Tuesday, October 31, 2023

Wireguard Port Forwarding

Hi misc@,

I can't get port forwarding through Wireguard working.
I have a server at home (HOME) and a VPS (VPS).
Both run OpenBSD 7.4-release.
I want to run an HTTP Server at HOME,
but forward it through Wireguard to VPS.
Later I want to add other services, but let's keep it simple for now.

On my previous setup I did it with SSH Port Forwarding,
but it started getting annoying once I had to forward more than 3 ports.

From the VPS I can do
$ curl http://192.168.64.2:80
but I can't do
$ curl http://45.76.90.128:80
from my PC.

HOME $ ifconfig wg0
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
> index 4 priority 0 llprio 3
> wgport 49074
> wgpubkey JmI9(CENSORED)
> wgpeer ubkQ(CENSORED)
> wgendpoint 45.76.90.128 51820
> tx: 21420, rx: 86308
> last handshake: 59 seconds ago
> wgaip 0.0.0.0/0
> groups: wg
> inet 192.168.64.2 netmask 0xffffff00 broadcast 192.168.64.255

VPS $ ifconfig wg0
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
> index 4 priority 0 llprio 3
> wgport 51820
> wgpubkey ubkQ(CENSORED)
> wgpeer JmI9(CENSORED)
> wgendpoint (HOMEIP) 48909
> tx: 90536, rx: 21824
> last handshake: 32 seconds ago
> wgaip 192.168.64.2/32
> groups: wg
> inet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255

HOME /etc/hostname.wg0
> wgkey txk/(CENSORED)
> wgpeer ubkQ(CENSORED) wgendpoint 45.76.90.128 51820 wgaip 0.0.0.0/0
> inet 192.168.64.2/24
> up

VPS /etc/hostname.wg0
> wgkey 8Hg2(CENSORED)
> wgpeer JmI9(CENSORED) wgaip 192.168.64.2/32
> inet 192.168.64.1/24
> wgport 51820
> up

HOME /etc/pf.conf
> set skip on lo
>
> block return # block stateless traffic
> pass # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> # Port build user does not need network
> block return out log proto {tcp udp} user _pbuild
>
> pass out on egress inet from (wg0:network) nat-to (vio0:0)

VPS /etc/pf.conf
> set skip on lo
>
> block all
> pass out
>
> # Wireguard
> pass in on wg0
> pass in inet proto udp from any to any port 51820
> pass out on egress inet from (wg0:network) nat-to (vio0:0)
>
> pass in on egress proto tcp from any to any port ssh
> pass in on vio0 proto tcp from any to any port 80 rdr-to 192.168.64.2

When I run httpd on 127.0.0.1 of VPS,
and change 192.168.64.2 to 127.0.0.1 in pf.conf it works perfectly.

HOME /etc/httpd.conf:
> server match "*" {
> listen on 192.168.64.2 port 80
> root "/htdocs/test"
> }

Don't worry about the keys, I'm gonna recreate them when it works.
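One thing worth checking against the rules quoted above, as an added example that is not part of the original post: `rdr-to` on its own keeps the client's public source address, so HOME's replies follow HOME's own default route instead of coming back through wg0, and the TCP handshake never completes (asymmetric routing). Translating the source to the VPS tunnel address as well keeps both directions inside the tunnel; the rule below is an assumption about the cause, not a confirmed fix, and the addresses are the ones from the post.

```pf
# VPS /etc/pf.conf, added example (not the poster's file)

# Rule as posted: the redirected SYN reaches HOME with the client's
# public address as source, so HOME answers via its ISP, not via wg0.
pass in on vio0 proto tcp from any to any port 80 rdr-to 192.168.64.2

# Assumed fix: also rewrite the source to the VPS's wg0 address, so
# HOME replies to 192.168.64.1 over the directly connected tunnel.
pass in on vio0 proto tcp from any to (vio0:0) port 80 \
    rdr-to 192.168.64.2 nat-to 192.168.64.1
```

With the second rule, httpd on HOME logs 192.168.64.1 as the client rather than the real remote address, which matters if those logs feed access reviews or abuse handling. `tcpdump -ni wg0 tcp port 80` on HOME shows whether the SYN arrives and whether the SYN/ACK leaves on the same interface.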
