1

Temat: Wireguard VPN i problem z firewall

Witam
Mam problem z połączeniem
Mój dostawca nie udostępnia mi bezpośrednio publicznego IP z portem, tylko mam zewnętrzny adres z portem x.x.x.x:25102, który trafia u mnie na WAN na port 8062.

Serwer uruchamiam na routerze 192.168.1.1 i dla uproszczenia nasłuchuje on na porcie 25102.

Postępuję zgodnie z instrukcją https://eko.one.pl/?p=openwrt-wireguard ale nie mogę się połączyć. Prawdopodobnie brakuje mi jakiegoś przekierowania na firewallu. Jakiego?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf5:9936:2b06::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'a0:63:91:7d:23:bf'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'HASLO'
        option ipv6 'auto'
        option username 'LOGIN'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'a0:63:91:7d:23:c0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option ar8xxx_mib_type '0'
        option ar8xxx_mib_poll_interval '500'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'OEm/j/386M7S*********0rxmIyodlxPnU='
        option listen_port '25102'
        list addresses '10.9.0.1/24'

config wireguard_wg0
        option public_key 'bAbL/XFWWT1**************3vbX4='
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option description 'android'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

config redirect
        option src 'wan'
        option src_dport '8062'
        option target 'DNAT'
        option name '8062'
        option dest_ip '192.168.1.1'
        option dest 'lan'
        option dest_port '25102'

config rule
        option src 'wan'
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '25102'
        option name 'wireguard_wan'

2

Odp: Wireguard VPN i problem z firewall

Coś kombinujesz. Jak wszystko ci wpada na port 8062, to nie robisz żadnego redirecta, tylko otwierasz port 8062 na WAN-ie i stawiasz wireguard na porcie 8062 (jeżeli chcesz mieć "serwer" - bo jak nie, to nic nie robisz).


3

Odp: Wireguard VPN i problem z firewall

Zmieniłem port serwera na 8062 i nadal z zewnątrz się nie łączy.
VPN na pewno działa, bo zmieniłem IP w aplikacji na telefonie na 192.168.1.1 i łączyłem się po sieci LAN, więc klucze są OK.
Co mogę jeszcze zmienić?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf5:9936:2b06::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'a0:63:91:7d:23:bf'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'xxxxxx'
        option ipv6 'auto'
        option username 'xxxxxxxxxxxxl'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'a0:63:91:7d:23:c0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option ar8xxx_mib_type '0'
        option ar8xxx_mib_poll_interval '500'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'MLABi2Oagb*********DRwbAXA='
        option listen_port '8062'
        list addresses '10.9.0.1/24'

config wireguard_wg0
        option public_key 'bAbL/XFWW***********0CefzS3vbX4='
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'android'
        list allowed_ips '10.9.0.3/32'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '8062'
        option name 'wireguard'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

4

Odp: Wireguard VPN i problem z firewall

Podaj adres IP, to sprawdzimy, czy ten port 25102 faktycznie jest przekierowany na ciebie.


5 (edytowany przez Loozak 2021-04-21 10:24:57)

Odp: Wireguard VPN i problem z firewall

91.231.*.*:25102

6

Odp: Wireguard VPN i problem z firewall

Na razie mam connection refused. Wyłącz wireguarda, postaw dropbeara na porcie 8062 i zobaczymy, czy zgłosi się z zewnątrz.


7 (edytowany przez Loozak 2021-04-21 10:24:40)

Odp: Wireguard VPN i problem z firewall

A popatrz na analogiczny port, który przekierowuję sobie na Raspberry w sieci LAN:
91.231.*.*:25100

działa

8

Odp: Wireguard VPN i problem z firewall

openmediavault jest, tak działa.


9

Odp: Wireguard VPN i problem z firewall

Dropbear postawiony na 8062

10

Odp: Wireguard VPN i problem z firewall

No to sorry, ja cały czas mam connection refused. Zrób iptables -v -L i zobacz, czy coś jest na liczniku przy regule otwierającej port 8062. Jeżeli nie ma, to dostawca jednak nie przekierował ci 25102 na 8062...


11

Odp: Wireguard VPN i problem z firewall

Ten fragment?


Chain zone_wan_input (1 references)
pkts bytes target     prot opt in     out     source               destination
   17  2175 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:8062 /* !fw3: wireguard */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   17  2175 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

12

Odp: Wireguard VPN i problem z firewall

Ej, ale otworzyłeś 8062/udp, a ssh to tcp. Zmień na tcp i zrestartuj firewall.


