Wrong iptables for wg, accessing server's IP

Some additions to my last messages here:

Doing more research, I noticed a serious bug regarding the firewall:
Trying to access my email (POP) server, which is also on the wg server, I noticed the following wrong rules:
The first rule is already wrong:
Thu Jun 30 15:52:27 2022 kern.warn kernel: [454382.914405] TRACE: mangle:FORWARD:rule:5 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=my.wg.server.ip LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6125 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030201010402) MARK=0xe3f00

Last rule:
Thu Jun 30 15:52:30 2022 kern.warn kernel: [454385.969623] TRACE: filter:ROUTE_POLICY:rule:1 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=my.wg.server.ip LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6156 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030201010402) MARK=0xe3f00

THIS DOES NOT WORK. Packets to the wg server's public address cannot be routed through the tunnel. They must go outside the wg tunnel. As I wrote in the linked thread, this is only noticed when VPN policies are used.

Any comments from GLi? At least a confirmation of the bug would be appreciated. I think I gave sufficient, detailed info. Reproducing the bug should be easy.
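As an added example (not from the original poster and not GL.iNet code): a small script that scans iptables TRACE lines for exactly the symptom shown above, packets whose DST is the wg server's public address but whose OUT interface is the tunnel itself. The sample lines are constructed in the format of the post; 203.0.113.10 stands in for my.wg.server.ip and the MAC addresses are dummies, all assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from GL.iNet): scan iptables TRACE
# output for packets addressed to the WireGuard server's public IP that the
# router is about to send into the tunnel itself (OUT=wg0). Such packets can
# never work: the tunnel's own outer packets must leave via the WAN.
#
# Assumptions: 203.0.113.10 stands in for "my.wg.server.ip", the MACs are
# dummies, and the sample lines below are constructed in the format the post shows.

WG_SERVER_IP="203.0.113.10"
WG_IFACE="wg0"

# Constructed sample of `iptables -t raw ... -j TRACE` output as seen in logread/dmesg.
SAMPLE_TRACE='Thu Jun 30 15:52:27 2022 kern.warn kernel: [454382.914405] TRACE: mangle:FORWARD:rule:5 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6125 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0xe3f00
Thu Jun 30 15:52:28 2022 kern.warn kernel: [454383.101200] TRACE: filter:FORWARD:rule:2 IN=br-lan OUT=eth0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6130 DF PROTO=TCP SPT=50870 DPT=443 SEQ=11 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x0
Thu Jun 30 15:52:30 2022 kern.warn kernel: [454385.969623] TRACE: filter:ROUTE_POLICY:rule:1 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6156 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0xe3f00'

# misrouted_packets SERVER_IP WG_IFACE   (trace lines on stdin)
# Prints "table:chain:rule SRC:SPT -> DST:DPT MARK" for every packet that is
# destined for the server's public IP but is being sent out of the tunnel interface.
misrouted_packets() {
    awk -v ip="$1" -v wg="$2" '
        /TRACE:/ {
            split("", f)                      # clear the key=value map for this line
            loc = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "TRACE:") loc = $(i + 1)          # e.g. mangle:FORWARD:rule:5
                else if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            }
            if (f["OUT"] == wg && f["DST"] == ip)
                printf "%s %s:%s -> %s:%s %s\n", loc, f["SRC"], f["SPT"], f["DST"], f["DPT"], f["MARK"]
        }'
}

# misrouted_count SERVER_IP WG_IFACE   (trace lines on stdin)  -> number of hits
misrouted_count() {
    misrouted_packets "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On the router itself:
#   logread | misrouted_packets my.wg.server.ip wg0
printf '%s\n' "$SAMPLE_TRACE" | misrouted_packets "$WG_SERVER_IP" "$WG_IFACE"
```

Any hit from this scan means the policy routing is sending the tunnel's own endpoint traffic into the tunnel; a correct setup returns nothing, because the server's public IP should only ever appear with the WAN interface as OUT.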

I think this exists regardless of the VPN policy. When you connect to the wg server, you cannot access the public IP of the server from the wg tunnel.

Can you help double-confirm that this relates to the VPN policy?

I have no problem when vpn_policy is switched off. When I switch on the following policy, I cannot access my wg server.

I'm running into the same thing, and also found it is irrespective of whether VPN policy is enabled.

It does not need VPN policy: when the WireGuard client connects to the WireGuard server OK,

the WireGuard client's packets can reach the WireGuard server.

as:

  1. wg server, IP is 10.0.0.1
  2. wg client, IP is 10.0.0.2

On the WireGuard client router, ping 10.0.0.1 and check whether there is a response; if not, the WireGuard server router is not accepting the packets from 10.0.0.2.

So on the WireGuard server router, configure the firewall to accept the packets. If the WireGuard server network interface is wg0,

you can execute the command:

iptables -I INPUT -i wg0 -j ACCEPT

Now the WireGuard server network interface "wg0" accepts the packets.

On the WireGuard client, execute:

ping 10.0.0.1

You get a response; ping is OK.
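As an added example, not GL.iNet firmware code and not from the reply above: a dry-run script with the two pieces the thread points at. On the server side it is the INPUT rule from the reply, narrowed to the tunnel subnet and the POP3 port from the first post instead of accepting everything arriving on wg0; on the client side it is a policy rule that keeps traffic for the endpoint's public address out of the tunnel. The interface names, the 203.0.113.10 endpoint, the 10.0.0.0/24 tunnel subnet, and the use of `ip rule ... lookup main pref 100` to pre-empt the firmware's own VPN-policy rules are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example, not GL.iNet firmware code. Two pieces implied by the thread:
#  (1) server side: accept tunnel traffic on INPUT, narrower than the blanket
#      `iptables -I INPUT -i wg0 -j ACCEPT` from the reply;
#  (2) client side: keep packets for the server's public IP out of wg0 by giving
#      them a policy rule that is evaluated before the VPN-policy (fwmark) rules.
# Assumptions: interface names, 203.0.113.10 as the server's public IP, the
# 10.0.0.0/24 tunnel subnet (10.0.0.1 server / 10.0.0.2 client as in the reply),
# and pref 100 being lower than the firmware's own rule preferences.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN="${DRY_RUN:-1}"
WG_IFACE="wg0"
WG_SUBNET="10.0.0.0/24"
WG_ENDPOINT_IP="203.0.113.10"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# (1) On the WireGuard server: allow replies, ping and POP3 (TCP/110, the
#     service from the first post) from the tunnel subnet only.
server_input_rules() {
    run iptables -I INPUT -i "$WG_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT -i "$WG_IFACE" -s "$WG_SUBNET" -p icmp -j ACCEPT
    run iptables -I INPUT -i "$WG_IFACE" -s "$WG_SUBNET" -p tcp --dport 110 -j ACCEPT
}

# (2) On the client router: consult the main table (which holds the WAN default
#     route) for the endpoint before any fwmark-based VPN-policy rule is reached.
client_bypass_rules() {
    run ip rule add to "$WG_ENDPOINT_IP/32" lookup main pref 100
}

# route_dev: read `ip route get <ip>` output on stdin and print the chosen device,
# so the effect of (2) can be checked: it must not be the tunnel interface.
route_dev() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# endpoint_leaves_tunnel: returns 0 when the kernel would send to the endpoint via
# something other than wg0 (needs `ip`, i.e. run this on the router itself).
endpoint_leaves_tunnel() {
    dev="$(ip route get "$WG_ENDPOINT_IP" 2>/dev/null | route_dev)"
    [ -n "$dev" ] && [ "$dev" != "$WG_IFACE" ]
}

server_input_rules
client_bypass_rules
```

Run it with DRY_RUN=1 first and read the printed commands; rules added this way by hand are lost on reboot or firewall reload, so on an OpenWrt-based router they belong in the firmware's persistent firewall hooks (for iptables-era OpenWrt, /etc/firewall.user) once verified with `ip route get` and `endpoint_leaves_tunnel`.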