Hello all.
I think I’m missing something super basic/important/stupid about the wireguard configuration.
The first question is going to be in general terms, as I’m looking for a blatant misunderstanding on my part.
I’ve three nodes with wireguard installed:
vps with public ip address, 10.0.0.1
laptop on a private LAN, 10.0.0.2
mikrotik router (it’s a lte router), 10.0.0.3
the allowed ips are 10.0.0.0/24
The three wireguard endpoints can ping each other. I can successfully ssh from/to the vps and the laptop. I’ve also managed to connect my phone to this small subnet.
I can ping the mikrotik router of course.
In this configuration, the router and the laptop point to the vps.
Now, what I think should be super easy: I want to port forward port 22 on the mikrotik wireguard interface (addr 10.0.0.3) to an internal service, say 192.168.0.1.
The first thing that feels strange is that I can ping, but I’m not able to see any other type of traffic on the wireguard interface (using torch).
I tried to add the most permissive firewall rules, but there are no life signs.
So the question is: Can I actually add this port forward from the wireguard interface to a host in my LAN, or is there something fundamentally wrong in this idea? I’ve been reading that wireguard is a layer 3 protocol, so this might be a reason.
And if not, how can I simply accomplish this little task?
Basically from my laptop I want to ssh 10.0.0.3 to a host behind the router. And that’s it.
If this is possible, I’m going to find a way. I’m stubborn.
You likely need to modify your firewall rules to allow the traffic from the Wireguard interface beyond ICMP. That can either be done by separate rules, or by adding your wireguard interface to the LAN group with something like:
Port forwarding is not recommended unless you also enable masquerade to outgoing traffic on the Wireguard interface, but I would recommend against it. You should rather be adding routes on each of your routers to inform the router about the remote subnets available through the Wireguard tunnel(s).
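As an added illustration of this reply (not part of the thread and not anyone's exported config), here is what the two options look like in RouterOS v7 CLI. It assumes the WireGuard interface is named wireguard1, the interface list LAN from the default firewall exists, and the LAN host is 192.168.0.1 as in the question. The default RouterOS firewall accepts ICMP in the input chain and then drops anything not arriving from the LAN list, which is exactly the "ping works, nothing else does" symptom described above.

```routeros
# Added example, not the poster's config. Assumed names: interface wireguard1,
# interface list LAN (from the default firewall), LAN host 192.168.0.1.

# 1. Treat the tunnel like a LAN port. This is the "add the interface to the LAN group"
#    approach: the defconf input rule "drop all not coming from LAN" and the forward
#    rules then apply to wireguard1 exactly as they do to the bridge.
/interface/list/member/add list=LAN interface=wireguard1 comment="tunnel peers count as LAN"

# 2. Or, instead of the list, explicit rules. They must sit above the defconf drop
#    rules, so check the order with /ip/firewall/filter/print and move them if needed.
/ip/firewall/filter/add chain=input action=accept in-interface=wireguard1 comment="tunnel peers may reach the router itself"
/ip/firewall/filter/add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN comment="tunnel peers may open connections into the LAN"

# 3. The port forward asked about: TCP 10.0.0.3:22 -> 192.168.0.1:22.
#    Caveats: this takes over port 22 on the tunnel address, so SSH to the router
#    itself over the tunnel stops working (use another dst-port if you need both), and
#    replies from 192.168.0.1 must return through this router (its default gateway),
#    otherwise they never get un-NATed and the connection never completes.
/ip/firewall/nat/add chain=dstnat action=dst-nat in-interface=wireguard1 dst-address=10.0.0.3 protocol=tcp dst-port=22 to-addresses=192.168.0.1 to-ports=22 comment="SSH on tunnel address -> LAN host"

# 4. Only if the LAN host routes replies elsewhere: a masquerade on the LAN side.
#    It hides the real client address from the LAN host (its logs then show the
#    router, not 10.0.0.2), which is one reason the reply advises against it.
/ip/firewall/nat/add chain=srcnat action=masquerade out-interface-list=LAN dst-address=192.168.0.1 protocol=tcp dst-port=22 comment="optional, only when 192.168.0.1 uses a different gateway"
```

Step 1 alone is enough to make torch show more than ICMP; steps 3 and 4 are there to show what the port-forward variant costs, not as a recommendation.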
So, there is nothing fundamentally wrong at the conceptual level in the idea of forwarding a port from a wireguard ip to another host. It’s just a matter of finding the way to do it. I’ll try to add the wireguard interface to the LAN group.
I’ll probably have more technical questions later (and I’ll post a pic + config + everything). This was really to understand if I was trying to do something silly and/or not possible.
Do not understand.
If wireguard permits direct access to the LAN, remote warrior, via VPS wireguard to home router, why do you need port forward?
By the way, BTH VPN by mikrotik provides a cloud relay such that you can ditch your VPS. Keep in mind it’s meant for incoming, so it does not serve as an alternate outbound internet connection from home router subnets.
What I tried to say is that it is technically possible while I would not encourage it. Port forwarding is meant to make resources behind NAT available, and NAT is intended as a workaround when facing IP address shortage, as is the case with public IP addresses. In your case I would expect that you are using private IP addresses, and have plenty of them, so I would encourage that you plan your networks to have non-overlapping subnets, and use the host address rather than port forwarding. This will provide many advantages.
From a security perspective NAT adds little to nothing, and you will still be able to control access through the firewall.
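As an added example for this reply (not from the thread), the route-based layout it recommends, on the LTE router in RouterOS v7 CLI, with the changes the Linux peers need described after the block. Assumed: interface wireguard1, the VPS peer carries the comment "vps", the home LAN is 192.168.0.0/24 and does not overlap any subnet at the laptop's site, and the host of interest is 192.168.0.1.

```routeros
# Added example, not the poster's config. Assumed: wireguard1, the VPS peer carries
# comment "vps", LAN is 192.168.0.0/24 and does not overlap any remote subnet.

# The router already owns 192.168.0.0/24, so no route is needed here. It only has to
# accept traffic for the whole tunnel /24 from the VPS peer (WireGuard cryptokey
# routing) so the laptop's packets are let in and replies to 10.0.0.2 go back the same way.
/interface/wireguard/peers/set [find comment="vps"] allowed-address=10.0.0.0/24

# The connected route from the 10.0.0.3/24 address on wireguard1 is what carries
# replies to 10.0.0.x; confirm it exists before touching the firewall.
/ip/route/print where dst-address="10.0.0.0/24"

# No NAT at all: the LAN host sees the laptop as 10.0.0.2, so its own logs and its own
# host firewall can tell tunnel clients apart. Access is controlled in the forward
# chain, here narrowed to SSH on the one host. Place both rules after the defconf
# "accept established,related" rule and before the defconf drops.
/ip/firewall/filter/add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.0.1 protocol=tcp dst-port=22 comment="tunnel -> LAN: SSH to 192.168.0.1 only"
/ip/firewall/filter/add chain=forward action=drop in-interface=wireguard1 out-interface-list=LAN comment="tunnel -> LAN: drop everything else"

# If you also want SSH to the router itself (10.0.0.3) from the tunnel, the input chain
# still needs the interface in the LAN list; it is not required for the routed access.
/interface/list/member/add list=LAN interface=wireguard1 comment="tunnel peers count as LAN"
```

On the Linux side the matching change is in the peer entries: on the VPS, the router's peer gets AllowedIPs 10.0.0.3/32, 192.168.0.0/24 and net.ipv4.ip_forward is enabled so the VPS relays between laptop and router; on the laptop, the VPS peer's AllowedIPs becomes 10.0.0.0/24, 192.168.0.0/24 so the LAN is routed into the tunnel. After that, ssh to 192.168.0.1 from the laptop works directly, and the only thing deciding who may reach what is the forward chain above.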