
Problem: Traffic not making it from "client" to "server" and back.

Configs:

"server":

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = [redacted]

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = [redacted]
AllowedIPs = 10.8.0.2/32

"client":

[Interface]
Address = 10.8.0.2/24
PrivateKey = [redacted]
PostUp = ping -c1 10.8.0.1
DNS = 1.1.1.1

[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0, ::/0

/etc/iptables/rules.v4:

# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure

# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 64738 -j ACCEPT

# I added the following rule manually. The preceding 5 rules were either
# added by Oracle (22) or Docker (the other ports). All else is added by Oracle.
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
#

# Commenting out the following two lines makes everything work, but defeats
# the point of iptables.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#

-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT

Commentary:

I can make the wireguard connection and ping between the two peers, but I cannot get from the "client" peer to the "server" peer and on to the Internet and back.

"client" side:

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] ping -c1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=169 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 168.716/168.716/168.716/0.000 ms

$ curl -4 ifconfig.me
curl: (6) Could not resolve host: ifconfig.me

"client" /etc/resolv.conf:

# Generated by resolvconf
nameserver 1.1.1.1

"server" /etc/resolv.conf:

nameserver 127.0.0.53
options edns0 trust-ad
search vcn[redacted].oraclevcn.com

As mentioned in the comments above, commenting out the INPUT REJECT rule in /etc/iptables/rules.v4 solves the problem, but it is undesirable from a firewall-security point of view, if I understand correctly.

The curl error hints at a DNS problem, if I am not mistaken.

I have the following ingress rules in the oracle cloud config:

Ingress Rules

I have the following Egress rule:

Egress Rules

I am a newbie at iptables, networking, and sysadmin, so I've been struggling over this for a while. I haven't found much on the Internet that sheds light on what exactly I'm missing here, just bits and pieces that got me this far.

I think I have narrowed the problem down to the configuration of iptables, but I'm stumped as to what to do.

Any advice on what exactly the problem is here and what a good (and secure) solution would be is much appreciated!!!

Thanks!

stinkfoot

2 Answers


Insert these two iptables rules before the -A FORWARD -j reject rule in your server's /etc/iptables/rules.v4 file:

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

If you run sudo iptables-save, you'll see the list of your active iptables rules. The iptables rules from the PostUp script in your server's wg config file are appended after the rules set in /etc/iptables/rules.v4. Note that you can change this by using the iptables -I flag instead of the -A flag in your wg PostUp scripts -- the -I flag inserts rules at the top of the chain (or at a specified index, 0 by default), whereas the -A flag appends rules to the bottom.

Justin Ludwig
  • Hey, adding those forwarding rules did the trick. Thanks! How do I see the PostUp rules with iptables? I tried iptables -L -n -v -t nat, but I didn't see anything specific except: 0 0 MASQUERADE all -- * ens3 0.0.0.0/0 0.0.0.0/0 – stinkfoot Jun 10 '21 at 14:16
  • You can't see *just* the PostUp rules; `iptables -L -t nat` (or `iptables-save -t nat`) will show you the entire active `nat` table (with your POSTROUTING...MASQUERADE rule); `iptables -L -t filter` (or `iptables-save -t filter`) will show you the entire active `filter` table (the default table with your FORWARD...ACCEPT rules); etc. – Justin Ludwig Jun 10 '21 at 17:31
  • Excellent. Thanks again! – stinkfoot Jun 12 '21 at 08:05
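To make the ordering problem visible rather than inferred, here is an added example that is not part of the question or the answer above: a POSIX shell check over iptables-save output that lists every rule of a chain sitting below the chain's first unconditional REJECT/DROP, i.e. rules the kernel can never reach. The two rule sets are constructed cut-downs of the question's filter table. The first is what the kernel holds when rules.v4 is restored and wg-quick's PostUp then appends (-A) its FORWARD rules; the second has those rules ahead of the REJECT, which is what the fix achieves (an `iptables -I` in PostUp, which with no index inserts at position 1, has the same effect). The function names are mine.

```shell
#!/bin/sh
# Added example: report iptables rules that can never match because an
# unconditional "-j REJECT" / "-j DROP" precedes them in the same chain.

# Constructed: filter table after rules.v4 is restored and wg-quick's PostUp
# appends its rules. INPUT is fine (51820 precedes the REJECT); FORWARD is not.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
COMMIT'

# Constructed: the same table with the FORWARD rules ahead of the REJECT.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# shadowed_rules CHAIN: read iptables-save text on stdin and print each rule
# of CHAIN that follows the first unconditional terminal rule, i.e. a line of
# the form "-A CHAIN -j REJECT ..." or "-A CHAIN -j DROP" with no match options.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (dead) { print; next }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) dead = 1
        }'
}

# shadowed_count CHAIN: number of such rules, printed as a plain integer.
shadowed_count() {
    shadowed_rules "$1" | awk 'END { print NR + 0 }'
}

# report LABEL RULES: human-readable summary for INPUT and FORWARD.
report() {
    for chain in INPUT FORWARD; do
        printf '%s %s: %s unreachable rule(s)\n' "$1" "$chain" \
            "$(printf '%s\n' "$2" | shadowed_count "$chain")"
        printf '%s\n' "$2" | shadowed_rules "$chain" | sed 's/^/    /'
    done
}

report broken "$BROKEN_RULES"
report fixed  "$FIXED_RULES"
```

On the server itself, feed the live table in with `iptables-save -t filter | shadowed_rules FORWARD` instead of the embedded text; an empty result for INPUT and FORWARD is the state you want. The check deliberately ignores rules such as `-A FORWARD -i wg0 -j REJECT`, which carry match options and so do not end the chain for everything. Moving the ACCEPT rules above the REJECT does not disturb PostDown: `iptables -D` deletes by rule specification, not by position.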

Many (most?) of the guides for configuring wireguard do not say much about adding firewall rules other than the PostUp/PostDown NAT rules in the "server's" wg0.conf file.

In my case (Oracle free tier), I needed a rule in the INPUT chain for the wg port and two rules for the FORWARD chain in order to allow packets on the wg port to move through the "server" and on to their destinations on the Internet.

These are the rules that I added manually to /etc/iptables/rules.v4:

-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

These rules must come before any REJECT rules in the INPUT and FORWARD chains, or they will be ignored.

Additionally, an Ingress rule must be set in the Oracle dashboard for the wg port.

With all these rules in place, the path for packets through the wg tunnel from "client" peer to "server" peer to the Internet and back is open.

stinkfoot
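A scripted version of the placement rule in the answer above ("before any REJECT rules in the INPUT and FORWARD chains"), as an added example that is not part of the original post: a POSIX shell filter that inserts the three WireGuard rules into an iptables-restore file immediately ahead of each chain's catch-all REJECT, skipping any rule that is already present so it can be re-run safely. The input is a constructed cut-down copy of the question's rules.v4; the function names are mine.

```shell
#!/bin/sh
# Added example: place WireGuard rules ahead of a chain's catch-all REJECT in
# an iptables-restore file, idempotently.

# Constructed: a cut-down rules.v4 in the shape of the question's file,
# before the WireGuard rules are added.
RULES_V4='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# insert_before_reject CHAIN RULE...: copy stdin to stdout, emitting each
# RULE just before the first "-A CHAIN -j REJECT/DROP" line. A RULE already
# present anywhere in the input is not added again.
insert_before_reject() {
    chain=$1; shift
    rules=$(printf '%s\n' "$@")
    awk -v chain="$chain" -v rules="$rules" '
        BEGIN { n = split(rules, want, "\n") }
        { seen[$0] = 1; lines[++cnt] = $0 }
        END {
            for (i = 1; i <= cnt; i++) {
                split(lines[i], f, " ")
                if (!done && f[1] == "-A" && f[2] == chain && f[3] == "-j" &&
                    (f[4] == "REJECT" || f[4] == "DROP")) {
                    for (j = 1; j <= n; j++) if (!(want[j] in seen)) print want[j]
                    done = 1
                }
                print lines[i]
            }
        }'
}

# patch_rules: stdin -> stdout, adding the rules from the answer above.
patch_rules() {
    insert_before_reject INPUT \
        '-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT' |
    insert_before_reject FORWARD \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i wg0 -j ACCEPT'
}

# line_of TEXT PATTERN: 1-based number of the first line containing PATTERN
# (fixed string), used to prove the ordering after patching.
line_of() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

PATCHED=$(printf '%s\n' "$RULES_V4" | patch_rules)
printf '%s\n' "$PATCHED"
printf 'wg0 ACCEPT at line %s, FORWARD REJECT at line %s\n' \
    "$(line_of "$PATCHED" '-A FORWARD -i wg0 -j ACCEPT')" \
    "$(line_of "$PATCHED" '-A FORWARD -j REJECT')"
```

To use it on the real file, replace the `printf` feeding `patch_rules` with `cat /etc/iptables/rules.v4`, write the result to a new file, and parse it with `iptables-restore --test` before swapping it in. Two things the page does not show but that the forwarding path also depends on: `net.ipv4.ip_forward` must be 1 on the "server", and the PostUp MASQUERADE rule must name the interface that actually carries the default route (ens3 in the question).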