I'm not sure if this is a general routing question or more to do with Wireguard or EasyTether but I think it's general routing.

I have a Raspberry Pi 4 to enable an Android phone to act as the WAN port on a NAT router.

The Pi runs EasyTether via USB to the phone. This is working. It provides a tun-easytether interface on 192.168.117.0/31. The phone is 192.168.117.1.

I have defined a gateway resulting in the following:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.117.1   0.0.0.0         UG    0      0        0 tun-easytether
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0

eth0 is the Ethernet port at 192.168.115.1 which is connected to the router's WAN. The router WAN has a static IP of 192.168.115.2.

That works nicely. I can browse the web from my laptop connected to the LAN side of the router.

Now I'm trying to introduce Wireguard. I have Wireguard installed on a droplet at Digital Ocean and on the Pi. The server is at 192.168.118.1 and the Pi is 192.168.118.2.

I have changed the default route and set up one for the VPN, resulting in the following:

0.0.0.0         192.168.118.2   0.0.0.0         UG    0      0        0 wg0
68.x.x.x        192.168.117.1   255.255.255.255 UGH   0      0        0 tun-easytether
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0

68.x.x.x is the public address of the server. That pretty much works because I can ping 192.168.118.1 and 8.8.8.8 from the command line on the Pi. A traceroute to 8.8.8.8 shows it going through Digital Ocean. That all looks great except that I can no longer get to the outside world from my laptop on the LAN side of the router. A traceroute stops at 192.168.115.1, i.e., eth0 on the Pi.

The Pi seems to be not forwarding traffic coming into 192.168.115.1. I've reverted to the original non-VPN config several times to make sure that still works. net.ipv4.ip_forward=1 is set in sysctl.conf on the Pi.

I feel like I'm close but just missing something. I could give the Wireguard setup etc but it doesn't seem relevant because that appears to be working.

Thanks for any help.

Edit: On further digging, I think I might be wrong about this not being a Wireguard issue. It looks like a duplicate of https://serverfault.com/questions/1014577/howto-configure-wireguard-on-linux-router-to-route-all-traffic-from-lan-to-remot

1 Answer

Solved! This is what it needs to forward traffic between eth0 and wg0.

iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

It doesn't seem to need a gateway setting. This is now my routing table.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
68.x.x.x        192.168.117.1   255.255.255.255 UGH   0      0        0 tun-easytether

I deleted my previous answer of putting eth0 on the same network as wg0. That was a hack.
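An added example, not code from the question or the answer above: the answer's three iptables rules as an idempotent POSIX sh script, plus the ip_forward setting the question mentions. The DROP policy on FORWARD and the DRY_RUN switch are my assumptions, not something the post describes; the DROP policy is what makes the RELATED,ESTABLISHED rule actually restrict what comes back in from the tunnel, since with the default ACCEPT policy every unmatched packet is forwarded anyway.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names follow the
# answer: eth0 faces the router's WAN, wg0 is the WireGuard tunnel.
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append a rule only if an identical one is not already present (-C checks),
# so re-running the script does not stack duplicate rules.
ensure_rule() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

apply_vpn_forwarding() {
    lan_if="$1"   # LAN-facing interface (eth0 in the post)
    vpn_if="$2"   # WireGuard interface (wg0 in the post)

    # Without forwarding enabled no FORWARD rule is ever consulted.
    run sysctl -w net.ipv4.ip_forward=1

    # Assumption added here: deny forwarding by default so only the two
    # directions allowed below are ever passed between eth0 and wg0.
    run iptables -P FORWARD DROP

    # LAN -> tunnel: new and existing connections.
    ensure_rule filter FORWARD -i "$lan_if" -o "$vpn_if" -j ACCEPT
    # tunnel -> LAN: only replies to connections the LAN side opened.
    ensure_rule filter FORWARD -i "$vpn_if" -o "$lan_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Hide LAN addresses behind the Pi's tunnel address on the way out.
    ensure_rule nat POSTROUTING -o "$vpn_if" -j MASQUERADE
}

# Usage: sudo sh forward.sh apply [lan_if] [vpn_if]
if [ "${1:-}" = "apply" ]; then
    apply_vpn_forwarding "${2:-eth0}" "${3:-wg0}"
fi
```

The missing default route is not an oversight: with AllowedIPs = 0.0.0.0/0, wg-quick installs its own policy-routing rules and a separate table for the tunnel, so the main table shown in the answer does not need a gateway entry.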
