How to make wireguard ignore certain ports
I have my router set up to port forward port 80 to a machine running a caddy file server. I can successfully curl the file server from the LAN but I get a timeout when curling from the WAN. The machine running caddy is also running NetworkManager to connect to an external VPN. If I turn off the WireGuard connection I can curl the file server from the WAN.
This answer says that my AllowedIps=0.0.0.0,::0/0 is routing all traffic through the external VPN. How can I set WireGuard to route everything but port 80 and 443 traffic through the VPN?
It is not possible to configure WireGuard to route everything but ports 80 and 443. This is because, looking at the OSI network model, ports are on a different layer than IP traffic.
But there are two (probably more) answers to this question. The first answer is to limit the routes going through the WireGuard tunnel: evaluate which IP networks need to go through the WireGuard tunnel and configure that in the
The second answer is more advanced, but you could configure a source NAT on the router which masks the incoming WAN IP address to the IP of the router. This means that the file server thinks that WAN traffic is traffic from the router and will send its reply back to the router, which will send it back to the WAN.
Since WireGuard uses another routing table than the default one, you can use ip rule in order to exclude a certain type of traffic.
WireGuard will add a rule to match traffic after it is redirected to local, but before it goes to main.
You should then be able to add a rule before the WireGuard one, which will redirect traffic from ports 80 and 443 (the replies from your server) to the main table.
It should be as simple as:
ip rule add sport 80 table main
ip rule add sport 443 table main
You can verify the rule is placed before the WireGuard one with:
Although, if you want to make it persistent, you might want to add a PostUp action in your configuration file:
PostUp = ip rule add sport 80 table main && ip rule add sport 443 table main
PreDown = ip rule del sport 80 table main && ip rule del sport 443 table main
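The check this answer refers to, written out as an added example that is not part of the answer itself: a POSIX shell script that parses `ip rule show` output, confirms that the sport exceptions sit at a lower priority number than the rule diverting traffic into the tunnel (rules are evaluated in ascending order, so a higher number would never be reached for tunnel-bound traffic), and prints the add commands with an explicit priority so that the ordering does not depend on insertion order. The two embedded samples are constructed, modelled on what wg-quick installs with its default fwmark 0xca6c and table 51820; the SAMPLE_* names, the function names and the `apply` argument are the example's own.

```shell
#!/bin/sh
# Added example: verify and generate the "sport" exceptions for a WireGuard
# policy-routing setup. Only "ip rule show" text is parsed; nothing here
# touches the live rule table until the script is invoked with "apply".

# Constructed sample of "ip rule show" after "wg-quick up" ...
SAMPLE_BEFORE='0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

# ... and after "ip rule add sport 80 table main" and "ip rule add sport 443
# table main" were run on top of it (each unprioritised add lands one slot
# ahead of the existing rules, so it ends up before the tunnel rule).
SAMPLE_AFTER='0:      from all lookup local
32762:  from all sport 443 lookup main
32763:  from all sport 80 lookup main
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

# Priority of the rule that sends unmarked traffic into the tunnel table.
# Prints nothing when no such rule exists (tunnel not up).
wg_rule_pref() {
    printf '%s\n' "$1" | sed -n '/fwmark .* lookup/{s/:.*//;p;q;}'
}

# Priority of the exception rule for one source port; empty if absent.
sport_rule_pref() {
    printf '%s\n' "$1" | sed -n "/ sport $2 lookup main/{s/:.*//;p;q;}"
}

# Succeeds only if every listed port has an exception whose priority number
# is lower than the tunnel rule's. Returns 2 when the tunnel rule is missing.
exceptions_precede_wg() {
    rules=$1; shift
    wg=$(wg_rule_pref "$rules")
    [ -n "$wg" ] || return 2
    for port in "$@"; do
        pref=$(sport_rule_pref "$rules" "$port")
        [ -n "$pref" ] && [ "$pref" -lt "$wg" ] || return 1
    done
    return 0
}

# Print the commands that install the exceptions just ahead of the tunnel
# rule found at priority $1. Any lower number works; pinning it explicitly
# avoids surprises when other rules are added later.
exception_cmds() {
    wg=$1; shift
    pref=$((wg - 1))
    for port in "$@"; do
        printf 'ip rule add priority %d sport %d table main\n' "$pref" "$port"
        pref=$((pref - 1))
    done
}

# Real run (root, tunnel up): ./wg_exceptions.sh apply
if [ "${1:-}" = apply ]; then
    wgpref=$(wg_rule_pref "$(ip rule show)")
    [ -n "$wgpref" ] || { echo "no WireGuard rule found; is the tunnel up?" >&2; exit 1; }
    exception_cmds "$wgpref" 80 443 | sh -e
    exceptions_precede_wg "$(ip rule show)" 80 443 && echo "exceptions in place"
fi
```

Two caveats the answer leaves implicit: wg-quick installs the same pair of rules for IPv6, so a server reachable over IPv6 needs the equivalent `ip -6 rule add sport 80 table main`, and the `sport` selector requires a kernel and iproute2 from 4.17 or later.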
If you are only using NetworkManager, you can use dispatcher.d to place a script so it will be executed when a network is connected or disconnected.
#!/bin/bash
# Writes a dispatcher script that NetworkManager runs on every connection change.
# The script must be executable, owned by root and not group/world writable,
# or NetworkManager will refuse to run it.
cat > /etc/NetworkManager/dispatcher.d/02-wg_exceptions.sh <<'EOF'
#!/bin/sh
# $1 = interface, $2 = action (up, down, ...). Delete before adding so the
# rules are not duplicated each time the script runs; the del fails harmlessly
# when the rule is not there yet. "custom" has to be a table name listed in
# /etc/iproute2/rt_tables (use "main" for the default table).
ip rule del sport 80 table custom 2>/dev/null
ip rule del sport 443 table custom 2>/dev/null
ip rule add sport 80 table custom
ip rule add sport 443 table custom
EOF
chmod +x /etc/NetworkManager/dispatcher.d/02-wg_exceptions.sh