FYI… When I removed the DROPs my container worked perfectly. The container uses SSDP to communicate during discovery. However, I don't want to leave it like that, as I want to ensure all my traffic in and out of my LAN is secure.
Maybe @trendy has an idea.
Docker adds a new interface, so you need to allow traffic in the FORWARD chain too.
Can you help with what specifically I need to add to the FORWARD chain? Thanks again, trendy.
I cannot know what specifically needs to be added. You need to see from the logs what is blocked and allow it.
Where do I find the logs for iptables? I tried syslog and kern.log… I don't see anything related to iptables blocking.
I don't know how the Docker FORWARD rules work. I do know that when I remove the following 4 lines, discovery works:
-A INPUT -i wlan0 -m comment --comment nordvpn -j DROP
-A INPUT -i eth0 -m comment --comment nordvpn -j DROP
-A OUTPUT -o wlan0 -m comment --comment nordvpn -j DROP
-A OUTPUT -o eth0 -m comment --comment nordvpn -j DROP
Will I be able to allow traffic in the FORWARD section if I've dropped wlan/eth0 already in the INPUT section? Sorry for the rudimentary questions; this stuff is definitely not my expertise.
My current iptables:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i wlan0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i eth0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51821 -j ACCEPT
-A INPUT -i wlan0 -m comment --comment nordvpn -j DROP
-A INPUT -i eth0 -m comment --comment nordvpn -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -o wlan0 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o wlan0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 51821 -j ACCEPT
-A OUTPUT -o eth0 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o eth0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o wlan0 -m comment --comment nordvpn -j DROP
-A OUTPUT -o eth0 -m comment --comment nordvpn -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Change the wireguard listen port (for your inbound external tunnel) away from your NordVPN port…
Can't have two competing VPNs on the same port.
Wireguard Interface: (wg0) ---udp connection on port 51820
NordVPN Interface: (nordlynx) ---udp connection also on port 51820
Wireguard Interface: (wg0) ---udp connection on port 51880
NordVPN Interface: (nordlynx) ---udp connection also on port 51820
Set up your external clients to use the new port.
Hey Warhawk. I have WireGuard on 51821 and Nord on 51820. My WireGuard connections and my Nord connections have been working great for many months.
I recently added Docker. Docker added a number of entries to the iptables. Nord and WireGuard still work great for inbound/outbound traffic. However, I'm trying to run a Docker container that does an SSDP network discovery. It can't find what it's looking for on my network until I remove the DROPs of my wlan0 and eth0 interfaces. I don't want to remove those, as I want to ensure that all my traffic goes through a VPN. I want to figure out how to get my Docker rules fixed so that I can do a local network discovery, but still force all inbound and outbound traffic through WireGuard or Nord.
Thanks
Docker is creating a rule to block VPN traffic because Docker sets the policy for the FORWARD chain to DROP.
Docker and iptables | Docker Documentation
Add these in the firewall configuration:
sudo iptables -A OUTPUT -j LOG
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
Make sure they are placed above the -j DROP rules. Then you can see in dmesg what was dropped and open accordingly.
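The two pieces of advice in this thread, "allow the traffic in the FORWARD chain" and "log what the DROPs hit and read dmesg", fit together once the LOG lines are summarised per flow, because the IN=/OUT= fields of a netfilter LOG line tell you which chain the packet was in (both set: FORWARD; only IN: INPUT; only OUT: OUTPUT). The script below is an added example written for this thread, not code from any poster or from Docker; it assumes the stock LOG line format and that the LOG rules were given --log-prefix "FW-DROP " (a prefix chosen here, not one the thread uses). The dmesg lines it parses are constructed: the addresses, MACs and timestamps are made up, and the first two mimic an SSDP discovery (UDP to 239.255.255.250 port 1900) leaving a container via docker0.

```shell
#!/bin/sh
# Added example (not from this thread): summarise iptables LOG lines from dmesg
# per flow and print the ACCEPT rule that would let exactly that flow through,
# so blocked traffic is opened deliberately instead of by removing the DROPs.
# Assumes LOG rules with --log-prefix "FW-DROP " (our own choice of prefix).

# Constructed sample dmesg output; addresses, MACs and timestamps are made up.
SAMPLE_LOG='[1234.001] FW-DROP IN=docker0 OUT=eth0 MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=239.255.255.250 LEN=150 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP SPT=35000 DPT=1900 LEN=130
[1234.002] FW-DROP IN=docker0 OUT=eth0 MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=239.255.255.250 LEN=150 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP SPT=35000 DPT=1900 LEN=130
[1234.500] FW-DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[1235.000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Read log lines on stdin; print one "CHAIN IN OUT PROTO DST DPT COUNT" line
# per distinct blocked flow. The chain is derived from which of IN/OUT is set.
summarize_drops() {
  grep 'FW-DROP' | awk '{
    in_if = ""; out_if = ""; proto = ""; dst = ""; dpt = "";
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=");
      if (n < 2) continue;                # skip flag fields like DF, SYN, [ts]
      if (kv[1] == "IN") in_if = kv[2];
      else if (kv[1] == "OUT") out_if = kv[2];
      else if (kv[1] == "PROTO") proto = kv[2];
      else if (kv[1] == "DST") dst = kv[2];
      else if (kv[1] == "DPT") dpt = kv[2];
    }
    chain = (in_if != "" && out_if != "") ? "FORWARD" : (in_if != "" ? "INPUT" : "OUTPUT");
    key = chain " " (in_if == "" ? "-" : in_if) " " (out_if == "" ? "-" : out_if) " " proto " " dst " " (dpt == "" ? "-" : dpt);
    count[key]++;
  }
  END { for (k in count) print k, count[k] }' | sort
}

# Build (but do not apply) the narrowest ACCEPT rule for one summary line.
# Arguments: CHAIN IN OUT PROTO DST DPT, with "-" meaning "not present".
accept_rule_for() {
  rule="iptables -I $1"
  [ "$2" != "-" ] && rule="$rule -i $2"
  [ "$3" != "-" ] && rule="$rule -o $3"
  rule="$rule -p $(echo "$4" | tr 'A-Z' 'a-z') -d $5"
  [ "$6" != "-" ] && rule="$rule --dport $6"
  echo "$rule -j ACCEPT"
}

# Stand-alone run: summarise the constructed log and print a rule per flow.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops | while read -r chain iif oif proto dst dpt n; do
  echo "$n packet(s): $(accept_rule_for "$chain" "$iif" "$oif" "$proto" "$dst" "$dpt")"
done
```

On a real box, feed it `dmesg | grep FW-DROP` instead of the sample. The LOG rules themselves only see packets if they sit above the DROPs, so insert them with a position (`iptables -I INPUT <n> -j LOG --log-prefix "FW-DROP "`, where `<n>` is the DROP rule's number from `iptables -L INPUT --line-numbers`) rather than appending with `-A`; adding `-m limit --limit 5/min` keeps dmesg readable. The printed rules are a starting point to review, not to paste blindly: a FORWARD rule for Docker traffic is better placed in the DOCKER-USER chain, which the Docker documentation linked above reserves for user rules and which Docker does not rewrite when the daemon restarts.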