bypassing NAT and PORT forwarding using wireguard poll

Sorry if this is spamming as I created a thread about wireguard a few days ago

Just wanted to know if it can be useful for some/any people as creating a script would be a waste if no one has much use for it.

IT'S FOR PEOPLE FOR WHOM PORT FORWARDING DOESN'T WORK PROPERLY USING SOMETHING LIKE ZEROTIER or would like a specific feature not available in zerotier

If anyone is interested I would create a script to do all the work for you on a linux (debian) server,

Things required -
A VPS/server of your choice, Local device on which you will install wireguard client to reroute the traffic
Here is how it would work

1) Running the script will ask you which port/s you would like to forward and its protocol (TCP/UDP/Both)
2) It will then install and configure wireguard and firewall and create client config file then encrypt the file on the server using 16/32 random letters into a zip and upload it to a temp. file hosting service or create a QR code which can be scanned using official wireguard app
3) Install wireguard on the device (or a capable router/openwrt etc.) you would like to port forward and import the generated/downloaded conf file
4) You should be able to access the forwarded ports on IP-address-of-server:port

Optional
You can also set Policy Routing on your local device (if supported) so only the traffic of forwarded ports will be forwarded to the VPS/server and rest all traffic will flow normally
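A client configuration that achieves the optional goal above without per-packet policy routing, as an added example that is not part of the original post and not the client.conf the thread's script generates. It assumes the addressing the script uses (server tunnel address 10.0.0.1, client 10.0.0.2, listen port 51820, IPv4 only); the keys and the public IP are placeholders. Because the server rewrites the source of every forwarded connection to its own tunnel address (the POSTROUTING SNAT rule in the script), the client's replies are addressed to 10.0.0.1 and need no wider route, so limiting AllowedIPs to that single address keeps all other traffic on the normal route. The forwarded port is then reachable by anyone on the internet through the VPS address, exactly as a router port forward would be.

```ini
# Added example: WireGuard client config for "only forwarded ports go via the VPS".
# Addresses follow the thread's script; keys and the public IP are placeholders.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/32
# No DNS line: name resolution stays on the device's normal path.

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
# Only the server's tunnel address is routed through wg0. Forwarded connections
# arrive with source 10.0.0.1 (server-side SNAT), so their replies already go
# back through the tunnel; everything else keeps the default route.
AllowedIPs = 10.0.0.1/32
# Keeps the UDP mapping in the home NAT/CGNAT open so inbound forwards still
# reach the client after it has been idle.
PersistentKeepalive = 25
```

With this config `wg-quick` adds a route only for 10.0.0.1, so there is nothing else to configure on the client; the full-tunnel behaviour of the generated config (AllowedIPs = 0.0.0.0/0) is what makes policy routing necessary in the first place.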
 
Hey, thanks for this initiative. Is the traffic routed through the VPS? It would add latency if I'm not wrong. And please publish the script. That would be great. 🙂
 
Sorry about the delay, was slightly busy, I need to add some finishing touches (like UDP/TCP option, currently it's default TCP and removing forwarded ports)

This script will install and configure wireguard, at last it will ask you to enter ports you would like to forward (TCP)
it will also automatically encrypt and upload the file to a temp. server (URL and Password will be displayed on screen)
To add ports in the future, just run the script again.
To use it (please only use ubuntu 20.04)

Code:
cd /
wget https://github.com/rehan-kumar/lazyleaf/releases/download/0.11-alpha/wire.sh
chmod +x wire.sh
./wire.sh
 
Code:
#!/bin/sh
# Server-side installer for Ubuntu 20.04: installs WireGuard, brings up wg0
# with one client peer (10.0.0.2), then optionally DNATs public ports to it.
# Run as root; the sudo prefixes are then no-ops. eth0 is assumed to be the
# public interface.

portfrd () {
PRT=0
YESNO="n"
echo
echo "Would you want to setup/enable Port forwarding y/n."
read YESNO
if [ "$YESNO" = "y" ] || [ "$YESNO" = "Y" ]
then
echo "Would you like to port forward UDP or TCP?"
read PROTOCOL
# Reply traffic for every forwarded flow, in both directions. These rules are
# port- and protocol-independent, so add them once (-C checks for an existing
# copy) instead of once per port and per run.
sudo iptables -C FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || \
sudo iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -C FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || \
sudo iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
if [ "$PROTOCOL" = "tcp" ] || [ "$PROTOCOL" = "TCP" ]
then
while ! [ "$PRT" = "exit" ] && ! [ "$PRT" = "EXIT" ]
do
echo "Enter which TCP port to forward and press enter, when done, type exit and press enter "
read PRT
if [ "$PRT" = "exit" ] || [ "$PRT" = "EXIT" ]
then
break
fi
# Admit new TCP connections (SYN only) from the public side into the tunnel.
sudo iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport "$PRT" -m conntrack --ctstate NEW -j ACCEPT
# DNAT the public port to the client's tunnel address ...
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$PRT" -j DNAT --to-destination 10.0.0.2
# ... and SNAT to the server's tunnel address so the client's replies come
# back through wg0 whatever its default route is.
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport "$PRT" -d 10.0.0.2 -j SNAT --to-source 10.0.0.1
sudo netfilter-persistent save
echo
done
fi
if [ "$PROTOCOL" = "udp" ] || [ "$PROTOCOL" = "UDP" ]
then
while ! [ "$PRT" = "exit" ] && ! [ "$PRT" = "EXIT" ]
do
echo "Enter which UDP port to forward and press enter, when done, type exit and press enter "
read PRT
if [ "$PRT" = "exit" ] || [ "$PRT" = "EXIT" ]
then
break
fi
# UDP has no handshake, so there is no --syn equivalent; NEW is the first datagram.
sudo iptables -A FORWARD -i eth0 -o wg0 -p udp --dport "$PRT" -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport "$PRT" -j DNAT --to-destination 10.0.0.2
sudo iptables -t nat -A POSTROUTING -o wg0 -p udp --dport "$PRT" -d 10.0.0.2 -j SNAT --to-source 10.0.0.1
sudo netfilter-persistent save
echo
done
fi
fi
}

FILE=/etc/wireguard/wg0.conf
if [ -f "$FILE" ]
then
echo "It seems wireguard is already configured."
portfrd
else
IPV4=$(curl -4 icanhazip.com)   # public IPv4, used as the client's Endpoint
IPV6=$(curl -6 icanhazip.com)   # public IPv6, not used yet
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install software-properties-common iptables ufw resolvconf p7zip-full openssl iptables-persistent -y
sudo add-apt-repository ppa:wireguard/wireguard -y
sudo apt-get install wireguard -y

# Server key pair; umask 077 keeps the private key readable by root only.
umask 077
wg genkey > privatekey
wg pubkey < privatekey > publickey
PRIVATEKEY=$(cat privatekey)
PUBLICKEY=$(cat publickey)

cat << WG > /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $PRIVATEKEY
Address = 10.0.0.1/24, fd86:ea04:1115::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
WG

# Directory needs the execute bit to be traversed; the config itself is root-only.
sudo chmod 700 /etc/wireguard
sudo chmod 600 /etc/wireguard/wg0.conf
# Enable packet forwarding (Ubuntu ships these lines commented out).
sed -i -e '/net.ipv4.ip_forward/c net.ipv4.ip_forward=1' /etc/sysctl.conf
sed -i -e '/net.ipv6.conf.all.forwarding/c net.ipv6.conf.all.forwarding=1' /etc/sysctl.conf
sudo sysctl -p
sudo ufw allow 22/tcp
sed -i -e '/DEFAULT_FORWARD_POLICY/c DEFAULT_FORWARD_POLICY="ACCEPT"' /etc/default/ufw

# Masquerade tunnel traffic leaving via eth0 so the client can use the VPS as its exit.
cat << fire >> /etc/ufw/before.rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
fire
sudo ufw --force enable
sudo systemctl restart ufw
sudo ufw allow 51820/udp
wg-quick up wg0
sudo systemctl enable wg-quick@wg0
mkdir -p /client-config
mkdir -p /client-keys

# Client key pair and config; the client routes everything through the tunnel.
umask 077
wg genkey > /client-keys/privatekey
wg pubkey < /client-keys/privatekey > /client-keys/publickey
cat << _CLIENT_ > /client-config/client.conf
[Interface]
PrivateKey = $(cat /client-keys/privatekey)
Address = 10.0.0.2/32, fd86:ea04:1115::2/128
DNS = 1.1.1.1
[Peer]
PublicKey = $PUBLICKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $IPV4:51820
_CLIENT_

# Add the peer to the running interface and persist it in wg0.conf.
sudo wg set wg0 peer $(cat /client-keys/publickey) allowed-ips 10.0.0.2/32,fd86:ea04:1115::2/128
cat << _SAVE_ >> /etc/wireguard/wg0.conf

[Peer]
PublicKey = $(cat /client-keys/publickey)
AllowedIPs = 10.0.0.2/32, fd86:ea04:1115::2/128
_SAVE_

sudo netfilter-persistent save
echo
portfrd

# Archive password. Not named RANDOM: bash treats RANDOM as its random-number
# generator, so the value printed later would differ from the one used.
PASSWD=$(openssl rand -base64 32)
7z a clientconfig.7z -p"$PASSWD" -mhe=on /client-config/.
UPLOAD=$(curl -i -F name=c.7z -F file=@clientconfig.7z "https://uguu.se/api.php?d=upload-tool")
printf '%s\n' "$UPLOAD" > /upload.log
URL=$(sed -n '/a.uguu.se/p' /upload.log)
echo
wg
echo
echo
echo "Please Visit The below URL to download the config files with its password displayed below it"
echo
echo "$URL"
echo
echo "$PASSWD"
echo
fi
 
I am up for suggestions for adding features, 2 basic things I will add tomorrow are
1) Option to choose between TCP/UDP
2) Option to remove forwarded ports

Some other things which can be done for example are
1) Multiple client support with port forwarding for each user (obviously no overlapping ports)
2) Speed and/or data restrictions on per client basis

Any other ideas? And which features should I add?
 
1) Option to choose between TCP/UDP
2) Option to remove forwarded ports

1) Multiple client support with port forwarding for each user (obviously no overlapping ports)

@Rehan Kumar these will be better to add.

Will I get an error if I run the above script on Ubuntu 18?
 
@Rehan Kumar stuck at this point with my DO bangalore server
 
Attachment: Capture.webp (screenshot)
The thing is, I want to use the DO wg server for playing GTA V, as my ISP has kept me behind double NAT and I don't get OPEN NAT. I tried using roadwarrior's WireGuard script, but I still get MODERATE NAT even when I am connected to DO using a VPN. Any fix for this?
Also, 6672 is the UDP port required by Rockstar for GTA V.
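The per-port rules in the script above, the "remove forwarded ports" feature from the earlier feature list, and the UDP 6672 case asked about here all reduce to the same three netfilter rules per port (FORWARD accept, PREROUTING DNAT, POSTROUTING SNAT) plus two port-independent conntrack rules. Below is an added example, not the thread's script, that generates those rules with input validation and an add/del switch (`-A` versus `-D`) so the same code can both install and remove a forward. Interface names and addresses mirror the script and are assumptions overridable through environment variables; the sample call uses 6672/udp as constructed input. The functions only print the commands, so they can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Added example (not the thread's script): generate DNAT/SNAT forwarding rules
# for one port. Assumed defaults match the script: public interface eth0,
# tunnel wg0, server tunnel address 10.0.0.1, client 10.0.0.2.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_SERVER="${WG_SERVER:-10.0.0.1}"
WG_CLIENT="${WG_CLIENT:-10.0.0.2}"

# valid_port PORT -> success if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto PROTO -> success for tcp or udp (any case)
valid_proto() {
    case "$1" in
        tcp|TCP|udp|UDP) return 0 ;;
        *) return 1 ;;
    esac
}

# conntrack_rules add|del -> the two direction-independent rules that let
# reply packets of every forwarded flow pass. Needed once, not once per port.
conntrack_rules() {
    case "$1" in add) op="-A" ;; del) op="-D" ;; *) return 2 ;; esac
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$op" "$WAN_IF" "$WG_IF"
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$op" "$WG_IF" "$WAN_IF"
}

# forward_rules add|del PORT PROTO -> prints one iptables command per line.
# "add" appends (-A); "del" deletes the identical rules (-D), which is all a
# remove-port option needs. Returns 2 on bad input without printing rules.
forward_rules() {
    mode="$1"; port="$2"; proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    case "$mode" in
        add) op="-A" ;;
        del) op="-D" ;;
        *) echo "mode must be add or del" >&2; return 2 ;;
    esac
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    valid_proto "$proto" || { echo "invalid protocol: $proto" >&2; return 2; }
    # TCP flows are admitted only on the SYN; UDP has no handshake, so no --syn.
    syn=""
    [ "$proto" = "tcp" ] && syn=" --syn"
    # 1. Admit the new flow from the public side into the tunnel.
    printf 'iptables %s FORWARD -i %s -o %s -p %s%s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$op" "$WAN_IF" "$WG_IF" "$proto" "$syn" "$port"
    # 2. Rewrite the destination to the client's tunnel address (DNAT).
    printf 'iptables -t nat %s PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$op" "$WAN_IF" "$proto" "$port" "$WG_CLIENT"
    # 3. Rewrite the source to the server's tunnel address (SNAT) so the
    #    client's replies return through the tunnel whatever its default route.
    printf 'iptables -t nat %s POSTROUTING -o %s -p %s --dport %s -d %s -j SNAT --to-source %s\n' \
        "$op" "$WG_IF" "$proto" "$port" "$WG_CLIENT" "$WG_SERVER"
}

# Stand-alone use: ./fwdrules.sh add 6672 udp  (6672/udp is the GTA V port from the thread)
if [ "$#" -ge 3 ]; then
    forward_rules "$1" "$2" "$3"
fi
```

Review the printed commands, then apply them with `forward_rules add 6672 udp | sudo sh` and persist with `netfilter-persistent save` as the script does; `forward_rules del 6672 udp | sudo sh` takes the forward out again. `conntrack_rules add` is run once per server, not per port, which is the duplication the thread's loop accumulates on every run.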
 