iptables rules for WireGuard VPN on NAT OpenVZ VPS running Debian 10?
I'm trying to set up WireGuard VPN (TunSafe for that matter) on my NAT OpenVZ VPS running Debian 10. I have an Ansible playbook I created to set it up on 'regular' KVM VPSes that I used. The issue I have is with the iptables rules that are needed to route/forward the traffic between the client and the server properly; they don't seem to work.
On my KVM VPSes, I'm using the iptables rule
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which I figured would translate to
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
for OpenVZ. However, iptables on my OpenVZ NAT VPS complains "Chain 'MASQUERADE' does not exist".
I already switched to the legacy version of iptables instead of nft using update-alternatives --config iptables
but the error remains. And indeed, if I run iptables -L
I see only three chains: INPUT, FORWARD and OUTPUT...
In the meantime I found this set of iptables rules that makes the VPN connection work:
#Forwarding
# accept anything forwarded from venet0 into the tunnel
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
# from the tunnel out to venet0, only packets that belong to an existing connection
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# source-NAT packets that leave through tun0 to the tunnel interface address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#Hardening?
# traffic from the tunnel to the server itself: only replies to existing connections...
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ...and drop everything else arriving on tun0
iptables -A INPUT -i tun0 -j DROP
However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.
Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.
Thanks!
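Added example (not code from the thread or from the TunSafe/WireGuard projects): a small script that applies the forwarding and NAT rules a VPN server on a venet0 container needs, with a dry-run mode and a check for the actual failure in the question. Two points it covers: `iptables -L` only lists the filter table, so seeing three chains says nothing about the nat table; `iptables -t nat -S POSTROUTING` and `/proc/net/ip_tables_targets` show whether the container kernel offers the nat table and the MASQUERADE (or SNAT) target at all. And the rule set quoted above accepts new connections from venet0 into the tunnel while only letting replies out, which is the reverse of what a server whose clients originate traffic needs; with the default FORWARD policy of ACCEPT, ACCEPT-only rules restrict nothing either way. The tunnel subnet 10.8.0.0/24, the listen port 51820 and the `tun0` default are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the thread: forwarding/NAT rules for a WireGuard
# (or TunSafe) server inside an OpenVZ container whose public interface is
# venet0. Assumed values (override via environment): tunnel interface tun0,
# tunnel subnet 10.8.0.0/24, listen port 51820. VPN_NET and WG_PORT are
# assumptions, not taken from the question.
set -eu

WAN_IF="${WAN_IF:-venet0}"        # interface facing the provider's network
VPN_IF="${VPN_IF:-tun0}"          # tunnel interface (wg0 for kernel WireGuard)
VPN_NET="${VPN_NET:-10.8.0.0/24}" # addresses handed to VPN clients (assumed)
WG_PORT="${WG_PORT:-51820}"       # WireGuard UDP listen port (assumed)
SNAT_IP="${SNAT_IP:-}"            # set to use SNAT instead of MASQUERADE
DRY_RUN="${DRY_RUN:-0}"           # 1 = print commands instead of running them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The failure mode from the question: `iptables -L` only lists the filter
# table, so it cannot show whether the nat table exists. Ask for the nat
# table directly and, where the kernel exposes it, check that the target
# (MASQUERADE or SNAT) is actually offered to this container.
nat_supported() {
    target="${1:-MASQUERADE}"
    iptables -t nat -S POSTROUTING >/dev/null 2>&1 || return 1
    if [ -r /proc/net/ip_tables_targets ]; then
        grep -qx "$target" /proc/net/ip_tables_targets || return 1
    fi
    return 0
}

# Rules in the direction a VPN *server* needs: clients originate traffic
# from the tunnel towards the Internet, only replies flow back in.
apply_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1

    # Handshake and data packets for WireGuard arrive on the public side.
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$WG_PORT" -j ACCEPT

    # tunnel -> Internet: anything from the client subnet may go out.
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # Internet -> tunnel: only replies to connections the clients opened.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Rewrite the client source address as it leaves the public interface.
    # MASQUERADE uses the outgoing interface's address; SNAT is the explicit
    # alternative when that address is fixed.
    if [ -n "$SNAT_IP" ]; then
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" \
            -j SNAT --to-source "$SNAT_IP"
    else
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# The ACCEPT rules above only restrict anything if the FORWARD policy is
# DROP; with Debian's default policy of ACCEPT they change nothing. Call
# this after apply_rules when the container should forward nothing else.
restrict_forward_policy() {
    run iptables -P FORWARD DROP
}

# Same rules, printed rather than applied (subshell body, so DRY_RUN does
# not leak into the caller).
show_rules() (
    DRY_RUN=1
    apply_rules
)

main() {
    case "${1:-}" in
        show) show_rules ;;
        apply)
            target=MASQUERADE
            if [ -n "$SNAT_IP" ]; then target=SNAT; fi
            if ! nat_supported "$target"; then
                echo "nat table or $target target unavailable in this container;" \
                     "the provider has to enable netfilter for it" >&2
                return 1
            fi
            apply_rules
            ;;
        *) echo "usage: $0 show|apply   (env: WAN_IF VPN_IF VPN_NET WG_PORT SNAT_IP)" >&2 ;;
    esac
}

main "$@"
```

`sh wg-rules.sh show` prints the rules without touching anything; `sh wg-rules.sh apply` (as root, with `iptables` pointing at a backend the container kernel accepts) refuses with a clear message while the nat table or target is missing, which on OpenVZ 7 is the case until the provider enables the netfilter feature. The rules are not persisted; add them to whatever the box uses for that (iptables-persistent, a WireGuard PostUp hook, or the Ansible playbook).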
Comments
Check module MASQ:
don't forget:
Ah, that explains. Kernel limitation I guess.
Yep, already did the ip_forward. Thanks for the hint though!
Alternatively, use module ipt_SNAT:
And then use iptables like:
EX:
SNAT module also seems to be missing.
Do I have any other options left?
Thanks!
BGP peer, more complex
Might be a bit of overkill for my setup
Did you enable netfilter?
https://webhorizon.net
I don't think I can. This is an OpenVZ VPS. Or am I mistaken?
The provider can https://lowendspirit.com/openvz-7-virtuozzo-7-enable-netfilter-as-standard
If it's IH https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/29/Enable-NFS-or-FUSE-or-Netfilter-for-Docker-Support.html
Aah, now we're getting somewhere. Netfilter was the magic keyword I needed apparently and I think this is the solution to my issues:
https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/36/Iptables-csf-ufw-firewalld-or-vpn-software-problems.html
Executed the command. Let's wait and see.
Thanks!!
So, what did we learn today? RTFM!
Thanks for pointing me in the right direction @isunbejo @Abdullah