iptables rules for WireGuard VPN on NAT OpenVZ VPS running Debian 10?

I'm trying to set up WireGuard VPN (TunSafe for that matter) on my NAT OpenVZ VPS running Debian 10. I have an ansible playbook I created to set it up on 'regular' KVM VPSes that I used. The issue I have is with the iptables rules that are needed to route/forward the traffic between the client and the server properly; they don't seem to work.

On my KVM VPSes, I'm using the iptables rule iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which would translate to iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE for OpenVZ I figured. However, iptables on my OpenVZ NAT VPS complains 'Chain 'MASQUERADE' does not exist'.

I already switched to the legacy version of iptables instead of nf using update-alternatives --config iptables but the error remains. And indeed, if I run iptables -L I see only three chains: INPUT, FORWARD and OUTPUT...

In the meantime I found this set of iptables rules that makes the VPN connection work:

iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -j DROP

However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.

Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.

Thanks! :)
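As an added example (not part of the post above): a small POSIX shell audit that reads an `iptables -S` dump from stdin and reports ACCEPT rules that match on interface alone, with no source/destination subnet and no conntrack state, which is the kind of rule worth looking at when asking whether a ruleset is too permissive. The embedded dump is constructed from the five rules in the post; the default ACCEPT policies are an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an `iptables -S`
# style dump (read from stdin) for ACCEPT rules that restrict neither by
# -s/-d subnet nor by --ctstate, i.e. interface-only accepts.

# Constructed dump: the post's five rules plus assumed default policies.
RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i venet0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP'

# Print the default policy of a chain (e.g. "ACCEPT" for FORWARD).
chain_policy() {
    awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Print ACCEPT rules in a chain that carry neither -s/-d nor --ctstate.
unrestricted_accepts() {
    awk -v c="$1" '
        $1 == "-A" && $2 == c && $(NF-1) == "-j" && $NF == "ACCEPT" &&
        $0 !~ / -s / && $0 !~ / -d / && $0 !~ /--ctstate/'
}

# Number of such rules in a chain (0 when none), for scripted checks.
unrestricted_count() {
    unrestricted_accepts "$1" | awk 'END { print NR }'
}

# Report on the constructed dump; on the VPS itself, as root, replace the
# printf with `iptables -S` to audit the live ruleset instead.
printf '%s\n' "$RULES" | unrestricted_accepts FORWARD
```

Against the constructed dump, only `-A FORWARD -i venet0 -o tun0 -j ACCEPT` is reported; the tun0 to venet0 rule and the INPUT rules are narrowed by conntrack state.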
