I'm trying to put a middle server or a proxy between my client and the wireguard server.

I don't want to directly connect to the Wireguard endpoint from my own computer.

If the WireGuard endpoint is for example 2.2.2.2:2408, I want my client to connect to 3.3.3.3:1200 (my VPS) and then the connection gets forwarded to the destination endpoint.

wireguard client > middle server with port forwarding > destination server

Tried iptables to forward the port 1200 on my vps to wireguard server IP:PORT with no luck:

iptables -t nat -A PREROUTING -p udp --dport 1200 -j DNAT --to-destination 2.2.2.2:2408

I was told I may need to rewrite the source using SNAT to the IP of the middle server, but I'm not sure how to do that.

1 Answer

For illustration the client will have a visible public IP address of 192.0.2.2.

Why this doesn't work

If only the destination is rewritten, the packet will be routed (forwarded) towards 2.2.2.2 with the unchanged source of 192.0.2.2. This packet will be dropped beyond the VPS by any layer of routers implementing Strict Reverse Path Filtering, most probably the very first. Even if never dropped along the path, when the packet reaches 2.2.2.2, 2.2.2.2 will reply to its source: 192.0.2.2. Assuming this direct path is available, still if the packet reaches the WireGuard client's NAT/router it should not accept it because it's not the source it was expecting (2.2.2.2 instead of 3.3.3.3). Even if it really reaches the client, WireGuard will use its roaming feature and update the peer to 2.2.2.2 instead of 3.3.3.3 which defeats OP's intent of not connecting directly.


Source NAT

As OP suggested, doing a source NAT will allow the source address of the VPS to be used when forwarding to 2.2.2.2, "routing" traffic between 192.0.2.2 and 2.2.2.2 through it.

The easiest way to use SNAT/MASQUERADE (which happens as the last step in postrouting) is to check whether the packet already underwent a DNAT transformation (in prerouting), so one doesn't have to duplicate specific values in this rule:

iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j MASQUERADE

The VPS should also be configured as a router if not already done (this will be a kind of one-armed router):

sysctl -w net.ipv4.ip_forward=1

Other methods

Another, completely different method not involving NAT would be to tunnel the packets (i.e. the WireGuard envelope) between 3.3.3.3 and 2.2.2.2, but this would require being able to change the configuration on 2.2.2.2 (including routing).

Or this could also be implemented (for simplicity) with two separate WireGuard tunnels (where only data is tunneled, not envelope): one between 192.0.2.2 and 3.3.3.3 and one between 3.3.3.3 and 2.2.2.2. This still depends on OP's use case and/or what configuration can be done on 2.2.2.2.
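The full relay setup the answer describes (ip_forward, the DNAT rule, the conntrack-scoped MASQUERADE, and FORWARD rules for a firewall with a DROP policy), as an added example that is not part of the original answer. It keeps the illustrative values 1200 and 2.2.2.2:2408; the interface name eth0, the environment variable names and the functions relay_rules/apply_rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): DNAT + conntrack-scoped
# MASQUERADE relay for a WireGuard endpoint, as described in the answer.
# Hypothetical values: the VPS listens on UDP 1200 on its public interface
# eth0 and relays to the WireGuard endpoint 2.2.2.2:2408.
set -eu

LISTEN_PORT="${LISTEN_PORT:-1200}"
WG_HOST="${WG_HOST:-2.2.2.2}"
WG_PORT="${WG_PORT:-2408}"
WAN_IF="${WAN_IF:-eth0}"   # one-armed router: same interface in and out

# Print the commands one per line instead of running them, so the rule set
# can be reviewed (and tested) without root.
relay_rules() {
    # The VPS must forward packets that are not addressed to itself.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # 1) Rewrite the destination in PREROUTING (the asker's original rule,
    #    restricted to the public interface).
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$LISTEN_PORT" "$WG_HOST" "$WG_PORT"
    # 2) Rewrite the source in POSTROUTING only for flows conntrack has
    #    already DNATed, so 2.2.2.2 sees the VPS address and replies to it.
    printf 'iptables -t nat -A POSTROUTING -o %s -m conntrack --ctstate DNAT -j MASQUERADE\n' \
        "$WAN_IF"
    # 3) Let the relayed UDP flow pass the FORWARD chain in both directions
    #    (needed when the FORWARD policy is DROP).
    printf 'iptables -A FORWARD -i %s -o %s -p udp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$WAN_IF" "$WAN_IF" "$WG_HOST" "$WG_PORT"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Run each command, echoing it first; requires root on the VPS.
apply_rules() {
    relay_rules | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd"
    done
}

if [ "${1:-print}" = apply ]; then
    apply_rules
else
    relay_rules
fi
```

Run without arguments to review the rules, or with `apply` as root to install them; after a client handshake, `conntrack -L -p udp --dport 2408` should show the flow with the VPS address as the rewritten source.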
