iptables rules for WireGuard VPN on NAT OpenVZ VPS running Debian 10?
I'm trying to set up WireGuard VPN (TunSafe for that matter) on my NAT OpenVZ VPS running Debian 10. I have an ansible playbook I created to set it up on 'regular' KVM VPSes that I used. The issue I have is with the iptables rules that are needed to route/forward the traffic between the client and the server properly; they don't seem to work.
On my KVM VPSes, I'm using the iptables rule
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which would translate to
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
for OpenVZ I figured. However, iptables on my OpenVZ NAT VPS complains 'Chain 'MASQUERADE' does not exist'.
I already switched to the legacy version of iptables instead of nf using
update-alternatives --config iptables
but the error remains. And indeed, if I run
iptables -L
I see only three chains: INPUT, FORWARD and OUTPUT...
In the meantime I found this set of iptables rules that makes the VPN connection work:
#Forwarding
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#Hardening?
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -j DROP
However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.
Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.
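To see what a rule set like the one in the question actually permits, here is an added Python example (mine, not from the post, WireGuard or TunSafe) that parses rules in iptables-save syntax and reports which FORWARD directions accept new connections and which outgoing interfaces are masqueraded. The sample input is the post's five rules; chain default policies, which the post does not show, are not modelled, so the report covers only what the explicit rules permit. The interface names `venet0` and `tun0` are taken from the post.

```python
"""Summarise what a VPN forwarding rule set (iptables-save syntax) lets through. Added example."""
import shlex

# Constructed sample: the five rules from the post in iptables-save form. Chain
# default policies are left out because the post does not show them.
SAMPLE = """
*filter
-A FORWARD -i venet0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
"""

def parse_rules(text):
    """One dict per '-A' rule: table, chain, in/out interface, ctstate set, target."""
    table, rules = "filter", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header such as *nat
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            r = {"table": table, "chain": toks[1], "in": None, "out": None,
                 "states": None, "target": None}
            flags = {"-i": "in", "-o": "out", "-j": "target"}
            for i, t in enumerate(toks):
                if t in flags:
                    r[flags[t]] = toks[i + 1]
                elif t == "--ctstate":           # from '-m conntrack --ctstate A,B'
                    r["states"] = set(toks[i + 1].split(","))
            rules.append(r)
    return rules

def audit(rules, wan, tun):
    """Report forwarding directions and NAT for the given WAN and tunnel interface names."""
    fwd = [r for r in rules if (r["table"], r["chain"], r["target"]) == ("filter", "FORWARD", "ACCEPT")]
    nat = [r for r in rules if (r["table"], r["chain"], r["target"]) == ("nat", "POSTROUTING", "MASQUERADE")]
    def allows_new(r):  # no ctstate match at all, or NEW listed: fresh connections pass
        return r["states"] is None or "NEW" in r["states"]
    return {
        # FORWARD ACCEPTs with no conntrack match pass NEW flows in that direction
        "stateless_forward": [(r["in"], r["out"]) for r in fwd if r["states"] is None],
        # can VPN clients open new connections out through the WAN interface?
        "tun_to_wan_new": any(r["in"] == tun and r["out"] == wan and allows_new(r) for r in fwd),
        # can hosts on the WAN side open new connections into the tunnel?
        "wan_to_tun_new": any(r["in"] == wan and r["out"] == tun and allows_new(r) for r in fwd),
        "masquerade_out": [r["out"] for r in nat],  # interfaces whose egress is source-NATed
    }
```

Run `audit(parse_rules(SAMPLE), wan="venet0", tun="tun0")` to get the report for the post's rules; feed it the output of `iptables-save` to check a live box.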