NAT problem with WireGuard VPN

Hello all, I have a little problem. I have set up a VyOS server with a WireGuard VPN on a VPS.

I have a web server behind the VyOS on port 32400. I would like to redirect all packets with port 32400 coming from my VPS to the web server; on the VPS (green arrow on my diagram) I have made an iptables rule, and it's OK for this part.

On the VyOS I've tried to NAT port 32400 from the wg0 interface with IP 172.16.254.10 to 172.16.44.50 (web server). I think it's OK because I see the packets (with tcpdump) going to this IP, but the server responds to its gateway: 172.16.44.254.

I don't know how to force it to respond to 172.16.254.10; I have tried lots of NAT configurations but nothing works.

Thanks for your help. My config (without NAT rules):

set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth3 address '172.16.44.254/24'
set interfaces ethernet eth3 policy route 'PBR3-1'
set interfaces loopback lo
set interfaces wireguard wg0 address '172.16.254.10/32'
set interfaces wireguard wg0 peer SRV address '139.X.X.X'
set interfaces wireguard wg0 peer SRV allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer SRV persistent-keepalive '25'
set interfaces wireguard wg0 peer SRV port '64216'
set interfaces wireguard wg0 peer SRV preshared-key 'XXXXXXXXX'
set interfaces wireguard wg0 peer SRV pubkey 'XXXXXXXXX'
set nat source rule 300 outbound-interface 'wg0'
set nat source rule 300 source address '172.16.44.0/24'
set nat source rule 300 translation address 'masquerade'
set nat source rule 350 outbound-interface 'eth3'
set nat source rule 350 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR3-1 rule 10 destination address '!172.16.0.0/16'
set policy route PBR3-1 rule 10 set table '100'
set policy route PBR3-1 rule 10 source address '172.16.44.0/24'
set protocols static interface-route 172.16.254.0/24 next-hop-interface wg0
set protocols static interface-route 192.168.1.1/32 next-hop-interface eth0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 172.16.254.1 next-hop-interface 'wg0'
set service dhcp-server shared-network-name ETH-VM authoritative
set service dhcp-server shared-network-name ETH-VM subnet 172.16.44.0/24 default-router '172.16.44.254'
set service dhcp-server shared-network-name ETH-VM subnet 172.16.44.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name ETH-VM subnet 172.16.44.0/24 lease '86400'
set service dhcp-server shared-network-name ETH-VM subnet 172.16.44.0/24 range 3 start '172.16.44.1'
set service dhcp-server shared-network-name ETH-VM subnet 172.16.44.0/24 range 3 stop '172.16.44.250'
set service ssh listen-address '192.168.1.254'
set service ssh port '22'
set system name-server '8.8.8.8'
set system name-server '8.8.4.4'

Hey,

I hope I understand correctly what you want to do. VyOS will masquerade everything with the address of eth3 in your NAT rule 350.

You can write a rule before it with:

set nat source rule 349 outbound-interface 'eth3'
set nat source rule 349 destination address '172.16.44.50/32'
set nat source rule 349 translation address '172.16.254.10'

With this, all traffic to 172.16.44.50 will be SNATed with the source 172.16.254.10; anything else will use rule 350.

Hello Rob, I would like to redirect all traffic from 172.16.254.10 with port 32400 to 172.16.44.50, and the response to 172.16.254.10 (if the request is from IP 172.16.254.10). I have tried your rule and it seems not to work :confused:

On node "VYOS", delete source NAT rule 349 and add the following NAT destination rule:

set nat destination rule 100 destination port '32400'
set nat destination rule 100 inbound-interface 'wg0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '172.16.44.50'

Test from the client side:

vyos@client:~$ ssh vyos@203.0.113.1 -p 32400
Welcome to VyOS
vyos@203.0.113.1's password: 

Last login: Wed Oct 28 11:10:53 2020 from 172.16.44.254
vyos@web:~$ 

Dump from the web server side:

vyos@web:~$ sudo tcpdump -ni eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:12:25.843435 IP 172.16.44.254.39218 > 172.16.44.50.32400: Flags [S], seq 3788191962, win 64860, options [mss 1380,sackOK,TS val 3179124000 ecr 0,nop,wscale 6], length 0
11:12:25.843773 IP 172.16.44.50.32400 > 172.16.44.254.39218: Flags [S.], seq 1047398535, ack 3788191963, win 65160, options [mss 1460,sackOK,TS val 2114416920 ecr 3179124000,nop,wscale 6], length 0
11:12:25.923692 IP 172.16.44.254.39218 > 172.16.44.50.32400: Flags [.], ack 1, win 1014, options [nop,nop,TS val 3179124025 ecr 2114416920], length 0
11:12:25.923747 IP 172.16.44.254.39218 > 172.16.44.50.32400: Flags [P.], seq 1:40, ack 1, win 1014, options [nop,nop,TS val 3179124025 ecr 2114416920], length 39
11:12:25.923760 IP 172.16.44.50.32400 > 172.16.44.254.39218: Flags [.], ack 40, win 1018, options [nop,nop,TS val 2114417000 ecr 3179124025], length 0

Ah OK, so I misunderstood it in your 1st post. What @Viacheslav wrote should work for you.

Thanks @Viacheslav, but it seems not to work. I have already tried these NAT commands. I see packets on ETH3:


The results on wg0:

Your diagram has a little error: my client is on the public IP WG-SERVER, and I use iptables to redirect into the tunnel (I used this method with OpenVPN in the past and it worked well).

I don't really understand where the problem is; 172.16.44.254 seems not to send requests to 172.16.254.10.

So do you see the SYN-ACK response via the eth0 interface, or are the packets dropped on the "vyos" node?

On eth0 I see 172.16.254.10 responding to the public IP instead of wg0.

In my scheme I masquerade the external client IP on wg-server to the wg address space.
I'll try to change my lab tomorrow.

@Viacheslav thanks :relaxed:

@rand0m can you delete rule 350 in NAT?

delete nat source rule 350

Do you really need it?

You have identified the problem; indeed it came from this rule. If I delete this rule it's OK!
I will continue my tests to see if I don't have side effects.
Just another question: can I not apply two exception rules in PBR?

For example, in my conf I have:

set policy route 'PBR3-1' rule 10 destination address !172.16.0.0/16

but if I add another one (12 for example) only one can be applied.

Can you describe what PBR you mean? Example.

OK, as you can see in the configuration in my first post, I use a PBR.
I created PBR3-1: 3 for the name of my eth and 1 for the first rule.

I have two networks: 172.16.0.0/16 for my VyOS lab and 192.168.0.0/16 for my ISP router.
If I want to join a server on the 172.16 network I add this line to my rule:

set policy route 'PBR3-1' rule 10 destination address !172.16.0.0/16

and it works great. Now if I want to contact my router on 192.168.1.1 I suppose I have to create another rule? Like that:

set policy route 'PBR3-2' rule 10 destination address !192.168.0.0/16

but when I do this neither of the two rules works, so I use another method: I create another PBR rule:

set policy route 'PBR3-2' rule 10 set table '100'
set policy route 'PBR3-2' rule 10 source address '172.16.44.0/24'
set policy route 'PBR3-2' rule 10 destination address !192.168.0.0/16

and I apply it with:

set interfaces ethernet eth3 policy route 'PBR3-2'

I apply this rule only if I really need to connect to my ISP router.
I hope I'm clear (sorry if not).

You can create a policy with multiple rule numbers.
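One way to lay that out, as an added example that is not from the thread: the first matching rule decides, so two rules that each negate a different prefix cannot both act as exceptions (traffic to 192.168.1.1 already matches `!172.16.0.0/16` in rule 10 and is sent to table 100 before rule 20 is consulted). Instead, list the exceptions as positive matches that keep the main table, then a catch-all that sets table 100. It assumes VyOS 1.2/1.3 CLI syntax and that `set table main` is accepted, and reuses the addresses from the thread.

```text
# Added example, not the poster's config. Assumes 'set table main' is valid
# on this VyOS release; addresses are the ones used in the thread.

# Rule 10: LAN -> lab network (172.16.0.0/16) keeps normal routing.
set policy route PBR3-1 rule 10 source address '172.16.44.0/24'
set policy route PBR3-1 rule 10 destination address '172.16.0.0/16'
set policy route PBR3-1 rule 10 set table 'main'

# Rule 20: LAN -> ISP router network (192.168.0.0/16) also keeps normal routing.
set policy route PBR3-1 rule 20 source address '172.16.44.0/24'
set policy route PBR3-1 rule 20 destination address '192.168.0.0/16'
set policy route PBR3-1 rule 20 set table 'main'

# Rule 30: everything else from the LAN goes out the tunnel via table 100
# (table 100 already has 0.0.0.0/0 -> 172.16.254.1 on wg0 in the posted config).
set policy route PBR3-1 rule 30 source address '172.16.44.0/24'
set policy route PBR3-1 rule 30 set table '100'

# One policy attached to eth3; a separate PBR3-2 is no longer needed.
set interfaces ethernet eth3 policy route 'PBR3-1'
```

Check it with `show policy route` after commit, and confirm with a traceroute from a 172.16.44.0/24 host that 192.168.1.1 is reached directly while an Internet destination leaves via wg0.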
