How to make wireguard ignore certain ports
I have my router set up to port forward port 80 to a machine running a caddy file server. I can successfully curl the file server from the LAN but I get a timeout when curling from the WAN. The machine running caddy is also running wireguard through NetworkManager to connect to an external VPN. If I turn off the wireguard connection I can curl the file server from the WAN.
This answer says that my AllowedIps=0.0.0.0,::0/0 is routing all traffic through the external VPN. How can I set wireguard to route everything but ports 80 and 443 traffic through the VPN?
It is not possible to configure Wireguard to route everything but ports 80 and 443. This is because, looking at the OSI network model, ports are on a different layer than IP traffic.
But there are two (probably more) answers to this question: the first answer is to limit the routes going through the Wireguard tunnel. Evaluate which IP networks need to go through the Wireguard tunnel and configure that in the AllowedIps.
The second answer is more advanced to do, but you could configure a source NAT on the router which masks the incoming WAN IP address to the IP of the router. This means that the file server thinks that WAN traffic is traffic from the router and will send back a reply to the router, which will send it back to the WAN.
Since Wireguard uses another routing table than the default one, you can use ip rule in order to exclude a certain type of traffic.
Wireguard will add a rule to match traffic after it is redirected to local, but before it goes to main.
You should then be able to add a rule before the wireguard one, which will redirect traffic from ports 80 and 443 (replies from your server) to the main table.
It should be as simple as:
ip rule add sport 80 table main
ip rule add sport 443 table main
You can verify the rule is placed before the wireguard one with:
ip rule
Although, if you want to make it persistent, you might want to add a PostUp action in your configuration file:
PostUp=ip rule add sport 80 table main && ip rule add sport 443 table main
PreDown=ip rule del sport 80 table main && ip rule del sport 443 table main
If you are only using NetworkManager, you can use dispatcher.d to place a script so it will be executed when a network is connected or disconnected.
#!/bin/bash
# Write the dispatcher script; NetworkManager runs every executable file in
# dispatcher.d on each connect/disconnect event, so the script needs its own
# shebang. "del" before "add" keeps it idempotent; the table is main, as in PostUp.
cat > /etc/NetworkManager/dispatcher.d/02-wg_exceptions.sh <<'EOF'
#!/bin/bash
ip rule del sport 80 table main 2>/dev/null
ip rule del sport 443 table main 2>/dev/null
ip rule add sport 80 table main
ip rule add sport 443 table main
EOF
chmod +x /etc/NetworkManager/dispatcher.d/02-wg_exceptions.sh
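The dispatcher script above runs on every event for every interface. As an added example (not code from either answer), here is a version that goes a bit further: it reacts only to the WireGuard device going up or down, gives the exemption rules an explicit preference so they are consulted before the rules WireGuard adds, covers IPv6 as well (the asker has ::0/0 in AllowedIPs), and can print the commands instead of running them. It assumes the WireGuard device is named wg0 (hypothetical, override with WG_IFACE) and that WireGuard's own rules use a higher preference number than 100.

```shell
#!/bin/bash
# Added example: NetworkManager dispatcher script for sport-based exemptions.
# Install as /etc/NetworkManager/dispatcher.d/02-wg_exceptions.sh and chmod +x.
# Assumptions: WireGuard device wg0 (hypothetical), services on ports 80/443,
# and WireGuard's policy rules have a later (higher) pref than RULE_PREF.
WG_IFACE="${WG_IFACE:-wg0}"
EXEMPT_PORTS="${EXEMPT_PORTS:-80 443}"
RULE_PREF=100

# Print the ip rule commands for ACTION (add|del) and the given ports, for
# IPv4 and IPv6, so they can be inspected or tested without root.
wg_exception_rules() {
  action="$1"; shift
  for port in "$@"; do
    for fam in 4 6; do
      printf 'ip -%s rule %s pref %s sport %s table main\n' \
        "$fam" "$action" "$RULE_PREF" "$port"
    done
  done
}

# Run the generated commands. "del" may fail when a rule is already gone,
# which keeps the script idempotent. DRY_RUN=1 only prints the commands.
apply_rules() {
  wg_exception_rules "$1" $EXEMPT_PORTS | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; continue; fi
    if [ "$1" = del ]; then $cmd 2>/dev/null || true; else $cmd; fi
  done
}

# NetworkManager invokes dispatcher scripts as: script <interface> <action>.
# Anything that is not our WireGuard device is ignored (exit status 0).
dispatcher_main() {
  [ "$1" = "$WG_IFACE" ] || return 0
  case "$2" in
    up)            apply_rules del; apply_rules add ;;  # clean re-add on every up
    down|pre-down) apply_rules del ;;
  esac
}

dispatcher_main "$@"
```

Run it by hand as `DRY_RUN=1 ./02-wg_exceptions.sh wg0 up` to see exactly which rules would be installed, then confirm with `ip rule` that pref 100 sits before the WireGuard rules.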