Hello, I'm using Arch, WireGuard, Unbound and iptables on a dedicated server.
I've set up WireGuard configs for the server and an Android phone, and when I do "sudo wg" on the server I can see the handshake occurs and they do connect; however, I can't access any websites on the phone.
I'm new to iptables, so I suspect I've maybe overlooked something or made a mess of my rules.
Any help is always appreciated.
# wireguard server .conf
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.200.200.2/32
Endpoint = ***:48207
# wireguard client .conf
[Interface]
Address = 10.200.200.2/24
PrivateKey = ***
DNS = 10.200.200.1
[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ***:51820
# /etc/unbound/unbound.conf
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow
    do-daemonize: no
    root-hints: root.hints
    private-address: 10.200.200.0/24

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
# /etc/iptables/iptables.rules
# Generated by iptables-save v1.8.2 on Mon Apr 8 14:17:23 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 22 -j ACCEPT
-A UDP -p udp --dport 51820 -j ACCEPT
-A TCP -p tcp --dport 53 -j ACCEPT
-A UDP -p udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 8 14:17:23 2019
# /etc/sysctl.d/30-ipfoward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
Last edited by cmm11 (2019-04-08 18:00:04)
Update - So I did:
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and it appears to be working; the correct IP is shown on the phone. However, it seems to be still using Google DNS, not Cloudflare, which Unbound has been set to use.
Update 2 - Adding
access-control: 10.200.200.0/24 allow
to my unbound.conf sorted my issue with DNS.
Last edited by cmm11 (2019-04-08 17:59:50)
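As an added example (not code from the thread or from any of the projects involved), a small shell lint that checks an iptables-save dump and an unbound.conf for the two gaps the updates above identified: a DROP-policy FORWARD chain with no RELATED,ESTABLISHED accept, and no access-control entry for the VPN subnet. The interface name wg0 and the rule and config text are assumed and constructed to mirror the thread.

```shell
# Added example, not from the forum thread: lint the two settings that were
# wrong in the poster's setup. Rule and config text below is constructed to
# mirror the thread; "wg0" is the assumed WireGuard interface name.

# 0 if an iptables-save dump has a FORWARD rule accepting RELATED,ESTABLISHED
# (conntrack form): replies arriving on the uplink then survive policy DROP.
forward_allows_replies() {
  printf '%s\n' "$1" |
    grep -Eq '^-A FORWARD .*--ctstate [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'
}

# 0 when FORWARD is complete for a DROP-policy gateway, else print what is
# missing and return 1. $1 = iptables-save text, $2 = WireGuard interface.
diagnose_forward() {
  if ! printf '%s\n' "$1" | grep -q "^-A FORWARD -i $2 -j ACCEPT"; then
    echo "missing: -A FORWARD -i $2 -j ACCEPT"; return 1
  fi
  if printf '%s\n' "$1" | grep -q '^:FORWARD DROP' &&
     ! forward_allows_replies "$1"; then
    echo "FORWARD policy DROP with no RELATED,ESTABLISHED accept: return traffic is dropped"
    return 1
  fi
  echo "FORWARD chain ok"
}

# 0 if unbound.conf has an exact "access-control: <subnet> allow" line
# ($1 = config text, $2 = subnet); Unbound refuses clients not listed.
unbound_allows_subnet() {
  printf '%s\n' "$1" |
    awk -v s="$2" '$1=="access-control:" && $2==s && $3=="allow"{f=1} END{exit !f}'
}

# Constructed samples: FORWARD chain and Unbound access-control, before/after.
BROKEN_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT'
FIXED_RULES="${BROKEN_RULES%COMMIT}-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT"
UNBOUND_BROKEN='server:
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow'
UNBOUND_FIXED="$UNBOUND_BROKEN
    access-control: 10.200.200.0/24 allow"

diagnose_forward "$BROKEN_RULES" wg0 || true   # reports the dropped return traffic
diagnose_forward "$FIXED_RULES" wg0
```

Run it against `iptables-save` output and the live unbound.conf (`diagnose_forward "$(iptables-save)" wg0`) to check a real gateway instead of the constructed samples.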