Jump to content
Not connected, Your IP: 3.133.119.247
SurchargeNavigate

ANSWERED pfsense + wireguard port forwarding confusion

Recommended Posts

Posted ... (edited)

Going crazy with this.

To start off, the qbittorrent port forward works with my ISP IP, so the issue doesn't lie within the end machine.

Glossary (redacted values):
qbittorrent machine: 10.0.0.10 (listening on 12345, I can ncat to the port from another machine on the network, ufw is open, also configured incoming connection port in the GUI and restarted the container)
wireguard interface virtual ip: 10.20.30.40
assigned AirVPN port: 12345

I created a new Wireguard tunnel and interface, assigned it the wireguard virtual IP and added a new gateway.
I have a Wireguard handshake, and doing a `curl ifconfig.me` on the qbit machine returns the vpn exit IP, as it should.

The problem lies with the port forward, I can't seem to get a connection from the web tester.

Comparing my issues to this long thread, https://forum.netgate.com/topic/86926/port-forward-over-vpn-interface/28
I think I might have the same issue, packets originating from the qbittorrent machine lan are going out the AIRVPN_WAN, so why wouldn't packets being sent TO the qbittorrent machine lan be routed back out the AIRVPN_WAN?

Here are the bottom rules in the subnet with the qbittorrent host:
Basically I want only the qbittorrent host to go through AirVPN, and everything else should use regular internet.
image.thumb.png.139af8426b2ada7a70bd973c115cae82.png

Here are the AIRVPN wireguard interface rules with the corresponding aliases (quebec is the qbittorrent machine, and the port is 23456)
image.thumb.png.6e22dd335481e4e9bd7ee8aa97a40647.png

What the hell am I missing?

Edited ... by SurchargeNavigate

Share this post


Link to post
16 hours ago, SurchargeNavigate said:

...
Basically I want only the qbittorrent host to go through AirVPN, and everything else should use regular internet.
...
What the hell am I missing?


You have not said what OS you are using.

But one of these articles may be helpful:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Windows-without-VPN-as-Default-Gateway

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

Although the first says "OpenVPN", it applies to Wireguard too. Or to any other VPN software or VPN provider.

For either Windows or Linux, you need to bind qBittorrent to the VPN network interface address. Did you do that?

EDIT: I apologize . You did say PFSense/BSD.

I have done this for BSD too. But I wrote only a cursory article about it, long after the fact:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-BSD-(or-MAC)-without-VPN-as-Default-Gateway

In general, my approach is:

1) Let the VPN software add its routing table entries, but then add more routing table entries pointing to the original default gateway, so that the VPN is bypassed by default.

2) Make arrangements for "source address routing". On BSD the "PF" firewall or the" ipfw " firewall can do this.

3) Bind qBittorrent (or other torrent client) to the VPN interface (or address).

EDIT 2:

Is qBittorrent running on pFSense? Can you do that? Or is qBittorrent running on some other machine? If you only want the VPN for qBittorrent, then I suggest you run it on the machine where qBittorrent is. Then the articles I linked will apply.
 

Share this post


Link to post
Posted ... (edited)

Qbittorrent is running on a VM behind pfsense. I am configuring a Wireguard connection from my pfsense router to AirVPN. The OS is irrelevant in this equation.

What's weird is everything seems to be working. Qbittorrent shows as connected, but the forwarded port remains closed.
image.png.ed8e39f5f8df9d7a37b4d8624c7217ca.png

Never mind, after restarting qbittorrent, it's back to firewalled...
image.png.1aa12ef2dc263065d6cb3dd6cc3dbb6e.png

To summarize:

1. VPN is working from inside the network:
image.thumb.png.8a7112bc5fac22ac4f7cc153a1755a84.png

2. In the subnet in which the qbittorrent VM resides, I made a firewall rule that routes traffic only from the qbittorrent VM to the AirVPN gateway (AirVPN_hosts is an alias for hosts that I want routed over VPN):
image.thumb.png.4958f3b4464c1206b60b7d4f3863b381.png

3. Port forward to qbittorrent, I just use the same port on qbittorrent as I was assigned on AirVPN.
image.thumb.png.c2d534db74125018d4671ad22c06e60b.png

4. Which creates the following rule automatically (on the AirVPN interface tied to wireguard):
image.thumb.png.a0b9712d639d50a98cf0a97b81fa34ad.png

