Dietpi-Vpn Issue with network traffic

So sorry if I bother you: the situation is the following. I added these routing rules and now the connection to my behind server via ssh works, but I can’t surf the internet. So when I connect from my phone via wireguard to the behind server, it works and I can ssh into behindpi, but I can’t navigate :frowning:

All this when I’m connected to Proton’s VPN via dietpi-vpn.

/var/lib/dietpi/dietpi-vpn/up.sh

ip route add default via 192.168.1.1 table 100
ip rule add iif lo sport 51820 lookup 100 prio 15010
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

/var/lib/dietpi/dietpi-vpn/down.sh

ip route del default via 192.168.1.1 table 100
ip rule del iif lo sport 51820 lookup 100 prio 15010
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i wg0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD ACCEPT


What are the allowed IPs on the client devices?

Is it this?

root@DietPi:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = censured=
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820
### begin oneplus7 ###
[Peer]
PublicKey = +TgC4tto0l+Mj/gUvGG1RPtL94gozvBopDOGkKGbRyc=
PresharedKey = 8TN0Ui8TY3+uvXifKg3++ZXbNLgNqoRVEw70bw9nfy4=
AllowedIPs = 10.6.0.2/32
### end oneplus7 ###

Like this, but on the Oneplus7 device.

Also, locally I have a DNS server on behind; I can continue to use it, right?

The IP is 10.6.0.2

root@DietPi:~# pivpn -c
::: Connected Clients List :::
Name          Remote IP              Virtual IP      Bytes Received      Bytes Sent      Last Seen
oneplus7      37.161.71.5:38752      10.6.0.2        16MiB               279MiB          Apr 03 2023 - 23:13:51

Try to add these in the up/down scripts

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

...

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

No, unfortunately it doesn’t work, or rather it lets me connect via ssh but I can’t surf from my phone :frowning:

If you need anything about my configuration, ask me for the commands and I’ll show you everything.

Add also

iptables -A FORWARD -o eth0 -i wg0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

To allow the traffic from wg to the DNS server .1.35.
Keep the masquerades as well; most likely the DNS has its default gateway set to .1.1, which doesn’t know about the wg subnet.

Still not working agrr

Install tcpdump on the dietpi and the dns (if you can). Verify that the packets are received and sent properly.
tcpdump -i wg0 -vn -c 10 host 10.6.0.2        (from roadwarrior)
tcpdump -i eth0 -vn -c 10 host 192.168.1.35   (to dns)
tcpdump -i tun0 -vn -c 10 host 8.8.4.4        (to the internet)
-c 10 will stop capturing at 10 packets. You can change the host which filters the results.

root@DietPi:~# tcpdump -i wg0 -vn -c 10 host 10.6.0.2
tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:01:44.250255 IP (tos 0x0, ttl 255, id 39139, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [SEW], cksum 0xf6ee (correct), seq 1540618455, win 65535, options [mss 1240,sackOK,TS val 1200831769 ecr 0,nop,wscale 9], length 0
10:01:44.250510 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [S.E], cksum 0xcc01 (incorrect -> 0x6f75), seq 1734323317, ack 1540618456, win 64296, options [mss 1380,sackOK,TS val 2131556691 ecr 1200831769,nop,wscale 7], length 0
10:01:44.253494 IP (tos 0x0, ttl 255, id 39140, offset 0, flags [DF], proto TCP (6), length 52)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [.], cksum 0x98bb (correct), ack 1, win 128, options [nop,nop,TS val 1200831800 ecr 2131556691], length 0
10:01:44.253499 IP (tos 0x2,ECT(0), ttl 255, id 39141, offset 0, flags [DF], proto TCP (6), length 74)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0x8fd5 (correct), seq 1:23, ack 1, win 128, options [nop,nop,TS val 1200831800 ecr 2131556691], length 22: SSH: SSH-2.0-libssh_0.9.3
10:01:44.253809 IP (tos 0x10, ttl 64, id 35517, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [.], cksum 0xcbf9 (incorrect -> 0x972b), ack 23, win 503, options [nop,nop,TS val 2131556694 ecr 1200831800], length 0
10:01:44.266840 IP (tos 0x12,ECT(0), ttl 64, id 35518, offset 0, flags [DF], proto TCP (6), length 582)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [P.], cksum 0xce0b (incorrect -> 0xd6ae), seq 1:531, ack 23, win 503, options [nop,nop,TS val 2131556707 ecr 1200831800], length 530: SSH: SSH-2.0-dropbear_2020.81
10:01:44.270030 IP (tos 0x0, ttl 255, id 39142, offset 0, flags [DF], proto TCP (6), length 52)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [.], cksum 0x966f (correct), ack 531, win 131, options [nop,nop,TS val 1200831817 ecr 2131556707], length 0
10:01:44.271847 IP (tos 0x2,ECT(0), ttl 255, id 39143, offset 0, flags [DF], proto TCP (6), length 1076)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0x0b0c (correct), seq 23:1047, ack 531, win 131, options [nop,nop,TS val 1200831818 ecr 2131556707], length 1024
10:01:44.313363 IP (tos 0x10, ttl 64, id 35519, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [.], cksum 0xcbf9 (incorrect -> 0x90cc), ack 1047, win 502, options [nop,nop,TS val 2131556754 ecr 1200831818], length 0
10:01:44.316466 IP (tos 0x2,ECT(0), ttl 255, id 39144, offset 0, flags [DF], proto TCP (6), length 100)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0xe54c (correct), seq 1047:1095, ack 531, win 131, options [nop,nop,TS val 1200831863 ecr 2131556754], length 48
10 packets captured
14 packets received by filter
0 packets dropped by kernel
root@DietPi:~# 


root@DietPi:~# tcpdump -i eth0 -vn -c 10 host 192.168.1.35
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:01:58.861083 IP (tos 0x10, ttl 64, id 42055, offset 0, flags [DF], proto TCP (6), length 164)
    192.168.1.35.22 > 192.168.1.13.53450: Flags [P.], cksum 0x8417 (incorrect -> 0x222b), seq 1493322062:1493322186, ack 1292554984, win 501, length 124
10:01:58.861591 IP (tos 0x0, ttl 47, id 27264, offset 0, flags [DF], proto UDP (17), length 139)
    190.2.138.15.1194 > 192.168.1.35.39738: UDP, length 111
10:01:58.907674 IP (tos 0x0, ttl 128, id 27886, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.13.53450 > 192.168.1.35.22: Flags [.], cksum 0x78b5 (correct), ack 124, win 8190, length 0
10:01:58.940090 IP (tos 0x0, ttl 254, id 11774, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940096 IP (tos 0x0, ttl 254, id 11778, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940100 IP (tos 0x0, ttl 254, id 11779, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940104 IP (tos 0x0, ttl 254, id 11780, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940816 IP (tos 0x0, ttl 64, id 34929, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10:01:58.940966 IP (tos 0x0, ttl 64, id 34930, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10:01:58.941091 IP (tos 0x0, ttl 64, id 34931, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10 packets captured
15 packets received by filter
0 packets dropped by kernel
root@DietPi:~# 


root@DietPi:~# tcpdump -i tun0 -vn -c 10 host 8.8.4.4
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@DietPi:~# 

Alright, so 1.35 is the dietpi itself on the LAN. Which DNS server is it running? Pihole or something else? If it is Pihole, have you configured it to accept queries from all interfaces and all sources?
As for the last tcpdump to 8.8.4.4, which had no packets: did you try to initiate any traffic to that destination while running the tcpdump?

Yes, the DNS is on the same dietpi (192.168.1.35).
I have AdGuard; I don’t know how to modify it, probably this file? “/mnt/dietpi_userdata/adguardhome/AdGuardHome.yaml”

dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
  upstream_dns_file: /mnt/dietpi_userdata/adguardhome/dietpi-unbound.conf
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false

“As for the last tcpdump to 8.8.4.4 which had no packets, did you try to initiate any traffic to that destination while running the tcpdump?”

Yes, but nothing happens :frowning:

Let’s tackle the issues independently.
Run this on dietpi
iptables-save -c

a lot of shit

root@DietPi:~# iptables-save -c
# Generated by iptables-save v1.8.7 on Tue Apr  4 15:04:35 2023
*mangle
:PREROUTING ACCEPT [95934:25239205]
:INPUT ACCEPT [95783:25231644]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83925:14699598]
:POSTROUTING ACCEPT [83946:14700757]
COMMIT
# Completed on Tue Apr  4 15:04:35 2023
# Generated by iptables-save v1.8.7 on Tue Apr  4 15:04:35 2023
*filter
:INPUT ACCEPT [95783:25231644]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83925:14699598]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[0:0] -A FORWARD -j DOCKER-USER
[0:0] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -d 10.6.0.0/24 -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
[0:0] -A FORWARD -s 10.6.0.0/24 -i wg0 -o eth0 -m comment --comment wireguard-forward-rule -j ACCEPT
[0:0] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A FORWARD -i wg0 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o wg0 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Apr  4 15:04:35 2023
# Generated by iptables-save v1.8.7 on Tue Apr  4 15:04:35 2023
*nat
:PREROUTING ACCEPT [2579:315801]
:INPUT ACCEPT [2428:308240]
:OUTPUT ACCEPT [11476:847143]
:POSTROUTING ACCEPT [6936:458858]
:DOCKER - [0:0]
[720:49016] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[324:19612] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
[3900:340212] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9002 -j DNAT --to-destination 172.17.0.2:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
COMMIT
# Completed on Tue Apr  4 15:04:35 2023

Okay, nothing is blocked on the firewall ingress.
Let’s see if DNS works. Run:
tcpdump -i any -n -s 0 port 53 and host 10.6.0.2
Then try to browse to some site from your phone.

root@DietPi:~# tcpdump -i any -n -s 0 port 53 and host 10.6.0.2
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
16:11:13.633265 wg0   In  IP 10.6.0.2.45400 > 192.168.1.35.53: 50605+ A? clients4.google.com. (37)
16:11:13.633273 wg0   In  IP 10.6.0.2.5168 > 192.168.1.35.53: 64194+ Type65? clients4.google.com. (37)
16:11:13.635716 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.5168: 64194 1/1/0 CNAME clients.l.google.com. (111)
16:11:13.636395 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.45400: 50605 2/0/0 CNAME clients.l.google.com., A 142.250.180.142 (77)
16:11:15.619944 wg0   In  IP 10.6.0.2.12307 > 192.168.1.35.53: 34754+ A? www.reddit.com. (32)
16:11:15.619948 wg0   In  IP 10.6.0.2.21152 > 192.168.1.35.53: 757+ Type65? www.reddit.com. (32)
16:11:15.819931 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.12307: 34754 2/0/0 CNAME reddit.map.fastly.net., A 146.75.53.140 (83)
16:11:15.876815 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.21152: 757 1/1/0 CNAME reddit.map.fastly.net. (125)
16:11:30.098351 wg0   In  IP 10.6.0.2.38480 > 192.168.1.35.53: 65452+ A? www.google.com. (32)
16:11:30.098358 wg0   In  IP 10.6.0.2.40621 > 192.168.1.35.53: 2449+ Type65? www.google.com. (32)
16:11:30.099963 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.40621: 2449 1/0/0 Type65 (57)
16:11:30.101314 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.38480: 65452 1/0/0 A 142.251.209.36 (48)
16:11:55.458051 wg0   In  IP 10.6.0.2.61046 > 192.168.1.35.53: 36822+ AAAA? ssl.google-analytics.com. (42)
16:11:55.458212 wg0   In  IP 10.6.0.2.12361 > 192.168.1.35.53: 18096+ A? ssl.google-analytics.com. (42)
16:11:55.459731 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.61046: 36822 1/0/0 AAAA :: (70)
16:11:55.460038 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.12361: 18096 1/0/0 A 0.0.0.0 (58)
16:12:06.281208 wg0   In  IP 10.6.0.2.22436 > 192.168.1.35.53: 3145+ A? a.nel.cloudflare.com. (38)
16:12:06.281215 wg0   In  IP 10.6.0.2.28252 > 192.168.1.35.53: 59547+ Type65? a.nel.cloudflare.com. (38)
16:12:06.454777 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.22436: 3145 1/0/0 A 35.190.80.1 (54)
16:12:06.458212 wg0   Out IP 192.168.1.35.53 > 10.6.0.2.28252: 59547 0/1/0 (89)

Looks good as well. Now try this and try again to browse to icanhazip.com

tcpdump -i any -vn host 104.18.114.97 or host 104.18.115.97

root@DietPi:~# tcpdump -i any -vn host 104.18.114.97 or host 104.18.115.97
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:15:23.880020 wg0   In  IP (tos 0x0, ttl 255, id 64711, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [SEW], cksum 0x9184 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383038828 ecr 0,nop,wscale 9], length 0
17:15:23.880147 tun1  Out IP (tos 0x0, ttl 254, id 64711, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [SEW], cksum 0x9184 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383038828 ecr 0,nop,wscale 9], length 0
17:15:24.906714 wg0   In  IP (tos 0x0, ttl 255, id 64712, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x8e41 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383039855 ecr 0,nop,wscale 9], length 0
17:15:24.906852 tun1  Out IP (tos 0x0, ttl 254, id 64712, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x8e41 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383039855 ecr 0,nop,wscale 9], length 0
17:15:26.122962 wg0   In  IP (tos 0x0, ttl 255, id 52067, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.47050 > 104.18.115.97.443: Flags [S], cksum 0x11e4 (correct), seq 2082421660, win 65535, options [mss 1240,sackOK,TS val 2383041071 ecr 0,nop,wscale 9], length 0
17:15:26.123072 tun1  Out IP (tos 0x0, ttl 254, id 52067, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.47050 > 104.18.115.97.443: Flags [S], cksum 0x11e4 (correct), seq 2082421660, win 65535, options [mss 1240,sackOK,TS val 2383041071 ecr 0,nop,wscale 9], length 0
17:15:26.186743 wg0   In  IP (tos 0x0, ttl 255, id 49741, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.47042 > 104.18.115.97.443: Flags [S], cksum 0x131e (correct), seq 3817067205, win 65535, options [mss 1240,sackOK,TS val 2383041135 ecr 0,nop,wscale 9], length 0
17:15:26.186885 tun1  Out IP (tos 0x0, ttl 254, id 49741, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.47042 > 104.18.115.97.443: Flags [S], cksum 0x131e (correct), seq 3817067205, win 65535, options [mss 1240,sackOK,TS val 2383041135 ecr 0,nop,wscale 9], length 0
17:15:26.960756 wg0   In  IP (tos 0x0, ttl 255, id 64713, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x8641 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383041903 ecr 0,nop,wscale 9], length 0
17:15:26.960843 tun1  Out IP (tos 0x0, ttl 254, id 64713, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x8641 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383041903 ecr 0,nop,wscale 9], length 0
17:15:30.991099 wg0   In  IP (tos 0x0, ttl 255, id 64714, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x7681 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383045935 ecr 0,nop,wscale 9], length 0
17:15:30.991195 tun1  Out IP (tos 0x0, ttl 254, id 64714, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x7681 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383045935 ecr 0,nop,wscale 9], length 0
17:15:38.987380 wg0   In  IP (tos 0x0, ttl 255, id 64715, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x5740 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383053936 ecr 0,nop,wscale 9], length 0
17:15:38.987513 tun1  Out IP (tos 0x0, ttl 254, id 64715, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [S], cksum 0x5740 (correct), seq 1793318690, win 65535, options [mss 1240,sackOK,TS val 2383053936 ecr 0,nop,wscale 9], length 0
17:15:42.574816 wg0   In  IP (tos 0x0, ttl 255, id 13806, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42268 > 104.18.114.97.443: Flags [SEW], cksum 0x2034 (correct), seq 173425891, win 65535, options [mss 1240,sackOK,TS val 2523182837 ecr 0,nop,wscale 9], length 0
17:15:42.574929 tun1  Out IP (tos 0x0, ttl 254, id 13806, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42268 > 104.18.114.97.443: Flags [SEW], cksum 0x2034 (correct), seq 173425891, win 65535, options [mss 1240,sackOK,TS val 2523182837 ecr 0,nop,wscale 9], length 0
17:15:42.576982 wg0   In  IP (tos 0x0, ttl 255, id 57424, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42284 > 104.18.114.97.443: Flags [SEW], cksum 0x7ae6 (correct), seq 3273470295, win 65535, options [mss 1240,sackOK,TS val 2523182839 ecr 0,nop,wscale 9], length 0
17:15:42.577084 tun1  Out IP (tos 0x0, ttl 254, id 57424, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42284 > 104.18.114.97.443: Flags [SEW], cksum 0x7ae6 (correct), seq 3273470295, win 65535, options [mss 1240,sackOK,TS val 2523182839 ecr 0,nop,wscale 9], length 0
17:15:43.597251 wg0   In  IP (tos 0x0, ttl 255, id 57425, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42284 > 104.18.114.97.443: Flags [S], cksum 0x77ac (correct), seq 3273470295, win 65535, options [mss 1240,sackOK,TS val 2523183857 ecr 0,nop,wscale 9], length 0
17:15:43.597261 wg0   In  IP (tos 0x0, ttl 255, id 13807, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42268 > 104.18.114.97.443: Flags [S], cksum 0x1cf8 (correct), seq 173425891, win 65535, options [mss 1240,sackOK,TS val 2523183857 ecr 0,nop,wscale 9], length 0
17:15:43.597409 tun1  Out IP (tos 0x0, ttl 254, id 57425, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.42284 > 104.18.114.97.443: Flags [S], cksum 0x77ac (correct), seq 3273470295, win 65535, options [mss 1240,sackOK,TS val 2523183857 ecr 0,nop,wscale 9], length 0
17:15:43.597496 tun1  Out IP (tos 0x0, ttl 254, id 13807, offset 0, flags [DF], proto TCP (6), length 60)

Add this one

-A POSTROUTING -s 10.6.0.0/24 -o tun0 -m comment --comment wireguard2openvpn-nat-rule -j MASQUERADE
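An added check, not code from the thread or from DietPi, that automates the last two diagnostic steps above: it reads a `tcpdump -i any` capture for the interface on which the 10.6.0.0/24 client traffic actually leaves the box, then verifies that the nat POSTROUTING chain masquerades on that interface. The sample capture and nat table are constructed after the thread's own output (the tunnel in the capture is `tun1`, the masquerade in up.sh names `tun0`); function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Given the kind of output the
# thread collected (tcpdump -i any on the DietPi, iptables-save), find the
# interface on which forwarded WireGuard client traffic really leaves and
# check that nat POSTROUTING masquerades on that interface. The samples are
# constructed after the thread's own captures; interface names and the
# 10.6.0.0/24 client subnet are the thread's.

# Constructed `tcpdump -i any -vn` lines (LINUX_SLL2 "cooked" format: the
# second field is the interface, the third is the direction In/Out).
SAMPLE_TCPDUMP='17:15:23.880020 wg0   In  IP (tos 0x0, ttl 255, id 64711, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [SEW], seq 1793318690, win 65535, length 0
17:15:23.880147 tun1  Out IP (tos 0x0, ttl 254, id 64711, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44514 > 104.18.115.97.443: Flags [SEW], seq 1793318690, win 65535, length 0
17:15:24.100000 eth0  Out IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85'

# Constructed nat table as `iptables-save` prints it, with the tun0
# masquerade from the thread's up.sh; note the capture above says tun1.
SAMPLE_NAT='*nat
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

# egress_ifaces PREFIX: interfaces on which packets sourced from the client
# subnet (address starting with PREFIX, e.g. "10.6.0.") were seen going Out.
egress_ifaces() {
  printf '%s\n' "$SAMPLE_TCPDUMP" | awk -v pfx="$1" '
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { iface = $2; dir = $3; next }
    dir == "Out" && index($1, pfx) == 1   { seen[iface] = 1 }
    END { for (i in seen) print i }' | sort -u
}

# has_masquerade IFACE: succeed if some POSTROUTING rule masquerades
# traffic leaving IFACE (whatever -s restriction it carries).
has_masquerade() {
  printf '%s\n' "$SAMPLE_NAT" |
    grep -q -- "^-A POSTROUTING .*-o $1 .*-j MASQUERADE$"
}

# check_vpn_nat PREFIX: print "ok IFACE" or "missing IFACE" per egress
# interface; return 1 if any interface forwards client traffic without NAT,
# which matches the symptom of SYNs leaving and no SYN-ACK coming back.
check_vpn_nat() {
  rc=0
  for i in $(egress_ifaces "$1"); do
    if has_masquerade "$i"; then
      echo "ok $i"
    else
      echo "missing $i"
      rc=1
    fi
  done
  return $rc
}

# On the constructed data this prints "missing tun1".
check_vpn_nat 10.6.0. || echo "client traffic leaves without NAT on at least one interface"
```

On a live box, replace the two sample variables with `tcpdump -i any -vn host <destination>` output and `iptables-save -t nat`; the interface the capture reports is the one the masquerade must name.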