Setup IP forwarding

Btw also separate settings/configurations are fine, just a preference to have everything together.

This was the vpn client conf:

[Interface]
PrivateKey = ***
Address = 10.59.244.2/24
PreDown = iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
PostUp = ip route add 192.168.178.0/24 dev eth0 table 51820
PostUp = iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51820
PostDown = iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = ***
PresharedKey = ***
Endpoint = ***.***.***.***:51820
AllowedIPs = 0.0.0.0/0

Hi @trendy sorry to bother, can you help please?
I’ve little to no knowledge of this :sweat_smile:

Ah sorry, I thought you sorted it out.

Could you post the following after you have enabled VPN?

ip -4 addr; ip -4 ro list table all; ip -4 rule
iptables-save

No way, I can’t without you :sweat_smile:

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 rule
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.178.42/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.11.216.1/24 scope global wg0
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.59.244.2/24 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 table 51820 scope link
192.168.178.0/24 dev eth0 table 51820 scope link
default via 192.168.178.1 dev eth0 onlink
10.11.216.0/24 dev wg0 proto kernel scope link src 10.11.216.1
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.11.216.1 dev wg0 table local proto kernel scope host src 10.11.216.1
broadcast 10.11.216.255 dev wg0 table local proto kernel scope link src 10.11.216.1
local 10.59.244.2 dev wg0 table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg0 table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
root@DietPi:~# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Feb 24 13:44:49 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Mon Feb 24 13:44:49 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Feb 24 13:44:49 2025
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.59.244.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Mon Feb 24 13:44:49 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Feb 24 13:44:49 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.178.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -j ACCEPT
COMMIT
# Completed on Mon Feb 24 13:44:49 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Feb 24 13:44:49 2025
*nat
:PREROUTING ACCEPT [444:85495]
:INPUT ACCEPT [428:84517]
:OUTPUT ACCEPT [1684:156365]
:POSTROUTING ACCEPT [1700:157343]
-A POSTROUTING -s 10.11.216.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
# Completed on Mon Feb 24 13:44:49 2025

First you need to sort out the problem that both Wireguard tunnels are using the same device name.

Then we can check the routing and the rules.

I’ve added PiVPN to my setup to make it a VPN server too; I’ve just changed the interface name.

Btw 10.11.216.1 is from my VPN server (wg0) and 10.59.244.2 is from the VPN client (wg1 now); don’t know if I’ve explained it well.

Try to add these in the Wireguard client config:

PreUp = ip rule add iif lo priority 100 table main
PostDown = ip rule del iif lo priority 100 table main

This is to route all locally generated packets via ISP.
The forwarded packets will go through VPN, so you need to point your lan hosts to use the dietpi as gateway.

Hi

Lan devices are already using the dietpi as gateway so this is fine.

If I understand correctly, these lines keep the dietpi’s own traffic local, while the traffic of the lan devices using the dietpi as gateway goes under the vpn, right?

EDIT: Is there an order to follow when adding these rules? I mean, are the new ones safe to append after the respective PreUp/PostDown lines already present?

Hi again!

Just tried, with client vpn on:

  • the dietpi is still under vpn’s isp (not my isp)
  • my pc connected to the dietpi (server) vpn has no internet access

Can you post the output of the same commands again with the VPN up (with these rules added)?

Updated vpn client conf on the dietpi:

[Interface]
PrivateKey = 
Address = 10.59.244.2/24

PreUp = ip rule add iif lo priority 100 table main

PreDown = iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT

PostUp = ip route add 192.168.178.0/24 dev eth0 table 51820
PostUp = iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg-rhome -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg-rhome -j MASQUERADE
PostUp = iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT

PostDown = ip route del 192.168.178.0/24 dev eth0 table 51820
PostDown = iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg-rhome -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg-rhome -j MASQUERADE
PostDown = ip rule del iif lo priority 100 table main

[Peer]
PublicKey = 
PresharedKey = 
Endpoint = 
AllowedIPs = 0.0.0.0/0

With vpn client on the dietpi on:

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 rule
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.178.42/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.11.216.1/24 scope global wg0
       valid_lft forever preferred_lft forever
5: wg-rhome: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.59.244.2/24 scope global wg-rhome
       valid_lft forever preferred_lft forever
default dev wg-rhome table 51820 scope link
192.168.178.0/24 dev eth0 table 51820 scope link
default via 192.168.178.1 dev eth0 onlink
10.11.216.0/24 dev wg0 proto kernel scope link src 10.11.216.1
10.59.244.0/24 dev wg-rhome proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.11.216.1 dev wg0 table local proto kernel scope host src 10.11.216.1
broadcast 10.11.216.255 dev wg0 table local proto kernel scope link src 10.11.216.1
local 10.59.244.2 dev wg-rhome table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg-rhome table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42
0:      from all lookup local
98:     from all lookup main suppress_prefixlength 0
99:     not from all fwmark 0xca6c lookup 51820
100:    from all iif lo lookup main
32766:  from all lookup main
32767:  from all lookup default
root@DietPi:~# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Feb 26 07:54:55 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg-rhome" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg-rhome" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Wed Feb 26 07:54:55 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Feb 26 07:54:55 2025
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.59.244.2/32 ! -i wg-rhome -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg-rhome" -j DROP
COMMIT
# Completed on Wed Feb 26 07:54:55 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Feb 26 07:54:55 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.178.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg-rhome -j ACCEPT
COMMIT
# Completed on Wed Feb 26 07:54:55 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Feb 26 07:54:55 2025
*nat
:PREROUTING ACCEPT [25:3676]
:INPUT ACCEPT [25:3676]
:OUTPUT ACCEPT [158:13446]
:POSTROUTING ACCEPT [135:11168]
-A POSTROUTING -s 10.11.216.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wg-rhome -j MASQUERADE
COMMIT
# Completed on Wed Feb 26 07:54:55 2025

Aha, I see. Make this change and reboot.

PostUp = ip rule add iif lo priority 100 table main

Hi!

We’re mostly there, with client vpn on:

  • the dietpi shows my isp
  • the devices using the dietpi as gateway show the vpn isp
  • the devices using the dietpi as vpn server show the client vpn isp and not mine, this is wrong

Add also these and restart:

PostUp = ip rule add from 10.11.216.0/24 priority 101 table main
PostDown = ip rule del from 10.11.216.0/24 priority 101 table main
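To see why the PreUp placement failed and the PostUp placement plus the priority-101 rule works, here is an added example (not from the thread or from wg-quick) that replays both rule orderings over a small model of Linux policy routing. The tables and the PreUp priorities (98/99/100) are taken from the dumps above; the PostUp priorities (100/101 ahead of wg-quick's 32764/32765) are inferred from the first dump, and the three packets are constructed.

```python
import ipaddress

# Added example (not from the thread): a small model of Linux policy routing
# that replays the rule sets in the thread. Tables hold (prefix, dev); a rule
# is (priority, selector, table, suppress_prefixlength). 0xca6c is the fwmark
# wg-quick puts on wg-rhome's own encapsulated UDP; 51820 is its route table.
TABLES = {
    "main":  [("0.0.0.0/0", "eth0"), ("10.11.216.0/24", "wg0"),
              ("10.59.244.0/24", "wg-rhome"), ("192.168.178.0/24", "eth0")],
    "51820": [("0.0.0.0/0", "wg-rhome"), ("192.168.178.0/24", "eth0")],
}

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, dev) or None."""
    hits = [(ipaddress.ip_network(p).prefixlen, dev) for p, dev in TABLES[table]
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits) if hits else None

def route(rules, pkt):
    """Walk rules by priority; a suppressed or empty lookup falls through."""
    for _prio, selector, table, suppress in sorted(rules, key=lambda r: r[0]):
        if not selector(pkt):
            continue
        hit = lookup(table, pkt["dst"])
        if hit is None or (suppress is not None and hit[0] <= suppress):
            continue  # suppress_prefixlength 0 hides main's default route
        return hit[1]
    return None
always = lambda p: True
no_wg_mark = lambda p: p.get("fwmark") != 0xca6c          # "not fwmark 0xca6c"
local = lambda p: p["iif"] == "lo"                        # "iif lo"
from_pivpn = lambda p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network("10.11.216.0/24")
# PreUp placement (the thread's second dump): wg-quick's own rules were added
# after rule 100 and got 98/99, so they are consulted before it.
PREUP = [(98, always, "main", 0), (99, no_wg_mark, "51820", None),
         (100, local, "main", None), (32766, always, "main", None)]
# PostUp placement: wg-quick's rules exist first and sit at 32764/32765 (as in
# the thread's first dump), so 100/101 win. Priorities inferred, not dumped.
POSTUP = [(100, local, "main", None), (101, from_pivpn, "main", None),
          (32764, always, "main", 0), (32765, no_wg_mark, "51820", None),
          (32766, always, "main", None)]
PKTS = {  # constructed: DietPi itself, a forwarded LAN host, a forwarded PiVPN client
    "dietpi":   {"iif": "lo",   "src": "192.168.178.42", "dst": "1.1.1.1"},
    "lan_host": {"iif": "eth0", "src": "192.168.178.50", "dst": "1.1.1.1"},
    "pivpn":    {"iif": "wg0",  "src": "10.11.216.5",    "dst": "1.1.1.1"},
}
def egress(rules):
    return {name: route(rules, pkt) for name, pkt in PKTS.items()}
```

`egress(PREUP)` sends all three packets out via wg-rhome, which is the "dietpi is still under the vpn's isp" symptom; `egress(POSTUP)` keeps the DietPi and the PiVPN clients on eth0 while LAN hosts still go through wg-rhome.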

Hi

Works like a charm :heart_eyes:

Thank you so much!