13

Odp: Wireguard VPN i problem z firewall

Dostawca otworzył mi ten port, bo mogę go przekierować np. na openmediavault.

Chyba że blokuje samego wireguarda.

14

Odp: Wireguard VPN i problem z firewall

Cezary napisał/a:

Ej, ale otworzyłeś 8062/udp, a ssh to tcp. Zmień na tcp i zrestartuj firewall.

Jest TCP

15

Odp: Wireguard VPN i problem z firewall

Yes, teraz ssh się zgłasza. To zmień znów na udp, włącz wireguarda i spróbuj się połączyć, ale nie z LAN-u, tylko z kompletnie innej sieci, np. przez smartfona.


16

Odp: Wireguard VPN i problem z firewall

UDP, serwer Wireguard na porcie 8062, łączę się nie z LAN-u, tylko z innej sieci.
Brak połączenia.

17

Odp: Wireguard VPN i problem z firewall

Standardowo - czy masz coś na licznikach w iptables?


18

Odp: Wireguard VPN i problem z firewall

Jest to:

root@OpenWrt:~# iptables -v -L
Chain INPUT (policy ACCEPT 1532 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
  142 11290 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 3656  830K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom input rule chain */
  805 87862 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   44  2520 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
 1303  212K zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
   16  1820 zone_wan_input  all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wg_input  all  --  wg0    any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 488K  232M forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
 488K  232M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
  942  111K zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wg_forward  all  --  wg0    any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  142 11290 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
 2868  560K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom output rule chain */
 2503  527K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    7  2296 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  358 30704 zone_wan_output  all  --  any    pppoe-wan  anywhere             anywhere             /* !fw3 */
    0     0 zone_wg_output  all  --  any    wg0     anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    7   335 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
    9  1485 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
   44  2520 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination
    7  2296 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  942  111K forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
  942  111K zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_wg_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wg forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1303  212K input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
 1303  212K zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7  2296 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan output rule chain */
    7  2296 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1303  212K ACCEPT     all  --  br-lan any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    8   344 DROP       all  --  any    pppoe-wan  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
 1292  141K ACCEPT     all  --  any    pppoe-wan  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  any    pppoe-wan  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    0     0 zone_wg_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone wan to wg forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16  1820 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:8062 /* !fw3: wireguard */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   16  1820 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  358 30704 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan output rule chain */
  358 30704 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16  1820 reject     all  --  pppoe-wan any     anywhere             anywhere             /* !fw3 */

Chain zone_wg_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    wg0     anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 ACCEPT     all  --  any    wg0     anywhere             anywhere             /* !fw3 */

Chain zone_wg_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wg_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wg forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone wg to wan forwarding policy */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone wg to lan forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wg_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wg_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wg_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wg input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wg_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wg_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_wg_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wg output rule chain */
    0     0 zone_wg_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wg_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wg0    any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

19

Odp: Wireguard VPN i problem z firewall

Co podajesz na kliencie jako peer? Bo masz podać 91.231.60.3 z portem 25102.


20

Odp: Wireguard VPN i problem z firewall

Peer punkt końcowy
91.231.60.3:25102

21

Odp: Wireguard VPN i problem z firewall

Nie miałeś żadnego pakietu, który złapałby się na regule. Tak jakby Android nic nie wysłał. Możesz użyć innego klienta? OpenWrt/linuksa?


22

Odp: Wireguard VPN i problem z firewall

Czy aby na pewno dostawca udostępnił ci port TCP/UDP, czy może tylko TCP?

23

Odp: Wireguard VPN i problem z firewall

xury napisał/a:

Czy aby na pewno dostawca udostępnił ci port TCP/UDP czy może tylko TCP?

Jak to sprawdzić najprościej?

24

Odp: Wireguard VPN i problem z firewall

Napisałbym, żebyś wystawił jakąś usługę na udp, ale to już sprawdziłeś.

Postaw sobie openvpn na tcp i zobacz, czy się do niego podłączysz. Jeżeli tak, to przestaw na udp i też zobacz...


25

Odp: Wireguard VPN i problem z firewall

Ok, ruszyło na TCP.

Jednak to był ten problem - dostawca przepuszcza mi tylko TCP.

Dzięki wielkie za pomoc