iptables rules for WireGuard VPN on NAT OpenVZ VPS running Debian 10?

FreekFreek Senpai

I'm trying to setup WireGuard VPN (TunSafe for that matter) on my NAT OpenVZ VPS running Debian 10. I have an ansible playbook I created to set it up on 'regular' KVM VPSes that I used. The issue I have is with the iptables rules that are needed to route/forward the traffic between the client and the server properly; they don't seem to work.

On my KVM VPSes, I'm using the iptables rule iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which would translate to iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE for OpenVZ I figured. However, iptables on my OpenVZ NAT VPS complains 'Chain 'MASQUERADE' does not exist'.

I already switched to the legacy version of iptables instead of nf using update-alternatives --config iptables but the error remains. And indeed, if I run iptables -L I see only three chains: INPUT, FORWARD and OUTPUT...

In the meantime I found this set of iptables rules that makes the VPN connection work:

#Forwarding
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#Hardening?
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -j DROP

However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.

Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.

Thanks! :)
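As an added example (not the poster's own rules), here is a small POSIX sh function that prints a scoped forwarding ruleset for review before anyone applies it as root: new flows are accepted only from the tunnel side and only from the VPN subnet, return traffic is limited to conntrack-known flows, and source NAT is applied on the WAN interface. The WAN address 10.1.2.3 and VPN subnet 10.8.0.0/24 are constructed sample values, and the SNAT fallback for a container whose iptables lacks the MASQUERADE target is an assumption, not something the post confirms works on this VPS.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a minimal forwarding
# ruleset for a WireGuard/TunSafe server instead of applying it, so it can
# be reviewed (or diffed against the live rules) before running as root.
# Assumptions: WAN interface venet0, tunnel interface tun0; the VPN subnet
# and WAN address passed in are constructed sample values. nat_mode "snat"
# is an assumed fallback for containers without the MASQUERADE target.
wg_rules() {
    wan="$1"; tun="$2"; vpn_net="$3"; nat_mode="$4"; wan_ip="$5"
    # Default deny for transit traffic; only the rules below open holes.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Only VPN clients (by source subnet) may open new flows out to the WAN.
    echo "iptables -A FORWARD -i $tun -o $wan -s $vpn_net -j ACCEPT"
    # WAN -> tunnel is reply traffic only; nothing new enters from the WAN side.
    echo "iptables -A FORWARD -i $wan -o $tun -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Source NAT happens on the WAN interface, scoped to the VPN subnet.
    case "$nat_mode" in
        masquerade)
            echo "iptables -t nat -A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE" ;;
        snat)
            [ -n "$wan_ip" ] || { echo "snat mode needs the WAN address" >&2; return 1; }
            echo "iptables -t nat -A POSTROUTING -s $vpn_net -o $wan -j SNAT --to-source $wan_ip" ;;
        *)
            echo "unknown nat_mode: $nat_mode" >&2; return 1 ;;
    esac
}
```

The WireGuard listen port still has to be accepted in INPUT separately; this function only covers transit (FORWARD) and NAT.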
