Nyr / wireguard-install

WireGuard road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora

WireGuard does not work after installing CWP.

ItsAdventureTime opened this issue · comments

Hello,

It's me again. I asked for help and it seems that CWP disabled firewalld and installs CSF firewall.
Someone from the community forum helped me with the following code. However, it did nothing to allow WireGuard to work.

Here is the code:

# Pick the server's IPv4 / IPv6 address (dots escaped so they match literally)
ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)

# NAT the tunnel subnet, open the listen port, allow forwarding
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Same for IPv6, only if the server has an IPv6 address
if [[ -n "$ip6" ]]; then
    /usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
    /usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
    /usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi

Please help me!

Thank you.

commented

I am not familiar with CSF, but the following are indeed relevant rules for OpenVPN:

/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

If your server has IPv6, the following are also required:

/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

You need to replace the words starting with $. For example, $ip should be your public IPv4 address, and $port the port you selected during setup.

As I said, I am not familiar with CSF, but a tiny bit of research indicates that you can likely add the commands above to /etc/csf/csfpost.sh and then restart CSF with csf -r.

Anyway, you need to understand that this is not a support forum but an issue tracker to manage issues and feature improvements. I cannot provide personal support to every user of the project. Please do not open a third issue on this matter; you could reply to this one and maybe someone can help you further, but there are usually better places to use for help.

Still, I hope this helps.
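
A read-only check for the four IPv4 rules listed in the comment above, added here as an example and not part of the thread or the installer: it reads `iptables-save` output and names any rule that is missing, for instance after `csf -r`. The port default 51820, the sample dump, the function names and the assumed `iptables-save` line format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list which of the thread's four IPv4
# rules are absent from `iptables-save` output read on stdin. Read-only.

WG_NET="10.7.0.0/24"          # tunnel subnet used in the thread's rules
WG_PORT="${WG_PORT:-51820}"   # assumption: the UDP port chosen during setup

# _wg_check LABEL REGEX: record LABEL as missing if no dump line matches.
_wg_check() {
    if ! printf '%s\n' "$_wg_dump" | grep -Eq -e "$2"; then
        echo "missing: $1"
        _wg_missing=1
    fi
}

# Prints one line per missing rule; returns 0 only when all four are present.
missing_wg_rules() {
    _wg_dump=$(cat)
    _wg_missing=0
    _wg_net=$(printf '%s' "$WG_NET" | sed 's/\./\\./g')  # escape regex dots
    _wg_check "nat SNAT for $WG_NET" \
        "^-A POSTROUTING -s $_wg_net ! -d $_wg_net .*-j SNAT --to-source "
    _wg_check "INPUT udp/$WG_PORT" \
        "^-A INPUT .*-p udp .*--dport $WG_PORT .*-j ACCEPT"
    _wg_check "FORWARD from $WG_NET" \
        "^-A FORWARD -s $_wg_net .*-j ACCEPT"
    _wg_check "FORWARD RELATED,ESTABLISHED" \
        "^-A FORWARD .*--(ct)?state RELATED,ESTABLISHED .*-j ACCEPT"
    return "$_wg_missing"
}

# Constructed sample (203.0.113.10 is a documentation address); the
# "FORWARD -s 10.7.0.0/24" rule is left out on purpose.
sample_dump() {
    cat <<'EOF'
*nat
-A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_dump | missing_wg_rules || true   # prints: missing: FORWARD from 10.7.0.0/24
```

On the server, source the file and run `iptables-save | missing_wg_rules` as root, with `WG_PORT` set to the port chosen during setup.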

Thank you for this. I appreciate your patience and understanding. However, you mentioned that those rules are for OpenVPN. Are they also the same thing, and do they apply in WireGuard too?

commented

Sorry, those rules above are indeed for this WireGuard installer.

I also manage a related OpenVPN installer and mixed up words.