Setup IP forwarding

I don’t have the file/folder /etc/rc.local so I edited (uncommented) the net.ipv4.ip_forward=1 option in /etc/sysctl.conf. Is this fine?

I’ve added them as a PostDown field in the [Interface] section. I’ve put all the lines on a single line separated by ;, is this fine?

Yes

Yes, you can run iptables-save to check.
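An added example, not code from this thread or from DietPi, that turns the two answers above into an offline check: it reads the effective net.ipv4.ip_forward from a sysctl.conf the way sysctl(8) would (comment lines skipped, spaces around = allowed, last assignment wins) and looks for a MASQUERADE rule for the tunnel interface in an iptables-save -c dump. It assumes the guide's NAT rule is the usual "iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE"; the sysctl fragments and the first dump are constructed, the second dump is a trimmed copy of the mangle/raw output posted later in this thread, which has no nat table at all.

```shell
#!/bin/sh
# Added example (not from the thread): check IP forwarding and the NAT rule on
# text you paste in, so it runs anywhere. Inputs below are constructed.

SYSCTL_DEFAULT='# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1'

SYSCTL_ENABLED='# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1'

SYSCTL_OVERRIDDEN='net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0'

# Constructed: what iptables-save -c shows once the assumed rule
# "iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE" is in place
DUMP_WITH_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[12:904] -A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
[30:8057] -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT'

# Trimmed copy of the dump posted later in this thread: mangle and raw only
DUMP_POSTED='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[30:8057] -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[7:868] -A POSTROUTING -p udp -m mark --mark 0xca6d -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -d 10.59.244.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT'

# sysctl_value CONF KEY -> value sysctl(8) would apply for KEY: lines starting
# with # or ; are comments, spaces around = are allowed, a later assignment
# overrides an earlier one. Prints "unset" if KEY never appears uncommented.
sysctl_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            n = split($0, kv, "=")
            k = kv[1]; v = (n > 1) ? kv[2] : ""
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v
        }
        END { if (last == "") print "unset"; else print last }'
}

# has_masquerade DUMP IFACE -> 0 if the nat table of an iptables-save dump
# masquerades traffic leaving IFACE. Only the *nat section counts: the mangle
# POSTROUTING CONNMARK rule wg-quick adds is not NAT. "[n:m]" counters from -c
# are tolerated because the rule is located by its words, not its position.
has_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /-A POSTROUTING / && /-j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# gateway_status CONF DUMP IFACE -> "ok", or a comma-separated list of what is
# missing for the box to forward LAN clients into the tunnel
gateway_status() {
    missing=""
    [ "$(sysctl_value "$1" net.ipv4.ip_forward)" = 1 ] || missing="ip_forward"
    has_masquerade "$2" "$3" || missing="${missing:+$missing,}masquerade"
    echo "${missing:-ok}"
}

echo "stock sysctl.conf + posted dump:  $(gateway_status "$SYSCTL_DEFAULT" "$DUMP_POSTED" wg0)"
echo "forwarding on + nat rule present: $(gateway_status "$SYSCTL_ENABLED" "$DUMP_WITH_NAT" wg0)"
echo "a later line turns it off again:  $(gateway_status "$SYSCTL_OVERRIDDEN" "$DUMP_WITH_NAT" wg0)"
```

Run it against real data with something like gateway_status "$(cat /etc/sysctl.conf)" "$(sudo iptables-save -c)" wg0 while the tunnel is up. If the rules live only in PostDown, the dump taken with the VPN up will not contain them; the expected place for the add is PostUp, with the matching -D in PostDown.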

I tried setting the RPi4 as the gateway for a device on the LAN and it works, but I can’t seem to reach some websites: Google and co. and Italian websites are fine, others like Reddit are not.

I’ve set the RPi4 as the gateway and the router as DNS; on some devices, setting the RPi4 as DNS too doesn’t connect to the internet at all. I suppose it’s because the RPi4 doesn’t host a DNS service, right? I was going to install pihole anyway if that fixes the problem.

Another problem is that Plex isn’t working on the LAN while the RPi4 is connected to the VPN.

Most probably :slight_smile:

It can fix it.

This is expected; the routing table of the VPN doesn’t include the local network.
ip route add 192.168.178.0/24 dev eth0 table 51820

So I just install pihole/Adguard home and then set the RPi4 as DNS server on the devices?

Does this go in the PostUp of the WireGuard interface?

Or you can advertise the DNS of the VPN provider if you don’t want to go down this road.

I think PreUp is also fine.

Can you please explain? The VPN’s conf has this: DNS = 9.9.9.9, 149.112.112.112.

I tried putting it in PreUp, with PreUp before PostDown, but Plex wasn’t working with the VPN on.
I tried putting it in PostDown after the other PostDown commands and Plex was working with the VPN on but not with the VPN off.

EDIT: I tried putting it in PreDown, with PreDown before PostDown, and Plex is working with the VPN either on or off. Is this fine?

Use these DNSs :slight_smile:

This is a command for when the tunnel comes up. The difference between pre and post is whether it will be executed before or after the VPN is up.
For the down you need to add it as ip route del 192.168.178.0/24 dev eth0 table 51820 in PostDown.

You mean using these DNSs on the devices which use the RPi4 as gateway?

So I leave the ip route add 192.168.178.0/24 dev eth0 table 51820 in the PreDown and put the ip route del 192.168.178.0/24 dev eth0 table 51820 in the PostDown?

Forgive my ignorance, but this is completely new to me :sweat_smile:

Exactly!

The add in PreUp, the delete in PostDown.

Got it.
What about pihole? Say I want to install it on the RPi4 and set the RPi4 as the DNS server too on devices which use it as gateway; do I need to remove the DNS option in the WireGuard conf?

Got it! Does the ip route del 192.168.178.0/24 dev eth0 table 51820 in PostDown have to go after the other PostDown commands (iptables), or doesn’t it matter?

Btw I still can’t access Plex on the device which uses the RPi4 as gateway.

You’ll need to change it to the IP of the Pihole. Otherwise the VPN will work without additional DNS.

It doesn’t matter.

Post here the following with VPN up:
ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
What are the IPs of Plex and of the device which uses the RPi as gateway?

If the Pihole is running on the same RPi4, what do I need to put, the RPi4’s local IP or the RPi4’s VPN IP?
Can the DNS option be removed completely from the WireGuard conf?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.178.42/24 brd 192.168.178.255 scope global dynamic eth0
       valid_lft 857897sec preferred_lft 857897sec
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.59.244.2/24 scope global wg0
       valid_lft forever preferred_lft forever
192.168.178.0/24 dev eth0 table 51820 scope link
default dev wg0 table 51821 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.59.244.2 dev wg0 table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg0 table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6d lookup 51821
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.9 (nf_tables) on Thu Nov  2 15:45:14 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[30:8057] -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[7:868] -A POSTROUTING -p udp -m mark --mark 0xca6d -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Nov  2 15:45:14 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Thu Nov  2 15:45:14 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -d 10.59.244.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Thu Nov  2 15:45:14 2023

Plex is running on the same RPi4 (192.168.178.42) and the device is 192.168.178.20.

Any IP that the DNS service is bound to.

Yes.

I don’t see much output in iptables. Maybe you are running some other firewall, like nftables?
Also, another thing I noticed is that in the last ip -4 rule output the custom tables changed number, and this will break the route.
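The table mismatch pointed out in the reply above, checked mechanically. This is an added example, not code from this thread or from wg-quick; the rule and route samples are copied from the output posted above and trimmed to the lines that matter. It relies on how wg-quick behaves when AllowedIPs contains 0.0.0.0/0 (the posted "default dev wg0 table 51821" route shows it does): it claims the first table number from 51820 upward that holds no routes and programs that same number as the tunnel fwmark, it runs PreUp before that choice and PostUp after it, and it deletes wg0 between PreDown and PostDown. The posted fwmark 0xca6d (51821) next to a LAN route sitting in 51820 is exactly what a PreUp route into 51820 produces. Hook lines are evaluated by wg-quick with bash, so the $(...) in the generated config lines is fine there.

```shell
#!/bin/sh
# Added example, not from the thread or from wg-quick: replays wg-quick's
# table choice on the "ip -4 ru" / "ip -4 ro list table all" output posted
# above and shows why the LAN route landed in a table nothing consults.

RULES_POSTED='0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6d lookup 51821
32766:  from all lookup main
32767:  from all lookup default'

ROUTES_POSTED='192.168.178.0/24 dev eth0 table 51820 scope link
default dev wg0 table 51821 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42'

# wg_quick_pick_table "51820 51821 ..." -> first number from 51820 upward not
# in the list of tables that already hold routes. This mirrors the loop
# wg-quick runs for AllowedIPs = 0.0.0.0/0; the number is also the fwmark.
wg_quick_pick_table() {
    t=51820
    while printf ' %s ' "$1" | grep -q " $t "; do
        t=$((t + 1))
    done
    echo "$t"
}

# mark_to_table 0xca6d -> 51821: the rule prints the mark in hex, the route
# listing prints the table in decimal, and they are the same number
mark_to_table() {
    echo $(( $1 ))
}

# fwmark_table RULES -> table named in the "not from all fwmark ... lookup N"
# rule, i.e. the table wg-quick actually owns for unmarked packets
fwmark_table() {
    printf '%s\n' "$1" | awk '/fwmark/ {
        for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# tables_with_route ROUTES PREFIX -> numbered tables holding PREFIX (the main
# table has no "table" word in this listing and is skipped on purpose)
tables_with_route() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p {
        for (i = 1; i <= NF; i++) if ($i == "table") print $(i + 1) }'
}

# lan_route_in_vpn_table ROUTES RULES PREFIX -> 0 only if PREFIX sits in the
# table the fwmark rule points at; a route in any other numbered table is
# dead because no rule ever looks there
lan_route_in_vpn_table() {
    vt=$(fwmark_table "$2")
    for t in $(tables_with_route "$1" "$3"); do
        [ "$t" = "$vt" ] && return 0
    done
    return 1
}

# hook_lines PREFIX DEV -> wg0.conf hooks that read the table from the running
# tunnel instead of hard-coding 51820. PostUp runs after wg-quick has chosen
# the table; PreUp runs before, which is how a PreUp route claimed 51820 and
# pushed wg-quick to 51821. PreDown runs while wg0 still exists, so "wg show"
# works; in PostDown the interface is already gone. The route is via eth0, so
# the kernel does not drop it together with wg0 and it must be deleted.
hook_lines() {
    printf 'PostUp = ip route add %s dev %s table $(( $(wg show %%i fwmark) ))\n' "$1" "$2"
    printf 'PreDown = ip route del %s dev %s table $(( $(wg show %%i fwmark) ))\n' "$1" "$2"
}

echo "table wg-quick picks with 51820 empty:   $(wg_quick_pick_table '')"
echo "table wg-quick picks after a PreUp route: $(wg_quick_pick_table '51820')"
echo "table the posted fwmark rule points at:   $(fwmark_table "$RULES_POSTED")"
echo "table(s) holding the posted LAN route:    $(tables_with_route "$ROUTES_POSTED" 192.168.178.0/24)"
if lan_route_in_vpn_table "$ROUTES_POSTED" "$RULES_POSTED" 192.168.178.0/24; then
    echo "LAN route is in the table wg-quick uses"
else
    echo "LAN route is in a table no rule consults; hooks that follow the table instead:"
    hook_lines 192.168.178.0/24 eth0
fi
```

One caveat worth knowing before relying on that route at all: in the rules posted, priority 32764 ("from all lookup main suppress_prefixlength 0") consults the main table first and only rejects its /0 default route, so 192.168.178.0/24 is already resolved from main to eth0 before the fwmark rule is reached. That is why the Pi itself reaches LAN hosts with the tunnel up. The extra entry in the wg-quick table is harmless once it lands in the right table; what the posted output demonstrates is that putting it in PreUp with a hard-coded 51820 moves wg-quick's own table instead.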

I haven’t configured any firewall. What do I need to do to fix it?

You may have not configured anything, but it is possible that some other software you used to run the VPN did. How did you configure the VPN?

I’ve installed WireGuard via dietpi-software, client option, dropped in the conf and started/stopped the VPN with systemctl start/stop first and then with wg-quick up/down.

@MichaIng are there any nftables or ip rules inserted when bringing up wireguard?

Nope, this should be done from the client config file. On clients, we install the tool set only, without further configuration (to the best of my knowledge).

Please @trendy and @Joulinar help me figure this out, I think it’s almost done but I lack the knowledge to fix this :smiling_face_with_tear:
The only problems left are:

  • Setting the RPi4 as DNS server on a device doesn’t allow me to connect to some websites, but I will try again once pihole is installed. Currently I’ve removed the DNS option from the WireGuard conf and use the router as DNS server and the RPi4 as gateway on the devices.

  • I can access Plex on the LAN even when the VPN is up, but cannot access it on a device which uses the RPi4 as gateway.