    How to port forward to a specific host (without WG as the default route)

Molski

      So I've recently been playing around with using VPN on specific hosts, without having my default route changed. I didn't even know if this was possible, since I've only ever dealt with subnets and interfaces to handle things like this separately. But I can now have my Chromecast, for example, use the WireGuard VPN while everything else goes through the WAN default route.

      One thing I had working with WireGuard VPN was port forwarding. But doing this using host-specific policy routing, it fails. It works fine through the VPN when I have everything going through the VPN. That is, having the System > Routing > Default gateway set to the VPN. But I have a single host working through the VPN just fine, by setting up a policy-based route and an outbound NAT rule for that host. With that working (which I was surprised it even did at first), it seems really simple to just add that one extra rule to make the port forwarding work. But it does not.

      Not sure if this is WireGuard specific, since I've never tried this scenario with OpenVPN or any of the others. Or if this is a bug, or I'm just missing something, or if this is even supposed to be possible.

      I recently changed providers, just for the functionality of having up to 5 ports forwarded through the VPN. But so far, I'm pleasantly surprised how well the experimental WireGuard package is working!

      Using: Netgate SG-1100
      22.05-RELEASE (arm64)
      WireGuard 0.1.6_2
      wireguard-tools-1.0.20210914_1
      wireguard-kmod-0.0.20211105_1

      Bob.Dig @Molski

        @molski Port Forwards work like they do on WAN, if you haven't made any mistakes.

        Molski @Bob.Dig

          @bob-dig WAN port forwarding works fine. So does through the VPN when I have the default gateway set to it.

          But when that specific host routes and works fine, and I try to forward to it... it does not work.

          pf-nat.png

          Bob.Dig @Molski

            @molski You need a firewall rule for that too, at least there is none linked to that NAT Rule directly.

            Molski @Bob.Dig

              @bob-dig This rule is what implements the policy-based route to even make it work through the VPN in the first place. That works fine.

              pf-rules.png

              Bob.Dig @Molski

                @molski Delete everything there! You should treat it like WAN; there shouldn't be anything other than the port you opened.

                Bob.Dig @Molski

                  @molski I also set the Interface Group Membership to none in VPN-WireGuard-Setting.

                  Molski @Bob.Dig

                    @bob-dig said in How to port forward to a specific host (without WG as the default route):

                    I also set the Interface Group Membership to none in VPN-WireGuard-Setting.

                    I tried that first, and had that working fairly quickly when I was routing my entire LAN through the VPN. It was only when I was experimenting with routing certain hosts that I could not get it to work at all that way.

                    I was watching Christian McDonald's YouTube videos, which gave me other ideas to try. (I believe he is the main developer of the WG package, and he then got hired by Netgate.) He creates an interface group for the VPN gateways (for failover purposes). But I thought I'd try that for a single VPN gateway, and surprisingly, it worked! But not until I assigned it to an interface.

                    @bob-dig said in How to port forward to a specific host (without WG as the default route):

                    Delete everything there! You should treat it like WAN, there shouldn't be anything other then the port you opened.

                    Actually, thinking back, those rules don't change anything. That's just leftovers of me trying a hundred or so combinations of things.

                    Bob.Dig @Molski

                      @molski said in How to port forward to a specific host (without WG as the default route):

                      Actually, thinking back, those rules don't change anything. That's just leftovers of me trying a hundred or so combinations of things.

                      Yup, the only thing there should be is the one port you'd like to forward. So just activate it in the NAT rule and it will be there.

                      Molski @Bob.Dig

                        That was the first thing I tried. Even redoing it so it makes that exact same rule, but with the gateway as "*". It still gets the same result:

                        $ curl https://ipv4.am.i.mullvad.net/port/57995
                        {"ip":"XX.XX.XX.XX","port":57995,"reachable":false}

                        Edit: This all works in the normal use case of routing the entire LAN. (And yes the port is open and can connect through the VPN).

                        Bob.Dig @Molski

                          @molski said in How to port forward to a specific host (without WG as the default route):

                          Edit: This all works in the normal use case of routing the entire LAN. (And yes the port is open and can connect through the VPN).

                          I don't think this is the normal use case to route everything through the VPN.
                          Show the VPN Interface again, this time with only one rule and no gateway set in there.
                          Also show the outbound NAT Rules.

                          Molski @Bob.Dig

                            @bob-dig said in How to port forward to a specific host (without WG as the default route):

                            I don't think this is the normal use case to route everything through the VPN.

                            That was a bad way to phrase it. I've done a lot with VPNs and even some pfSense through work, and tying networks together and whatnot. But I've never singled out specific hosts on a subnet, and treated them differently (routing-wise anyway). I was meaning this was not a common scenario (or secure), at least in my experience.

                            @bob-dig said in How to port forward to a specific host (without WG as the default route):

                            Show the VPN Interface again, this time with only one rule and no gateway set in there.
                            Also show the outbound NAT Rules.

                            I could not get this working at all until I set the gateway there. For my VPN interface I had to put this:

                            pf-tmp.png

                            Setting that gateway and this NAT rule made everything work for a specific host. Both were needed.

                            pf-tmp2.png

                            That host uses the VPN, and everything else doesn't. It's great! Just the port forwarding doesn't.

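As an added illustration that is not from the thread and not pfSense's own generated ruleset, here is what the setup described in the post above amounts to when written as hand-written pf rules: one LAN host policy-routed into the tunnel, outbound NAT on the tunnel for that host only, and a port forward on the tunnel interface whose pass rule carries reply-to so the return packets leave via the tunnel gateway instead of the WAN default route (the missing piece when the forwarded port tests as unreachable). The interface names, addresses and the host are constructed assumptions; only the port number comes from the thread.

```pf
# Constructed example: pf rules equivalent to the GUI setup discussed in the thread.
# Interface names and addresses are assumptions, not values from the original posts.
wan_if   = "em0"
lan_if   = "em1"
wg_if    = "tun_wg0"          # WireGuard tunnel interface (assumed name)
lan_net  = "192.168.1.0/24"
vpn_host = "192.168.1.50"     # the single LAN host that should use the VPN
wg_gw    = "10.64.0.1"        # peer-side tunnel address used as the VPN gateway
fwd_port = "57995"            # port the VPN provider forwards to the tunnel address

# Outbound NAT: only the VPN host is translated to the tunnel address when leaving
# via the tunnel; everything else keeps using the WAN default route untouched.
nat on $wg_if from $vpn_host to any -> ($wg_if)

# Port forward: traffic arriving on the tunnel for the forwarded port is redirected
# to the host. In pf the rdr translation happens before filtering, so the matching
# pass rule below has to match the post-translation destination ($vpn_host).
rdr on $wg_if proto tcp from any to ($wg_if) port $fwd_port -> $vpn_host port $fwd_port

# Treat the tunnel like WAN: nothing comes in unless a rule below allows it.
block in on $wg_if

# Policy route (the LAN rule with the WG gateway selected): this host's traffic to
# anywhere except the LAN is pushed into the tunnel instead of following the default route.
pass in quick on $lan_if route-to ($wg_if $wg_gw) inet from $vpn_host to ! $lan_net keep state

# Pass rule linked to the port forward. reply-to pins the reply direction of the state to
# the tunnel gateway; without it the host's replies follow the WAN default route and the
# provider's reachability check reports "reachable": false even though the forward exists.
pass in quick on $wg_if reply-to ($wg_if $wg_gw) inet proto tcp from any to $vpn_host port $fwd_port keep state
```

In the pfSense GUI the reply-to is added automatically only when the tunnel interface has a gateway assigned, which matches the observation above that the forward only started to work once the gateway was set on the interface.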
                              Bob.Dig @Molski

                              @molski You are doing things your own way which is fine, if you know what you are doing, but I have my doubts. It looks to be more trial and error on your side.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.