Wireguard VPN Routing

Hello,

I have recently bought a GL-SFT1200 (Opal) travel router and am so far loving it. However, I have one issue that I need to rectify. The reason I bought this travel router is that I have a remote cabin uplinked with a satellite Internet connection. Due to some recent activity we would like to keep track of the items on the property. Hence, we installed a security camera, connected by wire to one of the Opal’s LAN ports, which works successfully locally. However, the uplink we have does not allow us to open ports through their firewall; essentially we are double NAT’d or CGNAT’d. I configured the router to be a client to a WireGuard VPN server back at the main residence and it works great. The issue is I need to figure out how to open a port or add a static route so that traffic destined to its internal WireGuard IP address can route to the camera, or route to it on a port number. I tried looking for this and could not find a solution. I can do OpenVPN also; I just started with WireGuard because of its faster speeds. I also don’t think I can do the cloud option as it would require an open port.

If you need any more context let me know.

Thanks.

I do think it is a question of the server.
By default, most implementations I’ve seen keep the WireGuard clients separated. If you want to communicate between the WireGuard clients, inside the tunnel, you need to allow it on the server side.

As far as I can read, you are using an Opal as client, but how is the server side provided?

Thanks so much for getting back to me!
I used the PiVPN script to set it up. It’s just a standard WireGuard setup, nothing special. Here is the configuration I am using to connect the client (Opal) router to the server:

[Interface]
PrivateKey = REDACTED
Address = 10.137.208.3/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
Endpoint = REDACTED
AllowedIPs = 0.0.0.0/0, ::0/0

Yeah. Big issue here at my side.
I’ve used some script → worked.
Now I am about to set it up by myself, and I am learning new things every day.

The main issue with most scripts I’ve seen: they are outdated. Some of them got some wrapper around, so it seems to work.

I think it is an issue with the routing (take a look at PostUp and PostDown in /etc/wireguard/wg0.conf). Yesterday I learned that iptables is now nftables since Debian 10. I’m still about to understand writing the rules.
I got a connection, but no traffic will be routed. Maybe at the end of this week I can tell more :slight_smile:

edit: I’ve used the linked script on ubuntu/jammy. My own server is a Debian 11.3 … I do think this is also a reason why it is harder to achieve.

Yeah, I know, I used a script, so bad of me! Let me look at those and I will report back.

Ok, I see there is no routing at all listed under Interface.

Under the Interface tab I added these two lines:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I assume that will add my routing, so now I have to figure out how to have that route through the Opal router and hit the device connected to it.

It could be helpful to know what OS you installed the server on. Debian behaves a little differently from Ubuntu. I would say Ubuntu is easier to start with, but Debian is much clearer to analyse.
It even works virtualized as LXC; just mount /dev/net/tun from the host into the container.

I found my error. Okay, some errors. Here is the actual working configuration:

root@walter01:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:51820

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.7.0.0/24          anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@walter01:~# ip r
default via 192.168.21.1 dev eth0 onlink 
10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.1 
192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.51 

192.168.21.0/24 is my home net
192.168.21.51 is my WireGuard ‘Server’

The server configuration

root@walter01:~# cat /etc/wireguard/wg0.conf 
# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT vpn.mydomain.net

[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = UGHxxxxx
ListenPort = 51820

# BEGIN_PEER amy
[Peer]
PublicKey = hI8xxxxx
PresharedKey = Ew7xxxxx
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER amy

The client configuration

root@walter01:~# cat amy.conf 
[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = 192.168.21.53
PrivateKey = 4P8xxxxxx

[Peer]
PublicKey = UlExxxxxx
PresharedKey = Ew7xxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.mydomain.net:51820
PersistentKeepalive = 25

192.168.21.53 is my own DNS (PiHole).

As far as I understand, AllowedIPs = 0.0.0.0/0 will send all traffic over the tunnel, so I don’t need to specify my network.
If you’d like to have the normal traffic over the normal net and only your site over the tunnel, you can specify a host or net here.

Now I will rewrite the iptables rules to nftables …

Sorry, I missed that point. It’s an LXC container of Ubuntu Server 20.04 LTS. Let me check on this.

If you put these lines just in the shell, does it work? Maybe one by one:

:~# iptables -A FORWARD -i wg0 -j ACCEPT
:~# iptables -A FORWARD -o wg0 -j ACCEPT
:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(wg0 should exist; see ip a)

It was the first time I started to wonder about iptables/nftables; there were some errors.

Yeah, currently I have absolutely no routes, so let me try this.

Is /dev/net/tun available in the Ubuntu container? (host in the first edit was wrong)

Oddly, no, it isn’t available.

EDIT: But doesn’t that only pertain to OpenVPN?

https://pve.proxmox.com/wiki/OpenVPN_in_LXC
This howto helped me a lot. It should even work without Proxmox.

Stop container.

Search for the [container].conf (e.g. /etc/pve/lxc/123.conf)

add:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Allow access to the file at the host:
:~# chown 100000:100000 /dev/net/tun

Start container.

I’m not sure if /dev/net/tun was available inside the container or if I needed to create it:

:~# mkdir -p /dev/net
:~# touch /dev/net/tun

I can’t answer this in detail now. I only know that before it didn’t work for me, and afterwards it worked …

Edit: Maybe the TUN device is linked to the BoringTun from https://raw.githubusercontent.com/Nyr/wireguard-install/master/wireguard-install.sh

On a different note, if I redid everything and got everything routed, how would I allow a device behind the Opal router (it’s connected with VPN policies so only that device can use the VPN) to be port forwarded through?

Example: User → Server Hosting VPN tunnel → VPN Tunnel → Opal Router → Device that needs to be accessed

EDIT: I have to edit posts now since I am a new user I can’t reply anymore.

Did some testing:

WireGuard does not support a mesh setup by default, i.e. letting the clients ping each other. To achieve that, you need to let the clients know each other by public key. This is achieved in our GoodCloud S2S solution.

OpenVPN should be fine.

Yeah, I can’t use GoodCloud S2S as I can’t forward any ports on one side. I wish I could, but I can’t.

So if I changed to OpenVPN, how would I port forward a device to go through the firewall and be accessed on the OpenVPN connection?

Example: User → Server Hosting VPN tunnel → VPN Tunnel → Opal Router → Device that needs to be accessed
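To show why the device behind the Opal (asked about here and in the earlier "port forwarded through" post) is only reachable once the Opal's LAN prefix is listed in that peer's AllowedIPs on the server, here is an added Python model of WireGuard's cryptokey routing; it is not code from this thread, GL.iNet or PiVPN. It assumes a constructed LAN of 192.168.8.0/24 behind the Opal with the camera at 192.168.8.20, and it does not cover the ip_forward and FORWARD/MASQUERADE rules the Opal itself also needs.

```python
# Added illustration, not code from this thread, GL.iNet or PiVPN. Models
# WireGuard's cryptokey routing: a packet leaving the interface goes to the one
# peer whose AllowedIPs contains the destination (longest prefix wins), and a
# packet arriving from a peer is dropped unless its SOURCE also maps to that peer.
# Assumed (constructed) values: Opal LAN 192.168.8.0/24, camera 192.168.8.20.
import ipaddress


class CryptokeyTable:
    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add_peer(self, peer, allowed_ips):
        """Register an AllowedIPs value exactly as written in a [Peer] section."""
        for item in allowed_ips.split(","):
            net = ipaddress.ip_network(item.strip(), strict=False)
            owner = self.routes.get(net)
            if owner is not None and owner != peer:
                # WireGuard itself silently moves the prefix to the newest peer;
                # refusing here makes the overlap visible instead.
                raise ValueError(f"{net} already belongs to peer {owner}")
            self.routes[net] = peer

    def egress_peer(self, dst):
        """Peer that receives a packet for dst, or None (packet is dropped)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.routes.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accepts_from(self, peer, src):
        """Ingress check: packets whose source maps to another peer are dropped."""
        return self.egress_peer(src) == peer


def camera_reachable(server_allowed_ips_for_opal):
    """Server-side view of the OP's setup, the Opal being one peer of wg0.
    Returns (server can send to camera, server accepts replies from camera)."""
    table = CryptokeyTable()
    table.add_peer("opal", server_allowed_ips_for_opal)
    camera = "192.168.8.20"
    return (table.egress_peer(camera) == "opal", table.accepts_from("opal", camera))


if __name__ == "__main__":
    print(camera_reachable("10.137.208.3/32"))                  # (False, False)
    print(camera_reachable("10.137.208.3/32, 192.168.8.0/24"))  # (True, True)
```

The same table is why the client side's AllowedIPs = 0.0.0.0/0, ::0/0 sends everything to the server peer, and why each prefix may belong to only one peer on the server.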