5. I also added an outbound NAT mapping for all hosts that are in the same subnet as the qbittorrent VM, although only the qbittorrent VM will be routed over VPN (Shown in 2.) - Although it seems this mapping does nothing, everything seems to work the same without it.
image.thumb.png.d16ae1a2e2518bf389714266bdc60073.png

Here's a (redacted) packet capture of the AIRVPN wireguard interface with the port filter I'm trying to forward (12345):
wireguard virtual interface IP: 10.20.30.40
VPN exit IP: 50.60.70.80

16:11:02.739452 IP 10.20.30.40.1866 > 50.60.70.80.12345: UDP, length 104
16:11:03.578393 IP 10.20.30.40.56477 > 50.60.70.80.12345: tcp 0
16:11:04.579201 IP 10.20.30.40.56477 > 50.60.70.80.12345: tcp 0
16:11:05.581204 IP 10.20.30.40.48124 > 50.60.70.80.12345: tcp 0
16:11:06.595203 IP 10.20.30.40.48124 > 50.60.70.80.12345: tcp 0
16:11:06.595560 IP 10.20.30.40.56477 > 50.60.70.80.12345: tcp 0
16:11:07.583776 IP 10.20.30.40.1866 > 50.60.70.80.12345: UDP, length 20
16:11:07.584421 IP 10.20.30.40.65218 > 50.60.70.80.12345: tcp 0
16:11:08.611245 IP 10.20.30.40.65218 > 50.60.70.80.12345: tcp 0
16:11:08.611321 IP 10.20.30.40.48124 > 50.60.70.80.12345: tcp 0
16:11:10.627204 IP 10.20.30.40.65218 > 50.60.70.80.12345: tcp 0
16:11:10.851284 IP 10.20.30.40.56477 > 50.60.70.80.12345: tcp 0
16:11:11.589916 IP 10.20.30.40.1866 > 50.60.70.80.12345: UDP, length 20
16:11:12.590962 IP 10.20.30.40.28909 > 50.60.70.80.12345: tcp 0
16:11:12.643203 IP 10.20.30.40.48124 > 50.60.70.80.12345: tcp 0

Doing the same capture on WAN shows that the wireguard virtual IP is trying to go out WAN instead of the VPN exit IP, WTF, WHY?
10:40:26.882403 IP 10.20.30.40.12345 > 188.159.237.246.55708: tcp 0
10:40:34.952699 IP 10.20.30.40.12345 > 188.159.237.246.55708: tcp 0
10:40:44.174485 IP 10.20.30.40.12345 > 142.93.172.65.56518: tcp 0
10:40:45.178277 IP 10.20.30.40.12345 > 142.93.172.65.56518: tcp 0
10:40:46.184785 IP 10.20.30.40.12345 > 142.93.172.65.56518: tcp 0
10:40:47.194791 IP 10.20.30.40.12345 > 142.93.172.65.56518: tcp 0
10:40:47.216824 IP 10.20.30.40.12345 > 34.236.150.82.58444: tcp 0
10:40:48.232710 IP 10.20.30.40.12345 > 34.236.150.82.58444: tcp 0

Here's the capture on the interface within which the qbittorrent VM resides:
qbittorrent VM: 10.0.0.10
VPN exit IP: 50.60.70.80
?: 85.17.225.221 (maybe another exit IP?)

16:16:08.934998 IP 10.0.0.10.43959 > 50.60.70.80.12345: UDP, length 20
16:16:11.938915 IP 10.0.0.10.43959 > 50.60.70.80.12345: UDP, length 20
16:16:11.939241 IP 10.0.0.10.43959 > 85.17.225.221.12345: UDP, length 20
16:16:14.941980 IP 10.0.0.10.43959 > 50.60.70.80.12345: UDP, length 20
16:16:17.944860 IP 10.0.0.10.60669 > 50.60.70.80.12345: tcp 0
16:16:18.946734 IP 10.0.0.10.60669 > 50.60.70.80.12345: tcp 0
16:16:20.962945 IP 10.0.0.10.60669 > 50.60.70.80.12345: tcp 0


Yet I seem to be overlooking something...

Edited ... by SurchargeNavigate

Share this post


Link to post

Holy f**k.

The problem was an any/any rule in the Wireguard unasigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...

Hope this helps someone else as well.

Share this post


Link to post
On 11/22/2023 at 4:18 AM, SurchargeNavigate said:

Holy f**k.

The problem was an any/any rule in the Wireguard unasigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...

Hope this helps someone else as well.

This did help me.

I love you.

I hope that's not weird.

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...