Port Forwarding With IPtables for Wireguard

Setting up a WireGuard VPN on Ubuntu 20.04 was pretty easy, I followed this tutorial: How to setup your own VPN server using WireGuard on Ubuntu

The problems arose when I needed to forward port 27256 on the server to the VPN client. It took me most of a Sunday to figure out.

First, allow forwarding of the relevant connection states (NEW, ESTABLISHED, and RELATED) between the two interfaces (eth0 and wg0):

```bash
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 27256 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Second, forward the port to the client: rewrite the destination of incoming traffic on port 27256 to the client's VPN IP address (10.10.0.2) and, as it leaves over wg0, rewrite the source to the server's VPN IP address (10.10.0.1) so that the client's replies come back through the tunnel:

```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27256 -j DNAT --to-destination 10.10.0.2
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 27256 -d 10.10.0.2 -j SNAT --to-source 10.10.0.1
```
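As an added example (not from the original post or the tutorial it links), here are the same rules placed in the server's wg-quick configuration so they are applied when the tunnel comes up and removed when it goes down; the file path, ListenPort, key placeholders and the AllowedIPs line are assumptions, only the five iptables rules come from the post:

```ini
# /etc/wireguard/wg0.conf on the server (constructed example; key material omitted)
# Assumes eth0 is the public interface, wg0 the tunnel, 10.10.0.1 the server's
# tunnel address, 10.10.0.2 the client that should receive TCP port 27256,
# and that forwarding is enabled (check: sysctl net.ipv4.ip_forward -> 1).
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# Forwarding: only NEW connections to the published port may be opened from eth0
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 27256 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNAT the published port to the client; SNAT so the client's replies return through the tunnel
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27256 -j DNAT --to-destination 10.10.0.2
PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 27256 -d 10.10.0.2 -j SNAT --to-source 10.10.0.1

# Mirror every -A with a -D so nothing is left behind after wg-quick down
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp --syn --dport 27256 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 27256 -j DNAT --to-destination 10.10.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 27256 -d 10.10.0.2 -j SNAT --to-source 10.10.0.1

[Peer]
PublicKey = <client-public-key>
# The client must be reachable at the DNAT target address through this peer
AllowedIPs = 10.10.0.2/32
```

After `wg-quick down wg0 && wg-quick up wg0`, `iptables -L FORWARD -n -v` and `iptables -t nat -L -n -v` show the rules with packet counters, which is the quickest way to see whether traffic is actually hitting the DNAT and SNAT entries. Note that the three ACCEPT rules only limit what is forwarded if the FORWARD chain's default policy is DROP; with the default ACCEPT policy they are merely explicit.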