in the internet. – rowman Dec 05 '22 at 14:57
  • Thanks for that description awesome I got it. – Steve Moretz Dec 05 '22 at 19:47
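An added example, not from either post, for two things discussed in this thread: the "disallow this address" step of the AllowedIPs calculator linked in the question is set subtraction that WireGuard then resolves by longest-prefix match, and the /27 in the last comments is just the netmask 255.255.255.224 written as a prefix length. It uses only the Python standard library and the addresses quoted above; the function names are my own.

```python
"""Added example (not from either post): the set arithmetic behind the
AllowedIPs calculator linked in the question, plus the netmask-to-prefix
step from the comments.  Python standard library only."""
import ipaddress
from typing import Iterable, List, Optional


def allowed_ips(allowed: Iterable[str], disallowed: Iterable[str]) -> List[str]:
    """Networks in `allowed` minus `disallowed`, collapsed, IPv4 before IPv6.
    WireGuard picks the peer by longest-prefix match, so "everything except X"
    must be spelled out as the blocks left after X is cut out of 0.0.0.0/0."""
    remaining = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for item in disallowed:
        hole = ipaddress.ip_network(item, strict=False)
        kept = []
        for net in remaining:
            if net.version != hole.version or not net.overlaps(hole):
                kept.append(net)                        # untouched
            elif net.subnet_of(hole):
                continue                                # swallowed entirely
            else:
                kept.extend(net.address_exclude(hole))  # punch the hole out
        remaining = kept
    out: List[str] = []
    for version in (4, 6):
        same = (n for n in remaining if n.version == version)
        out += [str(n) for n in sorted(ipaddress.collapse_addresses(same))]
    return out


def host_network(address: str, netmask: str) -> str:
    """Address + dotted netmask (as ifconfig prints them) -> the LAN's CIDR
    block; 255.255.255.224 has 27 leading one bits, hence /27."""
    return str(ipaddress.ip_interface(f"{address}/{netmask}").network)


def tunnelled(address: str, allowed: Iterable[str]) -> Optional[str]:
    """Most specific AllowedIPs entry covering `address`, or None when the
    packet bypasses wg0 and leaves in the clear on the physical interface."""
    ip = ipaddress.ip_address(address)
    hits = [n for n in map(ipaddress.ip_network, allowed)
            if n.version == ip.version and ip in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


if __name__ == "__main__":
    # Only the udp2raw carrier address from the question is kept off wg0;
    # every other address, even 52.55.198.101 next door, still goes in.
    cfg = allowed_ips(["0.0.0.0/0", "::/0"], ["52.55.198.100/32"])
    print(", ".join(cfg), tunnelled("52.55.198.100", cfg), tunnelled("52.55.198.101", cfg))
    print(host_network("6.8.198.252", "255.255.255.224"))  # 6.8.198.224/27
```

Running it with the question's endpoint reproduces the 33-entry AllowedIPs list from the second calculator output above, and shows why an excluded address is unreachable through the tunnel: nothing in that list covers it.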