Installed to AWS via AMI - No Firewall?

I installed to an EC2 instance in a VPC using the official AMI image. Everything I can find everywhere says that AlmaLinux has a firewall turned on by default, but in my instance it does not even appear to be installed.

I am attempting to set up WireGuard on this instance, and from what I am able to tell it looks like masquerading is not functioning. IP forwarding is turned on, but if you don't create a masq rule in iptables, is that all you need to do? Here is what I am experiencing:

I want all traffic to go from the client to the server for Internet, so on the client side I have allowed IPs of 0.0.0.0/0, ::/0. I have three clients and they all behave the same way. When the VPN is active I have no Internet access. I can ping the other end of the tunnel. The other end of the tunnel has unbound installed to provide DNS, and from the client I can do DNS queries and I get proper responses from the server on the WireGuard server IP (wg0 interface IP of the server). When I traceroute to an external IP it goes through the tunnel, I get replies from the VPN server itself, but nothing past it. Since I can ping the server's wg0 IP, and I am getting proper responses to DNS queries, I know I am getting through the tunnel. However, I am either not getting out to the Internet, or any requests being sent to the Internet are not finding their way back.

I have found several tutorials on setting up WireGuard on CentOS 8, and the only place I have really deviated is the iptables rules, because iptables is not installed.

Here is a dump of a bunch of what I hope is useful info. Maybe something in it will jump out at someone and they can help me.

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:89:86:28:0f:11 brd ff:ff:ff:ff:ff:ff
    inet 10.69.69.131/20 brd 10.69.79.255 scope global dynamic noprefixroute eth0
       valid_lft 2840sec preferred_lft 2840sec
    inet6 fe80::889:86ff:fe28:f11/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.19.19.1/24 scope global wg0
       valid_lft forever preferred_lft forever

# ip -4 route show table all
default via 10.69.64.1 dev eth0 proto dhcp metric 100
10.69.64.0/20 dev eth0 proto kernel scope link src 10.69.69.131 metric 100
172.19.19.0/24 dev wg0 proto kernel scope link src 172.19.19.1
broadcast 10.69.64.0 dev eth0 table local proto kernel scope link src 10.69.69.131
local 10.69.69.131 dev eth0 table local proto kernel scope host src 10.69.69.131
broadcast 10.69.79.255 dev eth0 table local proto kernel scope link src 10.69.69.131
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.19.19.0 dev wg0 table local proto kernel scope link src 172.19.19.1
local 172.19.19.1 dev wg0 table local proto kernel scope host src 172.19.19.1
broadcast 172.19.19.255 dev wg0 table local proto kernel scope link src 172.19.19.1

# ip -4 rule show
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

# ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::889:86ff:fe28:f11 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev wg0 table local metric 256 pref medium

# ip -6 rule show
0:	from all lookup local
32766:	from all lookup main

# wg
interface: wg0
  public key: XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXXXxX=
  private key: (hidden)
  listening port: 41194

peer: XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXXXxX=
  endpoint: 71.84.98.179:41959
  allowed ips: 172.19.19.2/32
  latest handshake: 14 hours, 52 minutes, 20 seconds ago
  transfer: 153.30 KiB received, 21.12 KiB sent

peer: XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXXXxX=
  endpoint: 174.255.129.238:7307
  allowed ips: 172.19.19.5/32
  latest handshake: 15 hours, 8 minutes, 43 seconds ago
  transfer: 67.90 KiB received, 10.46 KiB sent

peer: XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXXXxX=
  endpoint: 71.84.98.179:52107
  allowed ips: 172.19.19.4/32
  latest handshake: 15 hours, 9 minutes, 16 seconds ago
  transfer: 51.47 KiB received, 8.12 KiB sent

peer: XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXXXxX=
  allowed ips: 172.19.19.3/32

# ip netconf
inet lo forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet eth0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet wg0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet all forwarding on rp_filter strict mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet default forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 lo forwarding on mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 eth0 forwarding on mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 wg0 forwarding on mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 all forwarding on mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 default forwarding on mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off

# iptables-save
-bash: iptables-save: command not found

# nft list ruleset
-bash: nft: command not found

Hey @T313C0mun1s7, thanks for reaching out. On the AWS AMIs there is no firewall installed, as this should be configured via the AWS security groups functionality. This is the default in the stock CentOS images as well, as you can see in the attached image.

That being said, you can feel free to install it if you need it. Just make sure when you configure your rules that you don’t lock yourself out of your instance.

I don’t know WireGuard, but what does it need sNAT for?

Overall, forget iptables and stay away from firewalld. The kernel has nftables. The current version of iptables is a mere translator to the nft API.

The nftables package gives both the nft tool and nftables.service. With these you can add the masquerade rule.
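Since two replies above leave the actual rules as an exercise (the first warns about locking yourself out once you install a firewall, the last says to add the masquerade rule with nft), here is a complete nftables ruleset that does what the original post describes. This is an added example written for this thread, not code from the original poster, the AlmaLinux project or the WireGuard project. It takes the interface names, the 172.19.19.0/24 tunnel subnet and the UDP listening port 41194 from the output posted above; the assumption that SSH is on 22/tcp and that unbound should only answer tunnel clients is mine.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a WireGuard "full tunnel" exit node on the
# instance described in this thread. Assumptions: WAN interface eth0,
# WireGuard interface wg0 with 172.19.19.0/24, WireGuard on UDP 41194,
# SSH on 22/tcp (hypothetical; change it if you moved sshd).

flush ruleset

table inet filter {
    chain input {
        # Filter hook, default priority 0 ("filter" slot).
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Replies to the instance's own outbound traffic and to
        # already-tracked flows.
        ct state established,related accept
        ct state invalid drop

        # Keep your own way in BEFORE anything else, so a typo further
        # down cannot lock you out of the instance.
        tcp dport 22 accept

        # WireGuard handshakes and data from any peer endpoint.
        udp dport 41194 accept

        # unbound (DNS) and ping, but only from inside the tunnel.
        iifname "wg0" udp dport 53 accept
        iifname "wg0" tcp dport 53 accept
        iifname "wg0" icmp type echo-request accept

        # Error ICMP needed for path MTU discovery and traceroute,
        # plus IPv6 neighbour discovery on the link-local eth0 address.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the clients opened.
        ct state established,related accept
        ct state invalid drop

        # Clients with allowed-ips 0.0.0.0/0 may only be forwarded out to
        # the WAN side; nothing is forwarded from eth0 into the tunnel
        # unsolicited, and tunnel clients cannot reach the VPC via wg0.
        iifname "wg0" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # NAT hook, priority 100 is the "srcnat" slot.
        type nat hook postrouting priority 100; policy accept;

        # This is the missing piece from the original post: rewrite tunnel
        # sources to eth0's own address on the way out. Conntrack undoes
        # the translation on replies and the forward chain above lets
        # them back in, so clients get answers instead of timeouts.
        oifname "eth0" ip saddr 172.19.19.0/24 masquerade
    }
}
```

Syntax-check it first with `nft -c -f /etc/nftables/wg0.nft`, then load it with `nft -f /etc/nftables/wg0.nft` from a session while you keep a second SSH session open, so you can undo a mistake. To make it survive a reboot, reference the file from `/etc/sysconfig/nftables.conf` with an `include` line and run `systemctl enable --now nftables`. Forwarding is already enabled according to the `ip netconf` output in the question, so no sysctl change is needed for IPv4; the ruleset only masquerades IPv4, so if clients also send `::/0` through the tunnel you need a matching `ip6 nat` table or a routed IPv6 prefix. Two things outside the host still have to agree: the AWS security group on the instance must allow inbound UDP 41194, since the AMI relies on security groups instead of a host firewall, and because masquerading makes every forwarded packet leave with the ENI's own address, the instance's source/destination check does not get in the way.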