WireGuard tunnel only allows one way data transfer to internet
-
Hi all, sorry for the noob question but any help is appreciated.
I have a remote Oracle VM machine running wireguard with the following wg0.conf
What I want to accomplish is to have all my local internet requests going out via this remote Oracle VM machine.
[Interface]
PrivateKey = XXXX
Address = 10.168.13.2/24
ListenPort = 51820
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -I POSTROUTING 1 -s 10.168.13.1/24 -o ens3 -j MASQUERADE
PreUp = iptables -t nat -I POSTROUTING 1 -s 192.168.0.0/16 -o ens3 -j MASQUERADE
PreUp = iptables -I INPUT 1 -i wg0 -j ACCEPT
PreUp = iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
PreUp = iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.168.13.1/24 -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.0.0/16 -o ens3 -j MASQUERADE
PostDown = iptables -D INPUT -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = XXXX
Endpoint = pfsense.external.ip:51820

On my local side I have a pfSense machine with WireGuard set up as follows:
[Interface]
PrivateKey = XXXXXX
ListenPort = 51820

[Peer]
PublicKey = XXXX
AllowedIPs = 10.168.13.2/32,0.0.0.0/0
PersistentKeepalive = 15

The tunnel is established.
This wireguard tunnel is assigned to a 10.16.13.1/24 interface.
This interface was assigned to a gateway with IP address 10.168.13.2. I also have an outbound NAT mapping rule (Hybrid Outbound NAT rule generation) on this VPN interface, with any source/destination and the NAT address set to this interface's address.
On pfSense I created another interface, 192.168.16.1/24, and I have a default rule to allow all IPv4 traffic from any source to any destination via the gateway I created from the WireGuard VPN. I need all data from this interface to go through the VPN.
When I connect a VM to this interface (192.168.16.100) I get connection to internet from remote wireguard.
I can download files ok but can't upload.
If I run a speed test, the download test is fine but the upload test shows 0/0.
Something is blocking my upload. Maybe an iptables or routing issue?
Am I missing something?
Kind regards
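Before chasing routing on a setup like the one above, it is worth linting the wg-quick file itself for the slips that leave a tunnel up but traffic broken. The checker below is an added example, not code from the original post, from pfSense or from the WireGuard project. It parses a wg-quick style config, flags key names that are mis-cased (wg-quick matches keys case-sensitively and passes anything it does not recognise to `wg setconf`, which rejects it), pairs every PreUp/PostUp iptables rule with a matching PreDown/PostDown delete, and reports a [Peer] with no AllowedIPs, since WireGuard's cryptokey routing drops every packet from such a peer. The embedded sample config is constructed for the demonstration: its keys and endpoint are placeholders, and its mis-cased `PreUP` / `PostDOwn` and missing AllowedIPs are deliberate so the linter has something to report.

```python
"""Lint a wg-quick style config for structural slips that commonly leave a
tunnel up but traffic broken (added example; not the project's own tooling)."""

# Keys wg-quick / wg(8) accept in each section, in their canonical spelling.
CANONICAL_KEYS = {
    "interface": ("PrivateKey", "ListenPort", "FwMark", "Address", "DNS", "MTU",
                  "Table", "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig"),
    "peer": ("PublicKey", "PresharedKey", "AllowedIPs", "Endpoint",
             "PersistentKeepalive"),
}


def parse_wg_config(text):
    """Return [(section_name, [(key, value), ...])], keeping order and repeats."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment, as in wg-quick
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), []))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[-1][1].append((key, value))
    return sections


def rule_signature(cmd):
    """Reduce an iptables command to (table, chain, match args) so an -I/-A
    rule and its -D counterpart compare equal whatever the rule position."""
    tokens = cmd.split()
    if not tokens or tokens[0] != "iptables":
        return None                               # e.g. a sysctl line: not a rule
    table, chain, rest, i = "filter", None, [], 1
    while i < len(tokens):
        if tokens[i] == "-t":
            table, i = tokens[i + 1], i + 2
        elif tokens[i] in ("-I", "-A", "-D"):
            chain, i = tokens[i + 1], i + 2
            if i < len(tokens) and tokens[i].isdigit():   # optional rule number after -I
                i += 1
        else:
            rest.append(tokens[i])
            i += 1
    return (table, chain, tuple(rest))


def lint_wg_config(text):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    for name, entries in parse_wg_config(text):
        kind = name.lower()
        if kind not in CANONICAL_KEYS:
            findings.append(f"unknown section [{name}]")
            continue
        canon = {k.lower(): k for k in CANONICAL_KEYS[kind]}
        seen, ups, downs = set(), [], []
        for key, value in entries:
            proper = canon.get(key.lower())
            if proper is None:
                findings.append(f"[{name}] unknown key {key!r}")
                continue
            if key != proper:
                findings.append(f"[{name}] key {key!r} is mis-cased; wg-quick expects {proper!r}")
            seen.add(proper)        # count the rule anyway so the pairing check still runs
            if proper in ("PreUp", "PostUp"):
                ups.append(value)
            elif proper in ("PreDown", "PostDown"):
                downs.append(value)
        if kind == "peer" and "AllowedIPs" not in seen:
            findings.append(f"[{name}] has no AllowedIPs; WireGuard will drop all traffic from it")
        up_sigs = {rule_signature(c): c for c in ups if rule_signature(c)}
        down_sigs = {rule_signature(c): c for c in downs if rule_signature(c)}
        for sig, cmd in up_sigs.items():
            if sig not in down_sigs:
                findings.append(f"[{name}] no *Down rule removes: {cmd}")
        for sig, cmd in down_sigs.items():
            if sig not in up_sigs:
                findings.append(f"[{name}] *Down rule deletes a rule nothing added: {cmd}")
    return findings


# Constructed sample modelled on the shape of a wg-quick server config. Keys and
# endpoint are placeholders; the mis-cased PreUP / PostDOwn and the missing
# AllowedIPs are deliberate so the linter has something to report.
SAMPLE_CONF = """\
[Interface]
PrivateKey = XXXX
Address = 10.168.13.2/24
ListenPort = 51820
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -I POSTROUTING 1 -s 10.168.13.0/24 -o ens3 -j MASQUERADE
PreUp = iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
PreUP = iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.168.13.0/24 -o ens3 -j MASQUERADE
PostDOwn = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = XXXX
Endpoint = pfsense.example.invalid:51820
"""

if __name__ == "__main__":
    for finding in lint_wg_config(SAMPLE_CONF):
        print(finding)
```

Run it against a real file with `lint_wg_config(open("/etc/wireguard/wg0.conf").read())`; an empty list means the keys, the up/down rule pairing and the peer's AllowedIPs are all consistent, which rules those out before moving on to iperf or packet captures.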
-
Hmm, well obviously it's not blocking it completely since you are able to establish outbound connections. It's not a routing issue. Some sort of outbound rate limiting in Oracle Cloud maybe?
Steve
-
@stephenw10 said in WireGuard tunnel only allows one way data transfer to internet:
Hmm, well obviously it's not blocking it completely since you are able to establish outbound connections. It's not a routing issue. Some sort of outbound rate limiting in Oracle Cloud maybe?
Thanks for the reply.
I think not. If I set up an OpenVPN server on this same machine, the connection goes both ways perfectly.
-
Also, if I run a speedtest on this remote machine I get Upload and Download ok! But if I do it remotely via Wireguard VPN tunnel I get only download and upload fails.
-
Try running an iperf test instead. That should give you actual numbers for the upload rather than just a fail. You can also try initiating the connection both ways to check for a firewall rule issue.
Steve
-
@gelcom I was just researching Wireguard and had just finished Tom Lawrence's tutorial on it. He's got 3 firewall rules (Firewall > Rules > Wireguard, Firewall > Rules > WAN and Firewall > NAT > Outbound) and you only mention 2 (that I can see). In case it helps, here's where he starts talking about the rules:
https://youtu.be/8jQ5UE_7xds?t=365