Log In     Register    

Off Topic
Report problems with the forum itself, or any thing else not specific to Tixati
<<  Back To Forum

outline: personal Wireguard VPN server with port forwarding

by Guest on 2020/03/04 06:45:41 AM    
Want to port forward but your ISP uses carrier grade NAT (also called ISP NAT or double NAT)?

This is more of an outline rather than a tutorial. I will assume you already have a linux server with root user or sudo access. I will also assume that you are a little bit familiar with some basic linux commands and you have some networking knowledge.

1) download and run the wireguard-install script. (Please take note of the IPs and server port you pick. I recommend port 8080 but you are welcome to use the default or pick something else. Another potential good choice is 443 or 80.)
$ curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh && chmod +x wireguard-install.sh && sudo ./wireguard-install.sh

2) Copy the client config to your local computer. (check the folder you ran the script in)

3) after wireguard is running on the server (check with "systemctl status wg-quick@your-value" or htop) test it with: $ wg-quick up /location/of/your-config

4) You should be able to browse the internet using the VPN but the port forwarding isn't set up yet.

5) Now to setup and enable the firewall. I will show you my firewall.sh script as an example. I save the rules as a shell script so if you accidentally block SSH all you have to do is reboot using your VPS/server control panel for the rules to be removed. You can choose to make these rules persistent once you get it working. If you leave it as is make sure to run the script again each time after you reboot. Make sure you change the ports and IPs to match whatever you picked.

#!/bin/bash
# default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# loopback interface
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# drop invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELAT
ED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELA
TED -j ACCEPT

# ping (you can remove if you want)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCE
PT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEP
T
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
ip6tables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# wireguard (udp/8080) - VPN
iptables -A INPUT -p udp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p udp --sport 8080 -j ACCEPT

# allow forwarding for wireguard (because we DROP on FORWARD chain by default. Change "ens3" to "eth0" if you are using the old network interface names)
iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT
ip6tables -A FORWARD -i wg0 -o ens3 -j ACCEPT
ip6tables -A FORWARD -i ens3 -o wg0 -j ACCEPT

# port forwarding rules
bash /root/port-forward.sh

I save the above as firewall.sh

And here are the port forwarding rules for UDP, TCP, and IPv4 and IPv6. If your server doesn't support IPv6 you can ignore the lines that contain "ip6tables". The example below assumes that you are using port 48319 on Tixati.

# Tixati - TCP 
iptables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV4 -p tcp --dport 48319 -j DNAT --to
-dest 10.66.66.2:48319
iptables -t filter -A INPUT -p tcp -d 10.66.66.2 --dport 48319 -j ACCEPT

ip6tables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV6 -p tcp --dport 48319
 -j DNAT --to-dest [fd42:69:69::2]:48319
ip6tables -t filter -A INPUT -p tcp -d fd42:69:69::2 --dport 48319 -j ACCEPT

# Tixati - UDP/uTP
iptables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV4 -p udp --dport 48319 -j DNAT --to
-dest 10.66.66.2:48319
iptables -t filter -A INPUT -p udp -d 10.66.66.2 --dport 48319 -j ACCEPT

ip6tables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV6 -p udp --dport 48319
 -j DNAT --to-dest [fd42:69:69::2]:48319
ip6tables -t filter -A INPUT -p udp -d fd42:69:69::2 --dport 48319 -j ACCEPT

You can include this in firewall.sh or put it in a separate file. In my firewall.sh, I have it run port-forward.sh (See last line)

6) Connect to the VPN and bind Tixati to your VPN interface IP(s). Run a few torrents and check for incoming connections. You do not need to use UPnP for the port forwarding because the port is already forwarded.


If you have any questions or need me to clarify anything, let me know. Again, this is more of an outline rather than a proper tutorial.
by Guest on 2020/03/04 06:58:01 AM    
by Guest on 2020/05/28 05:40:39 AM    
You should fix "#!/bin/basb" and bad line breaks in the iptables commands part.
Thanks, bookmarked just in case.
by Guest on 2020/05/30 03:50:34 AM    
Thank you Guest. But I can't fix it because I can't edit old posts as a guest.
by Guest on 2020/12/28 01:13:41 PM    
hello i tried this but my UDP port still shows open but filtered any way to have it fully open and do you have any email or discord address where i can contact you regarding this
thanks
by Guest on 2021/01/23 06:42:36 AM    
Hello. I'm the original poster. discord: santost pound symbol 7018

Are you able to check using TCP? If the port is open for TCP than UDP likely works too if you ran all the commands. If you got it working with iptables, great but if you need to set it up again from beginning I actually recommend nftables now. nftables is the new and better replacement for iptables. It's okay to still use iptables if you do.

Seeing Open/filtered is normal for UDP. If you got something like no response at all or icmp destination or port unreachable than UDP probably doesn't work.
by Guest on 2021/03/05 08:26:05 AM    
I replaced the server's real public IPv4 address with 1.2.3.4.

root@server:~# wg genkey
gN4lfaGDzwgdFLi+dSDLTSCIKJEvrB7iU3Z/NCQVTkw=

root@server:~# echo "gN4lfaGDzwgdFLi+dSDLTSCIKJEvrB7iU3Z/NCQVTkw=" | wg pubkey
lzpTv+6zqpaD31bQ8BTR6U8goeDTnHg7pHCfyjjcQlc=

root@server:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = SERVER-PRIVATE-KEY
Address = 10.99.0.1/32
ListenPort = 8080
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; iptables -A INPUT -p tcp --dport 9864 -j ACCEPT; iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 9864 -j DNAT --to-dest 10.99.0.2:9864; iptables -A INPUT -p udp --dport 9864 -j ACCEPT; iptables -t nat -A PREROUTING -d 1.2.3.4 -p udp --dport 9864 -j DNAT --to-dest 10.99.0.2:9864
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; iptables -D INPUT -p tcp --dport 9864 -j ACCEPT; iptables -t nat -D PREROUTING -d 1.2.3.4 -p tcp --dport 9864 -j DNAT --to-dest 10.99.0.2:9864; iptables -D INPUT -p udp --dport 9864 -j ACCEPT; iptables -t nat -D PREROUTING -d 1.2.3.4 -p udp --dport 9864 -j DNAT --to-dest 10.99.0.2:9864

[Peer]
PublicKey = YOUR-PC-PUBLIC-KEY
AllowedIPs = 10.99.0.2/32


Client example config:
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
Address = 10.99.0.2/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = YOUR-SERVER-PUBLIC-KEY
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 1.2.3.4:8080
PersistentKeepalive = 55




This web site is powered by Super Simple Server