TorGuard

port forwarding through wireguard to docker --help

SporadicThought

Question

I'm not sure how to configure iptables to allow port 12345 through WireGuard and hit my qBittorrent Docker container. I have an active port forward in my TorGuard control panel.

Here's the setup

 

This is the config on iptables-restore (runs at boot):

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

 

Additional info:

# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add ##.##.###.##/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp2s0
##.##.###.0     *               255.255.255.0   U     0      0        0 wg0
192.168.1.0     *               255.255.255.0   U     600    0        0 wlp2s0

 

Start Docker:

# systemctl start docker
# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere    

 

Info after # docker-compose up. I see the rule to accept 12345 is configured for the container.

# docker network inspect torrents_default
[
    {
        "Name": "torrents_default",
        "Id": "OMITTED",
        "Created": "OMITTED",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "OMITTED": {
                "Name": "jackett",
                "EndpointID": "OMITTED",
                "MacAddress": "OMITTED",
                "IPv4Address": "172.20.0.2/16",
                "IPv6Address": ""
            },
            "OMITTED": {
                "Name": "flaresolverr",
                "EndpointID": "OMITTED",
                "MacAddress": "OMITTED",
                "IPv4Address": "172.20.0.3/16",
                "IPv6Address": ""
            },
            "OMITTED": {
                "Name": "qbittorrent",
                "EndpointID": "OMITTED",
                "MacAddress": "OMITTED",
                "IPv4Address": "172.20.0.4/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "default",
            "com.docker.compose.project": "torrents",
            "com.docker.compose.version": "1.29.2"
        }
    }
]

 

# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.20.0.2           tcp dpt:9117
ACCEPT     tcp  --  anywhere             172.20.0.3           tcp dpt:8191
ACCEPT     tcp  --  anywhere             172.20.0.4           tcp dpt:12345
ACCEPT     tcp  --  anywhere             172.20.0.4           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere  
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp2s0
10.13.120.0     *               255.255.255.0   U     0      0        0 wg0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
172.20.0.0      *               255.255.0.0     U     0      0        0 br-9d4196d52322
192.168.1.0     *               255.255.255.0   U     600    0        0 wlp2s0

 

# TorGuard WireGuard Config
[Interface]
PrivateKey = OMITTED
ListenPort = 51820
DNS = 1.1.1.1
Address = 12.12.123.12/24

[Peer]
PublicKey = OMITTED
AllowedIPs = 0.0.0.0/0
Endpoint = 123.123.123.123:1443
PersistentKeepalive = 25

 

So I'm supposing that I have to allow port 12345 into the default INPUT chain?

I was able to download a torrent, but there is 0 uploaded data from it. I also am unable to access qBittorrent on localhost and have to use its IP address instead.

Any suggestions or feedback on this config is welcome.

Screenshot from 2021-07-29 22-10-14.png

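An added example, not code from the thread or from TorGuard: a few POSIX shell/awk checks that read an `iptables --list` dump in the format pasted above and answer the question's own "I see the rule to accept 12345 is configured" from the text, together with the policy of each built-in chain. SAMPLE_LISTING is a constructed excerpt modelled on the post-compose listing above (container 172.20.0.4, port 12345); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: checks over an `iptables --list` dump in
# the format pasted in the question. SAMPLE_LISTING is a constructed excerpt
# modelled on the question's post-compose listing.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.20.0.2           tcp dpt:9117
ACCEPT     tcp  --  anywhere             172.20.0.4           tcp dpt:12345
ACCEPT     tcp  --  anywhere             172.20.0.4           tcp dpt:http-alt'

# chain_policy LISTING CHAIN : prints the policy of a built-in chain ("" for
# user chains, whose header reads "(N references)" instead of "(policy X)").
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / && $2 == chain && $3 == "(policy" { sub(/\)$/, "", $4); print $4 }'
}

# chain_has_target LISTING CHAIN TARGET : exit 0 if CHAIN contains a rule
# whose target column is TARGET (e.g. a jump from FORWARD into DOCKER).
chain_has_target() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        /^Chain / { cur = $2; next }            # "Chain DOCKER (2 references)"
        cur == chain && $1 == target { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# chain_accepts_tcp LISTING CHAIN DEST PORT : exit 0 if CHAIN holds
# "ACCEPT tcp -- <src> DEST tcp dpt:PORT". PORT is compared exactly as the
# listing prints it, so a service name such as http-alt works too.
chain_accepts_tcp() {
    printf '%s\n' "$1" | awk -v chain="$2" -v dest="$3" -v port="$4" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 == "ACCEPT" && $2 == "tcp" && $5 == dest &&
            $NF == ("dpt:" port) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# published_port_reachable LISTING DEST PORT : exit 0 when both things a
# Docker-published port needs under a FORWARD policy of DROP are present:
# a jump from FORWARD into DOCKER, and an ACCEPT for DEST:PORT in DOCKER.
published_port_reachable() {
    listing="$1"; dest="$2"; port="$3"
    if ! chain_has_target "$listing" FORWARD DOCKER; then
        echo "FORWARD never jumps to DOCKER" >&2; return 1
    fi
    if ! chain_accepts_tcp "$listing" DOCKER "$dest" "$port"; then
        echo "DOCKER chain has no ACCEPT for $dest tcp dpt:$port" >&2; return 1
    fi
    return 0
}
```

One caveat the checks cannot cover: `iptables --list` without `-v` omits the in/out interface columns, so a dump like the one above cannot tell which of the identical-looking FORWARD ACCEPT lines belong to docker0 and which to the compose bridge, and an `-i lo` rule in INPUT would print as a bare `ACCEPT all -- anywhere anywhere`; `iptables -L -v -n` shows the interfaces.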

5 answers to this question


You probably should not use AllowedIPs = 0.0.0.0; instead, set TorGuard's internal VPN DNS in your interface configuration:

DNS = 10.9.0.1,10.8.0.1

and in your peer 

AllowedIPs = 10.9.0.1/32,10.8.0.1/32 #, 10.13.63.0/0,10.13.128.0/0 etc, whatever you need additionally

For the routes themselves, it depends on what you do; normally I would use PostUp and PostDown for it. You probably know better which routes you need; this is just an example:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

 

something like this can be done too:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i eth0 -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i eth0 -o %i -j ACCEPT

 

Hope it works for you, I can confirm that port forwarding works without issues.

 


16 hours ago, SporadicThought said:

Thanks for taking the time to show me some examples. I do not know how iptables-nat works or what masquerading is exactly, but now I know to start looking into them. Looks like I'm essentially turning my network into a router, which is exactly my aim here.

You are welcome. Here is some basic explanation about what IP masquerade is; I guess the explanation is quite simple and understandable. For iptables, it is best if you use the manual of your binary; simply run:

man iptables

It is actually good practice to read from the man pages rather than from the link, as you might have older devices with older iptables versions which might have different options/features.

For help about commands and options, run:

iptables --help

PostDown is actually the same as PostUp, where instead of add (-A) you use delete (-D). eth0 is your network interface and %i is a variable for the WireGuard interface which is used. PostUp/Down commands are separated by ";".

For the rest, I guess you simply need to play with it to get it; I also believe you can always ask TorGuard for assistance too, or simply on network-related Linux boards, like OpenWrt or any other.

I am sure you will enjoy it ;), as it is not really as complicated as one would believe.

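An added example, not code from the thread or from TorGuard, that turns the PostUp/PostDown idea from the answer above and the -A/-D symmetry described in the reply into a script wg-quick can call. It lets the forwarded TCP port in from the tunnel to the qBittorrent container and drops every other new connection arriving over the tunnel into Docker's bridges; a Docker-published port (the http-alt ACCEPT for the WebUI in the question's DOCKER chain included) is accepted on every interface unless the compose file binds it to an address, so the tunnel is no exception. wg0, 172.20.0.4 and 12345 are the question's values; the IPT dry-run variable, the function names and the install path in wg_quick_lines are assumptions. It relies on the FORWARD layout shown in the question (DOCKER-USER evaluated first, Docker's own DOCKER chain accepting the published port) and leaves NAT to Docker, which masquerades container egress itself.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a wg-quick
# PostUp/PostDown pair. wg0, 172.20.0.4 and 12345 come from the question;
# everything else is an assumption. Commands run through $IPT so the script
# can be dry-run with IPT=echo.
IPT="${IPT:-iptables}"

# wg_rules up|down WG_IF PORT CONTAINER_IP
#   "up" inserts the rules, "down" deletes the very same rules: identical
#   match strings, -I swapped for -D, the usual PostUp/PostDown symmetry.
wg_rules() {
    action="$1"; wg_if="$2"; port="$3"; ctr_ip="$4"
    case "$action" in
        up)   verb="-I" ;;
        down) verb="-D" ;;
        *)    echo "usage: wg_rules up|down WG_IF PORT CONTAINER_IP" >&2; return 2 ;;
    esac
    # Forwarded port in from the tunnel. FORWARD sees the post-DNAT address, so
    # -d matches the container; RETURN hands the packet on to Docker's DOCKER
    # chain, which already ACCEPTs dpt:12345 for it in the question's listing.
    r_port="DOCKER-USER -i $wg_if -p tcp --dport $port -d $ctr_ip -j RETURN"
    # Any other new connection arriving over the tunnel towards a Docker
    # network (the published WebUI port, for instance) is dropped. Replies to
    # the container's own outbound traffic are ESTABLISHED and are not matched.
    r_drop="DOCKER-USER -i $wg_if -m conntrack --ctstate NEW -j DROP"
    # Host-local traffic, the rule the follow-up post found missing with an
    # INPUT policy of DROP.
    r_lo="INPUT -i lo -j ACCEPT"
    if [ "$action" = up ]; then
        # -I inserts at the top of the chain, so apply last-to-first: the
        # port rule must end up above the drop rule.
        $IPT $verb $r_drop && $IPT $verb $r_port && $IPT $verb $r_lo
    else
        $IPT $verb $r_port; $IPT $verb $r_drop; $IPT $verb $r_lo
    fi
}

# wg_quick_lines PORT CONTAINER_IP
#   Prints the PostUp/PostDown lines for the [Interface] section of a wg-quick
#   config. %i is wg-quick's placeholder for the interface name; SCRIPT is the
#   path where this file is installed (assumed default below).
wg_quick_lines() {
    script="${SCRIPT:-/usr/local/sbin/wg-docker-rules.sh}"
    printf 'PostUp = %s up %%i %s %s\n' "$script" "$1" "$2"
    printf 'PostDown = %s down %%i %s %s\n' "$script" "$1" "$2"
}

# Run directly: ./wg-docker-rules.sh up wg0 12345 172.20.0.4
if [ $# -gt 0 ]; then
    wg_rules "$@"
fi
```

If the compose file also publishes 12345/udp (qBittorrent uses UDP for DHT and uTP), add a second RETURN rule with `-p udp`; `-m conntrack` is available on any host where Docker's own ctstate rules load, as the question's listing shows they do.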


Crap. I just realized I forgot a rule in iptables. I just added:

sudo iptables -I INPUT -i lo -j ACCEPT


let's see what happens.


On 7/30/2021 at 11:47 AM, 19807409 said:

You probably should not use AllowedIPs = 0.0.0.0; instead, set TorGuard's internal VPN DNS in your interface configuration:

DNS = 10.9.0.1,10.8.0.1

and in your peer 

AllowedIPs = 10.9.0.1/32,10.8.0.1/32 #, 10.13.63.0/0,10.13.128.0/0 etc, whatever you need additionally

For the routes themselves, it depends on what you do; normally I would use PostUp and PostDown for it. You probably know better which routes you need; this is just an example:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

 

something like this can be done too:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT; iptables -A FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i eth0 -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT; iptables -D FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i eth0 -o %i -j ACCEPT

 

Hope it works for you, I can confirm that port forwarding works without issues.

 

Thanks for taking the time to show me some examples. I do not know how iptables-nat works or what masquerading is exactly, but now I know to start looking into them. Looks like I'm essentially turning my network into a router, which is exactly my aim here.
