Configuring my Wireguard Server to redirect incoming traffic

I am OK with using Linux; most of my networking is done through pfSense, and I have been hitting my head against this wall for most of the day.

At home I have a dynamic IP and would like a static IP for a few projects so I have set up a Wireguard server in Linode with a static IP. For outgoing connections from my network to websites this works wonderfully.

My issue is with incoming connections. I have a few services which I would like to leave with a static IP, and I cannot for the life of me find a solution to do the below:

Wireguard server > PFsense > webserver

I have tested from PFsense to the web server and that works but I can’t seem to get the traffic from Wireguard to PFsense.

Does anyone have any experience with this kind of config?

Welcome!

… so, it’s kind of hard to tell without more info… people commonly forget what gets routed are packets not connections… and connections require packets going in both directions.

if you curl -v --connect-to www.mywebsite.com:443:123.123.123.123:443 https://www.mywebsite.com

where 123.123.123.123 is your public linode ip

You can then run tcpdump on Linode and/or on pfSense to check your port forwarding and firewall rules - and see where the packets are getting lost.

If your reply packets aren’t going over WireGuard towards Linode, then it’s likely that you’re not marking connections in pfSense properly on ingress, and so reply packets are just getting NAT-ed to your ISP-provided IP address and are getting dropped before reaching Linode.

(anyway, that’s my guess, … please test what happens with the initial SYN / SYN,ACK packets, and make sure they’re traveling along expected links)


Hey there and welcome to the forum :smiley:

For this to work, you’ll need to do some stuff manually.

First, make sure you are able to access your webserver from within your Linode by allowing access to the server on the WireGuard VPN and in the firewall part of pfSense.

Then you need to add a masquerade / port forward option for anything that comes in on port 80 and 443. That you can do with iptables and the PreUp part of the WireGuard config on the server. Hope this gives you a small outline of what to do!

EDIT: Dammit @risk was faster :stuck_out_tongue:

Is there any way you can post sanitized configs from the WireGuard Linode server?

My guess is “allowed ips” is not pointing correctly.

@PhaseLockedLoop The Legend has some guides on configuring WireGuard as well that may help troubleshoot.


I’m gonna second this.

:expressionless:

OK, sharing my config below. I’m trying to test with my Plex server; I just want to verify this end is set up correctly first.

The Plex server is at 10.0.6.7 on my local network.

This WireGuard connection is set up as a gateway on my pfSense router with the gateway IP of 10.1.0.2, and this is set up to forward traffic to the Plex server like my normal Plex forwarding rule.

Here is my wg conf, minus my keys:


[Interface]
Address = 10.1.0.1/24
ListenPort = 51830
PrivateKey = 
PostUp = /etc/wireguard/up.sh
PostDown = /etc/wireguard/down.sh

[Peer]
PublicKey = 
AllowedIPs = 10.1.0.2/24
PersistentKeepAlive = 25

And my PostUp script:

#!/bin/bash
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 32400 -m conntrack --ct>
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED ->
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED ->
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to-destina>
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -P FORWARD DROP

Can you indulge me and try adding

iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

right underneath the line above, and restart wireguard on Linode.

Do you happen to have any firewall rules left over that prevent traffic to/from private IP address ranges in pfSense? IIRC it comes with some RFC 1918 / bogon filters in the default install.


Thank you, good sir, this resolved the issue I was banging my head against all day yesterday!


Hmm, if that worked then it’s either Allowed IPs on the pfSense WireGuard interface, or you’re missing reply-to in the pfSense forwarding rules.

… or both.

Allowed IPs for the peer in pfSense are set to 0.0.0.0/0, and "disable reply-to" is currently not enabled on the FW.

So what’s this then, is this on Linode?

When you’re testing, are you trying to access Plex from Linode, or from e.g. your phone or some other random internet IP?


This basically means that incoming packets with a destination IP outside of that range wouldn’t show up coming out of the WireGuard interface.

This IP is the IP of the gateway of my pfSense router. I was testing with my phone on 4G.

… and I assume you’re asking pfSense to NAT stuff coming from Plex going out over WireGuard?

Yes, it port forwards with NAT to the server where Plex is.

Could you try adding your internal IPv4 addresses to that?

i.e.

[Peer]
PublicKey = 
AllowedIPs = 10.1.0.2/24, 192.168.100.0/24
PersistentKeepAlive = 25

I could, but I would prefer this connection to function like an internet connection, where the traffic comes into pfSense and that does the internal routing of the traffic.

Then do the specific IPs of the server you want to go outbound. Without it in the list, it doesn’t talk.

Can I ask why you would like me to do this?

Allowed IPs goes both ways. If the IP you want accessing out isn’t in the list, the packet isn’t accepted.

This issue was solved earlier with the below line:

iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
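To show why the MASQUERADE on wg0 from the earlier reply fixes the asymmetric return path, and why the later remark that AllowedIPs "goes both ways" matters, here is an added simulation (not code from the thread) that walks one Plex request and its reply through the DNAT and cryptokey-routing steps. It assumes the cut-off DNAT line targets 10.1.0.2 and uses a constructed 4G client address.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread; the phone's 4G address is constructed (TEST-NET-3).
LINODE_PUBLIC, WG_SERVER, WG_PFSENSE = "123.123.123.123", "10.1.0.1", "10.1.0.2"
PLEX, PLEX_PORT, CLIENT = "10.0.6.7", 32400, "203.0.113.5"
WG_NET = ipaddress.ip_network("10.1.0.0/24")  # pfSense's route to the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_allowed_ips(addr, allowed):
    """WireGuard cryptokey routing: a packet arriving from a peer is accepted only
    if its source lies inside that peer's AllowedIPs (host bits are masked off)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


def trace_plex_request(masquerade_wg0, allowed=("10.1.0.2/24",)):
    """Follow one SYN from CLIENT to the Linode public IP on PLEX_PORT and its
    SYN/ACK back. Returns 'delivered' or a string naming where the reply is lost."""
    pkt = Packet(CLIENT, LINODE_PUBLIC)
    # Linode PREROUTING DNAT for --dport 32400: hand the packet to pfSense's tunnel
    # address (assumed --to-destination; that line is truncated in the posted script).
    pkt = replace(pkt, dst=WG_PFSENSE)
    # Linode POSTROUTING on wg0: with MASQUERADE the source becomes the tunnel IP.
    if masquerade_wg0:
        pkt = replace(pkt, src=WG_SERVER)
    # pfSense port-forwards to Plex; Plex answers and pfSense undoes its own DNAT,
    # so the reply leaves pfSense from 10.1.0.2 towards whatever source it saw.
    reply = Packet(WG_PFSENSE, pkt.src)
    # Without reply-to, pfSense routes the reply by destination only: tunnel
    # addresses go back over wg, anything else takes the ISP default route.
    if ipaddress.ip_address(reply.dst) not in WG_NET:
        return "lost: reply routed out the ISP WAN, never reaches Linode"
    # Back on Linode, wg0 ingress applies cryptokey routing to the reply's source.
    if not in_allowed_ips(reply.src, allowed):
        return "lost: reply source not in AllowedIPs on Linode"
    # conntrack reverses both NAT steps so the client sees the public IP answer.
    if masquerade_wg0:
        reply = replace(reply, dst=CLIENT)
    reply = replace(reply, src=LINODE_PUBLIC)
    return "delivered" if reply == Packet(LINODE_PUBLIC, CLIENT) else "lost"
```

Run `trace_plex_request(False)` to see the reply leak out the ISP WAN, and `trace_plex_request(True)` to see the masqueraded flow complete; `in_allowed_ips` shows which LAN sources Linode would accept from the pfSense peer.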