# Kernel IPv4 forwarding is already enabled (prints 1), so routing between the
# secondary NIC and wg-mullvad is not blocked at the sysctl level; what remains
# is the nftables forward filtering and the missing source NAT in the nat chain.
sysctl -n net.ipv4.ip_forward
1
# Mullvad app's main filter table (inet = IPv4 and IPv6 in one table).
# The output, input and forward hooks all default to drop; the rules below only
# open loopback, split-tunnel flows (ct mark 0xf41), DHCP, NTP to the VPN server,
# DNS to the tunnel resolver, the tunnel interface itself, and local networks.
# NOTE(review): the app regenerates its own tables on (re)connect, so hand edits
# here are likely to be overwritten -- confirm before relying on them.
table inet mullvad {
# Early marking (priority -199, before conntrack-dependent filtering): replies to
# split-tunnel flows arriving on a non-tunnel interface, and NTP replies from the
# VPN server, get packet mark 0x6d6f6c65 -- presumably consumed by a policy-routing
# rule that is not shown here.
chain prerouting {
type filter hook prerouting priority -199; policy accept;
iif != "wg-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
ip saddr mullvad_server_ip udp sport 123 meta mark set 0x6d6f6c65
}
# Locally generated traffic from desktop 1 itself.
chain output {
type filter hook output priority filter; policy drop;
oif "lo" accept
ct mark 0x00000f41 accept
# DHCP discover/request broadcast from the client side.
udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
# NTP to the VPN server is only allowed when carrying the bypass mark.
ip daddr mullvad_server_ip udp dport 123 meta mark 0x6d6f6c65 accept
# DNS is only permitted to wireguard_ip through the tunnel; any other DNS,
# including DNS to a third-party resolver over the tunnel, is rejected below.
oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
udp dport 53 reject
tcp dport 53 reject with tcp reset
# Everything else may enter the tunnel.
oif "wg-mullvad" accept
# These destinations are allowed on ANY interface, i.e. outside the tunnel
# (presumably the app's local-network-sharing option) -- this is what lets
# desktop 1 talk to 192.168.1.2 on the secondary NIC directly.
ip daddr 10.0.0.0/8 accept
ip daddr 172.16.0.0/12 accept
ip daddr 192.168.0.0/16 accept
ip daddr 169.254.0.0/16 accept
ip daddr 255.255.255.255 accept
ip daddr 224.0.0.0/24 accept
ip daddr 239.0.0.0/8 accept
# DHCP server -> client replies (if this host serves DHCP).
udp sport 67 udp dport 68 accept
reject
}
# Traffic addressed to desktop 1 itself.
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept
ct mark 0x00000f41 accept
udp sport 67 udp dport 68 accept
ip saddr mullvad_server_ip udp sport 123 ct state established accept
iif "wg-mullvad" accept
# Packets for our tunnel address that did NOT arrive on wg-mullvad (those were
# accepted just above) are dropped before the local-network accepts below.
ip daddr our_client_wireguard_ip drop
# Inbound from private/link-local ranges on any interface. This is why the
# nginx test from 192.168.1.2 already works, and why desktop 2's DNS/DHCP
# requests can reach services running on desktop 1.
ip saddr 10.0.0.0/8 accept
ip saddr 172.16.0.0/12 accept
ip saddr 192.168.0.0/16 accept
ip saddr 169.254.0.0/16 accept
udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
}
# Routed traffic, e.g. from desktop 2 via the secondary NIC. Same DNS policy as
# the output chain: forwarded DNS is accepted only toward wireguard_ip over the
# tunnel; DNS to any other resolver is rejected. Desktop 2 therefore has to use
# wireguard_ip as its resolver (or be redirected to it) for name resolution.
chain forward {
type filter hook forward priority filter; policy drop;
udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
udp sport 67 udp dport 68 accept
oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
udp dport 53 reject
tcp dport 53 reject with tcp reset
# Anything forwarded into the tunnel is accepted; replies out of the tunnel are
# let back only when conntrack already knows the flow.
oif "wg-mullvad" accept
iif "wg-mullvad" ct state established accept
# Forwarding to local ranges is allowed on any interface, so desktop 2 can also
# reach any other 10/8, 172.16/12 or 192.168/16 network desktop 1 is attached
# to, outside the tunnel -- keep this in mind if that is not intended.
ip daddr 10.0.0.0/8 accept
ip daddr 172.16.0.0/12 accept
ip daddr 192.168.0.0/16 accept
ip daddr 169.254.0.0/16 accept
ip daddr 255.255.255.255 accept
ip daddr 224.0.0.0/24 accept
ip daddr 239.0.0.0/8 accept
# NOTE(review): this chain only filters; it never rewrites the source address.
# Packets from 192.168.1.2 leave wg-mullvad with their LAN source unless a
# postrouting masquerade rule covers them -- the nat chain in table ip
# mullvadmangle4 currently masquerades only ct-mark 0xf41 (split-tunnel) flows.
reject
}
}
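# Mullvad app's IPv4 mangle/NAT table. The mangle chain marks split-tunnel
# (cgroup-excluded) traffic; the nat chain masquerades those flows on every
# non-loopback interface except the tunnel, and -- added here -- masquerades
# desktop 2's LAN traffic into the tunnel.
# NOTE(review): the app rebuilds its own tables on (re)connect, so the added
# LAN rule may be lost; if it is, put the identical nat chain (hook postrouting,
# priority srcnat) in a separate table of your own instead -- confirm against
# the app's behaviour.
table ip mullvadmangle4 {
# Route-hook output chain: routing is re-evaluated after marking. DNS to the
# tunnel resolver is left unmarked; everything else from the excluded cgroup
# gets ct mark 0xf41 and packet mark 0x6d6f6c65.
chain mangle {
type route hook output priority mangle; policy accept;
oif "wg-mullvad" udp dport 53 ip daddr wireguard_ip accept
oif "wg-mullvad" tcp dport 53 ip daddr wireguard_ip accept
meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
chain nat {
type nat hook postrouting priority srcnat; policy accept;
# Split-tunnel flows must never enter the tunnel; on any other interface
# (except loopback) they are source-NATed to that interface's address.
oif "wg-mullvad" ct mark 0x00000f41 drop
oif != "lo" ct mark 0x00000f41 masquerade
# Added: source-NAT desktop 2's traffic (secondary NIC subnet, adjust the
# prefix if it is not a /24) to this host's tunnel address as it leaves
# wg-mullvad. Without this the packets keep their 192.168.1.x source, which the
# VPN server has no route back to (a WireGuard peer only carries the client's
# assigned tunnel IP -- confirm), so forwarding "works" but nothing returns.
# Restricted to the tunnel so LAN traffic that the forward chain lets out on
# other interfaces keeps its real source address.
ip saddr 192.168.1.0/24 oif "wg-mullvad" masquerade
}
}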
mullvad_server_ip is the public IP of the Mullvad VPN server.
wireguard_ip is the server's own address inside the 10.0.0.0/8 tunnel subnet (the only destination the rules above allow DNS to, i.e. the in-tunnel resolver).
our_client_wireguard_ip is the address in 10.0.0.0/8 that the server assigned to this client's wg-mullvad interface.
I am using Mullvad VPN with their official desktop client app (GitHub: mullvad/mullvadvpn-app), which installs the nftables ruleset shown above.
The goal is to share the VPN with a 2nd desktop wired directly to a secondary NIC on the 1st desktop, i.e. to use the 1st desktop as a router that NAT-masquerades the 2nd desktop's traffic into the tunnel.
I already have a working link between the two with static IP configuration: a test nginx page hosted on the 1st desktop loads on the 2nd desktop, so the input-side filtering (the 192.168.0.0/16 accept in the input chain) is not the problem.
Desktop 1 is 192.168.1.1.
Desktop 2 is 192.168.1.2 with 192.168.1.1 as its gateway. Note that its DNS server must be one the forward chain lets through, i.e. wireguard_ip over the tunnel, since forwarded DNS to any other address is rejected.
I know this could be done in other ways, but I am strictly trying to modify this existing nftables ruleset just enough to get forwarding to work.
I have read similar topics suggesting a static route on the 2nd desktop, but this defeats the purpose of a plug-and-play solution, since the WireGuard 10.0.0.0/8 addresses (wireguard_ip and our_client_wireguard_ip) can change between connections.