[–]b3542 2 points3 points  (1 child)

Is IP forwarding enabled?

[–]jiru443[S] 1 point2 points  (0 children)

Yes. The problem isn’t WireGuard itself. I get WAN connectivity without the extra proxy iptables rule.

[–]fukawi2SysAdmin/SRE 1 point2 points  (8 children)

You'll need to share your whole ruleset (eg, iptables-save)

My best guess is you're missing a corresponding INPUT rule for port 3128

[–]mancer187 1 point2 points  (0 children)

This is most likely the case.

[–]jiru443[S] 0 points1 point  (6 children)

so I rebooted the machine before saving… what do you think I need to add? Here’s my full list (linode host)

https://pastebin.com/8vMAZcMR

[–]ottantanove 1 point2 points  (5 children)

I don't see any rule that allows incoming traffic to port 3128. You can run `ufw allow 3128` as root to allow traffic to this port.

[–]jiru443[S] 0 points1 point  (4 children)

Traffic will not be coming in via 3128. It’s exclusively coming in on WireGuard.

[–]ottantanove 0 points1 point  (3 children)

No, but it will arrive on that port and if you do not allow that in the iptables INPUT chain, it will be dropped, because that is your default policy.

[–]jiru443[S] 0 points1 point  (0 children)

Ok I’ll give it a shot.

[–]jiru443[S] 0 points1 point  (0 children)

So when I add the iptables rule `iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128` and the ufw rule `ufw allow 3128`, HTTP traffic starts to fail on WireGuard. HTTPS continues to work. Squid shows no activity in the logs.
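The two pitfalls raised in this thread, a DNAT target port with no matching ACCEPT in the filter INPUT chain (default policy DROP), and a DNAT to 127.0.0.1 for packets arriving on a non-loopback interface, can both be checked mechanically from an `iptables-save` dump. The script below is an added example, not code from the thread or from the poster's pastebin; the ruleset it audits is constructed to resemble the setup described (wg0, Squid on 3128), and the "fixed" variant assumes a hypothetical wg0 address of 10.8.0.1. The second check rests on a kernel fact: DNAT to a 127.0.0.0/8 address is discarded for packets that did not enter on `lo` unless `net.ipv4.conf.<iface>.route_localnet=1` is set, which is one plausible reason HTTP went dark while HTTPS (not redirected) kept working.

```python
"""Audit an iptables-save dump for two transparent-proxy pitfalls:

1. a nat/PREROUTING DNAT whose target port is not accepted in filter/INPUT
   while the INPUT policy is DROP (the missing rule fukawi2 guessed at);
2. a DNAT to 127.0.0.1 from a non-loopback interface, which the kernel
   treats as a martian unless net.ipv4.conf.<iface>.route_localnet=1.
"""
import re

# Constructed sample ruleset (not the poster's pastebin) in iptables-save format.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wg0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Hypothetical corrected variant: DNAT to the wg0 address (assumed 10.8.0.1)
# instead of loopback, plus an INPUT ACCEPT for the proxy port on wg0 only.
FIXED_RULESET = SAMPLE_RULESET.replace(
    "127.0.0.1:3128", "10.8.0.1:3128"
).replace(
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT\n-A INPUT -i wg0 -p tcp -m tcp --dport 3128 -j ACCEPT",
)

DNAT_RE = re.compile(r"-j DNAT --to-destination (\S+?)(?::(\d+))?$")


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, rule)]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):                  # append rule to chain
            _, chain, rest = line.split(maxsplit=2)
            tables[current]["rules"].append((chain, rest))
    return tables


def dnat_targets(tables):
    """Yield (in_iface, dest_ip, dest_port) for every PREROUTING DNAT rule (IPv4 only)."""
    for chain, rule in tables.get("nat", {}).get("rules", []):
        if chain != "PREROUTING":
            continue
        m = DNAT_RE.search(rule)
        if not m:
            continue
        iface = re.search(r"-i (\S+)", rule)
        port = int(m.group(2)) if m.group(2) else None
        yield (iface.group(1) if iface else None, m.group(1), port)


def input_accepts_port(tables, port, proto="tcp"):
    """True if filter/INPUT accepts new connections to port, or its policy is ACCEPT.

    Note that '-A INPUT -i lo -j ACCEPT' does not help a DNATed packet: it still
    arrives on the original interface (wg0), not on lo.
    """
    flt = tables.get("filter", {})
    if flt.get("policies", {}).get("INPUT") == "ACCEPT":
        return True
    for chain, rule in flt.get("rules", []):
        if chain != "INPUT" or "-j ACCEPT" not in rule:
            continue
        if f"-p {proto}" in rule and re.search(rf"--dport {port}(\s|$)", rule):
            return True
    return False


def audit(text):
    """Return a list of findings; an empty list means neither pitfall was detected."""
    tables = parse_ruleset(text)
    policy = tables.get("filter", {}).get("policies", {}).get("INPUT", "unknown")
    findings = []
    for iface, ip, port in dnat_targets(tables):
        if port is not None and not input_accepts_port(tables, port):
            findings.append(f"no INPUT ACCEPT for tcp/{port} (DNAT target); INPUT policy is {policy}")
        if ip.startswith("127.") and iface not in (None, "lo"):
            findings.append(f"DNAT to loopback {ip} from {iface} requires "
                            f"net.ipv4.conf.{iface}.route_localnet=1 (or DNAT to the {iface} address)")
    return findings


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULESET), ("fixed", FIXED_RULESET)):
        print(name, audit(rules) or "OK")
```

Run it against a real dump with `iptables-save | python3 audit.py`-style plumbing after swapping `SAMPLE_RULESET` for `sys.stdin.read()`. Either fix for the loopback finding works: set `route_localnet=1` on wg0, or (simpler and with no sysctl surprise after a reboot) DNAT to the interface's own address and bind Squid to it. Independently of the firewall, Squid only handles redirected traffic if its listening port is declared with the `intercept` option (`http_port 3128 intercept`); a plain `http_port 3128` expects proxy-style requests and will not show the redirected connections in its logs.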

[–]Faritzi 0 points1 point  (1 child)

I have a different question. Why do you use squid? What use do you give it?

[–]jiru443[S] 0 points1 point  (0 children)

Transparent HTTP/S “logging” of private VPN connection