Hello, I'm using Arch, WireGuard, Unbound and iptables on a dedicated server.
I've set up WireGuard configs for the server and an Android phone, and when I do "sudo wg" on the server I can see the handshake occurs and they do connect; however, I can't access any websites on the phone.
I'm new to iptables, so I suspect I've maybe overlooked something or made a mess of my rules.
Any help is always appreciated.
# wireguard server .conf
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.200.200.2/32
Endpoint = ***:48207

# wireguard client .conf
[Interface]
Address = 10.200.200.2/24
PrivateKey = ***
DNS = 10.200.200.1
[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ***:51820

# /etc/unbound/unbound.conf
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow
    do-daemonize: no
    root-hints: root.hints
    private-address: 10.200.200.0/24
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1

# /etc/iptables/iptables.rules
# Generated by iptables-save v1.8.2 on Mon Apr 8 14:17:23 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 22 -j ACCEPT
-A UDP -p udp --dport 51820 -j ACCEPT
-A TCP -p tcp --dport 53 -j ACCEPT
-A UDP -p udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 8 14:17:23 2019

# /etc/sysctl.d/30-ipfoward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

Last edited by cmm11 (2019-04-08 18:00:04)
Update - So I did:
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and it appears to be working; the correct IP is shown on the phone. However, it seems to still be using Google DNS, not Cloudflare, which Unbound has been set to use.
Update 2 - Adding "access-control: 10.200.200.0/24 allow" to my unbound.conf sorted my issue with DNS.
Last edited by cmm11 (2019-04-08 17:59:50)
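A small self-check for the two misconfigurations this thread ran into (a FORWARD chain with a DROP policy and no rule admitting reply traffic back into the tunnel, and an Unbound access-control list that does not cover the tunnel subnet). This is an added example, not code from the original post; the rule and config snippets inside it are constructed from the poster's files, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample input, condensed from the poster's iptables-save dump:
# FORWARD defaults to DROP and the only FORWARD rule is the PostUp one,
# which matches packets arriving from the tunnel but not the replies.
RULES_BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
"""
# The rule the poster added in the first update.
RULES_AFTER = RULES_BEFORE.replace(
    "COMMIT", "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\nCOMMIT")

def forward_return_path_ok(dump: str) -> bool:
    """True if the FORWARD chain lets reply traffic back through: either its
    policy is ACCEPT or some ACCEPT rule matches RELATED,ESTABLISHED."""
    policy = re.search(r"^:FORWARD (\w+)", dump, re.M)
    if policy and policy.group(1) == "ACCEPT":
        return True
    for line in dump.splitlines():
        if line.startswith("-A FORWARD") and line.rstrip().endswith("-j ACCEPT"):
            states = re.search(r"--ctstate (\S+)", line)
            if states and {"RELATED", "ESTABLISHED"} <= set(states.group(1).split(",")):
                return True
    return False

# Constructed unbound.conf fragments: the poster's original only allowed
# loopback, so queries from the phone at 10.200.200.2 were refused.
UNBOUND_BEFORE = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow
"""
UNBOUND_AFTER = UNBOUND_BEFORE + "    access-control: 10.200.200.0/24 allow\n"

def unbound_allows(conf: str, client_ip: str) -> bool:
    """Apply unbound's access-control semantics: the most specific matching
    netblock wins, and a source with no matching entry is refused."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for m in re.finditer(r"access-control:\s*(\S+)\s+(\S+)", conf):
        net = ipaddress.ip_network(m.group(1), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group(2))
    return best is not None and best[1].startswith("allow")
```

Run the two checks against `iptables-save` output and `/etc/unbound/unbound.conf` to see which of the two fixes from the updates a similar setup is missing.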