@trendy @Joulinar
I have tried to open up these ports with the iptables I mentioned before, but connection is still refused when connected to VPN.
Since you are using the nfs client you need to reverse the flows.
PostUp = iptables -I OUTPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 111,892,2049 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -I OUTPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 111,892,2049 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -I INPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 111,892,2049 -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -I INPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 111,892,2049 -m state --state ESTABLISHED -j ACCEPT
Also the sequence matters, so you need them before the rule which allows traffic only on the WG interface.
Ah, thanks!
Why before the rule which only allows WG traffic? Doesn’t the WG iptables rule overrule this?
Anyway, it didn’t solve the issue, but I learned something new.
These ports are used when the VPN is down.
root@DietPi:~# rpcinfo -p 192.168.1.101
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 39904 nlockmgr
100021 3 udp 39904 nlockmgr
100021 4 udp 39904 nlockmgr
100021 1 tcp 39607 nlockmgr
100021 3 tcp 39607 nlockmgr
100021 4 tcp 39607 nlockmgr
100024 1 udp 33760 status
100024 1 tcp 33798 status
nlockmgr and status use variable ports. Do I need to hard strap them in DietPi?
I have read something about hard strapping here: Firewalling a Linux NFS server with iptables -- Prefetch Technologies
If so, where can I find the config file in DietPi?
iptables rules are scanned from top to bottom. First rule which matches is applied and scanning stops.
The tutorial is describing the process on the server part. You are trying to connect from the client side. If you cannot hardcode these ports on the NAS, then it would save you some time to allow all traffic to the IP of the NAS instead of opening specific ports.
Yes, maybe that’s easier.
I removed the ports, but that doesn’t work…
PostUp = iptables -I INPUT 1 -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
PostUp = iptables -I OUTPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -I OUTPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -I INPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -I INPUT 1 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -I OUTPUT 1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I OUTPUT 2 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostUp = systemctl start transmission-daemon
PreDown = iptables -D INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT && iptables -D OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT && ipt>
PreDown = systemctl stop transmission-daemon
Otherwise it always gets the second position and everything else underneath it will never match.
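To make the ordering point concrete, here is a small Python model of an iptables chain (an added illustration, not code from this thread or from DietPi/WireGuard). It treats a chain as an ordered list, `insert(pos, rule)` mirrors `iptables -I CHAIN pos`, and a packet gets the target of the first matching rule, otherwise the chain policy. The `fwmark` and `addrtype ! --dst-type LOCAL` conditions of the REJECT rule are left out for brevity, and the interface names, addresses and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    dst: str        # destination IP
    out_iface: str  # interface the packet would leave on (eth0 / wg0)
    proto: str      # "tcp" or "udp"
    state: str      # conntrack state: NEW / ESTABLISHED / RELATED


@dataclass
class Rule:
    target: str                        # ACCEPT or REJECT
    dst_net: Optional[str] = None      # -d <cidr>
    out_iface: Optional[str] = None    # -o <iface>  (negated with negate_iface, i.e. ! -o)
    negate_iface: bool = False
    proto: Optional[str] = None        # -p tcp|udp
    states: Tuple[str, ...] = ()       # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.out_iface:
            same = pkt.out_iface == self.out_iface
            if same == self.negate_iface:   # "! -o wg0" matches only when iface differs
                return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


class Chain:
    """Rules are scanned top to bottom; the first match decides, like iptables."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules = []
        self.policy = policy

    def insert(self, pos: int, rule: Rule) -> None:
        self.rules.insert(pos - 1, rule)   # iptables positions are 1-based

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


LAN = "192.168.1.0/24"
lan_udp = Rule("ACCEPT", dst_net=LAN, proto="udp", states=("NEW", "ESTABLISHED"))
lan_tcp = Rule("ACCEPT", dst_net=LAN, proto="tcp", states=("NEW", "ESTABLISHED"))
established = Rule("ACCEPT", out_iface="eth0", states=("ESTABLISHED", "RELATED"))
kill_switch = Rule("REJECT", out_iface="wg0", negate_iface=True)   # ! -o wg0 ... -j REJECT


def build_chain(lan_rules_first: bool) -> Chain:
    """Replay the PostUp lines in two orders.

    lan_rules_first=True: the LAN rules are inserted at position 1 *before* the
    REJECT is inserted at position 2, so the REJECT lands above them and
    shadows them.  False: the LAN rules come after, so they end up on top.
    """
    chain = Chain(policy="ACCEPT")
    if lan_rules_first:
        chain.insert(1, lan_udp)
        chain.insert(1, lan_tcp)
    chain.insert(1, established)
    chain.insert(2, kill_switch)
    if not lan_rules_first:
        chain.insert(1, lan_udp)
        chain.insert(1, lan_tcp)
    return chain


def verdicts(lan_rules_first: bool) -> dict:
    """Verdicts for: a new NFS-style UDP flow to the NAS on the LAN,
    a new flow to the internet over eth0 (must stay blocked), and a new
    flow through the tunnel (must stay allowed)."""
    chain = build_chain(lan_rules_first)
    return {
        "lan_nfs": chain.verdict(Packet("192.168.1.101", "eth0", "udp", "NEW")),
        "leak_eth0": chain.verdict(Packet("203.0.113.9", "eth0", "tcp", "NEW")),
        "via_vpn": chain.verdict(Packet("203.0.113.9", "wg0", "tcp", "NEW")),
    }


if __name__ == "__main__":
    print("LAN rules before REJECT line:", verdicts(True))   # lan_nfs rejected
    print("LAN rules after REJECT line: ", verdicts(False))  # lan_nfs accepted
```

Running it shows that with the LAN rules placed before the REJECT line in the config, the NAS traffic is rejected even though the allow rules exist, while the kill switch behaviour for non-LAN traffic is identical in both orders.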
Yes, it’s fixed now! Thanks!!
I’m glad we sorted it out.