I would like to route my private IP traffic from a Fire TV (the device does not matter much; at the moment I'm testing with an Ubuntu VPN and WireGuard) over my private VPS server because of peering speed problems from my internet provider to Amazon Prime TV.
The setup is like that: PC (all traffic) > Router > Wireguard > VPS > Internet
I thought that setting up PiVPN should be the easiest way. I'm using firewalld and not ufw as PiVPN suggests. Because of that, this part of the auto-configuration does not work.
I used the wizard and transferred the config file to the client and set up wireguard on the client. I opened the udp port 51820 on the server and the wireguard connection is working (that part was easy). I can ping both endpoints of the tunnel from the client and the public ip of the server.
Furthermore I changed net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 and did the same for IPv6 with net.ipv6.conf.all.forwarding=1.
cat /proc/sys/net/ipv4/ip_forward
1
wg show
wg0
public key: <my key>
private key: (hidden)
listening port: 45706
fwmark: 0xca6c
peer: <my key>
preshared key: (hidden)
endpoint: <public server ip>:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 4 minutes, 37 seconds ago
transfer: 93.15 KiB received, 227.65 KiB sent
Ping on client to public server
ping <public server ip>
PING <public server ip> (<public server ip>) 56(84) bytes of data.
64 bytes from <public server ip>: icmp_seq=1 ttl=64 time=18.4 ms
Ping on client for own wireguard ip
ping 10.143.176.2
PING 10.143.176.2 (10.143.176.2) 56(84) bytes of data.
64 bytes from 10.143.176.2: icmp_seq=1 ttl=64 time=0.031 ms
Ping on client for server wireguard ip
ping 10.143.176.1
PING 10.143.176.1 (10.143.176.1) 56(84) bytes of data.
64 bytes from 10.143.176.1: icmp_seq=1 ttl=64 time=21.9 ms
Client config
[Interface]
PrivateKey = <my private key>
Address = 10.143.176.2/24,fd11:5ee:bad:c0de::2/64
DNS = 9.9.9.9, 149.112.112.112
[Peer]
PublicKey = <my public key>
PresharedKey = <pre shared key>
Endpoint = <myserverip>:51820
AllowedIPs = 0.0.0.0/0, ::0/0
Server config
[Interface]
PrivateKey = <myprivate key>
Address = 10.143.176.1/24,fd11:5ee:bad:c0de::1/64
MTU = 1420
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
### begin firetv ###
[Peer]
PublicKey = <my public key>
PresharedKey = <my preshared key>
AllowedIPs = 10.143.176.2/32,fd11:5ee:bad:c0de::2/128
### end firetv ###
Output on server when starting that up:
wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.143.176.1/24 dev wg0
[#] ip -6 address add fd11:5ee:bad:c0de::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
What I can't get working is the forwarding from the server tunnel endpoint to the internet. The first thing is that most guides seem to use iptables and/or UFW. UFW is deactivated on my server, but iptables is active and there are entries which are partially created by firewalld (which I'm using) and partially by tools which are directly accessing iptables - not sure if that is causing problems. I also tried to deactivate firewalld temporarily, but that did not help.
Iptables:
sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 161K packets, 205M bytes)
pkts bytes target prot opt in out source destination
20 1296 ACCEPT all -- * * 10.143.176.0/24 0.0.0.0/0 /* wireguard subnet */
0 0 ACCEPT all -- * * 0.0.0.0/0 10.143.176.0/24 /* wireguard subnet */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
677 45957 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
677 45957 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
677 45957 ACCEPT all -- wg0 ens18 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0 /* wireguard subnet */
0 0 ACCEPT all -- * * 10.143.176.0/24 0.0.0.0/0 /* wireguard subnet */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
677 45957 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
677 45957 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
I would assume there are even too many rules; in my understanding, for my purpose these two are not needed:
0 0 ACCEPT all -- * * 0.0.0.0/0 10.143.176.0/24 /* wireguard subnet */
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0 /* wireguard subnet */
firewalld zones:
mywg: interface wg0
mysite:
sudo firewall-cmd --zone=mysite --add-rich-rule='rule family="ipv4" source address="10.143.176.0/24" masquerade'
sudo firewall-cmd --zone=mysite --add-source=/32
UDP port 51820 open
Direct rules:
ipv4 filter forward -o wg0 -j ACCEPT -m comment --comment 'wireguard subnet'
ipv4 filter forward -i wg0 -o ens18 -j ACCEPT
ipv4 filter forward -s 10.143.176.0/24 -j ACCEPT -m comment --comment 'wireguard subnet'
ipv4 filter input -s 10.143.176.0/24 -j ACCEPT -m comment --comment 'wireguard subnet'
ipv4 filter input -d 10.143.176.0/24 -j ACCEPT -m comment --comment 'wireguard subnet'
sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 5482 packets, 1423K bytes)
pkts bytes target prot opt in out source destination
809 43992 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2410 packets, 170K bytes)
pkts bytes target prot opt in out source destination
1329 81808 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 2410 packets, 170K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
PiVPN config file (not sure if that matters; after the initial setup it should not be relevant):
PLAT=Ubuntu
OSCN=jammy
USING_UFW=0
IPv4dev=ens18
IPv6dev=ens18
install_user=admin
install_home=/home/admin
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=9.9.9.9
pivpnDNS2=149.112.112.112
pivpnHOST=<my vpn public ip>
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.143.176.0
subnetClass=24
pivpnenableipv6=1
pivpnNETv6="fd11:5ee:bad:c0de::"
subnetClassv6=64
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=(grepcidr qrencode)
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=1
Any help would be appreciated.
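As an added diagnostic (not code from the original post or from PiVPN), a small parser over the `sudo iptables -L -v -n -t nat` output quoted above that checks whether the POSTROUTING chain source-NATs the WireGuard subnet on its way out of ens18, which is what the `-o ens18 -j MASQUERADE` part of the PostUp line is meant to add. On the chain as posted it reports the rule as missing; on a constructed copy with that rule present it reports it found.

```python
"""Check an `iptables -t nat -L -v -n` dump for a WireGuard gateway's NAT rule (added example)."""
import ipaddress

# Constructed copy of the nat POSTROUTING chain quoted in the post: only Docker's rule.
NAT_DUMP = """\
Chain POSTROUTING (policy ACCEPT 2410 packets, 170K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
"""
# Same chain after the PostUp rule `-o ens18 -j MASQUERADE` has actually landed (constructed).
NAT_DUMP_FIXED = NAT_DUMP.replace(
    "Chain DOCKER (2 references)",
    "    0     0 MASQUERADE all  --  *      ens18   0.0.0.0/0            0.0.0.0/0\n"
    "Chain DOCKER (2 references)")

def parse_chain(dump, chain):
    """Return the rules of one chain as dicts (target, in, out, src, dst)."""
    rules, in_chain = [], False
    for line in dump.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        f = line.split()
        if not in_chain or len(f) < 9 or not f[0].isdigit():  # header line or other chain
            continue
        rules.append({"target": f[2], "in": f[5], "out": f[6], "src": f[7], "dst": f[8]})
    return rules

def iface_matches(rule_iface, iface):
    """iptables interface syntax: '*' is any interface, '!x' is anything but x."""
    if rule_iface == "*":
        return True
    if rule_iface.startswith("!"):
        return rule_iface[1:] != iface
    return rule_iface == iface

def has_wg_masquerade(dump, wg_net="10.143.176.0/24", wan_if="ens18"):
    """True if POSTROUTING source-NATs the WireGuard subnet as it leaves wan_if."""
    net = ipaddress.ip_network(wg_net)
    for r in parse_chain(dump, "POSTROUTING"):
        if (r["target"] in ("MASQUERADE", "SNAT") and iface_matches(r["out"], wan_if)
                and net.subnet_of(ipaddress.ip_network(r["src"]))):
            return True
    return False

if __name__ == "__main__":
    for name, dump in (("as posted", NAT_DUMP), ("with ens18 rule", NAT_DUMP_FIXED)):
        print(f"{name}: WireGuard MASQUERADE present = {has_wg_masquerade(dump)}")
```

One caveat: firewalld with its nftables backend keeps its own rules (including the masquerade rich rule on the mysite zone) in a separate nft table that `iptables -L` does not display, so confirm with `nft list ruleset` before concluding that the NAT rule is absent.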