How to make WireGuard work?

Hello,

I believe this is my first post for the year 2022. And I must say I am delighted with how CWP makes everything easy to use. Although I can't get nginx with PHP-fpm to work without a CWP Pro account, I plan to support this unique and hassle-free cPanel-like experience. However, I also needed to have a VPN, so I decided to post my inquiry here.

I am a fan of WireGuard; ever since I have tried it out, I decided to stick to it instead of OpenVPN. I tried the scripts of Nyr and agristan to install WireGuard, and none of them worked after installing CWP and activating the three security features, Mod Security, Firewall, and Hidden Processes.

The good news is, before installing CWP, all of them worked fine. During the installation of WireGuard, I noticed the port is 51820, so I wonder how to allow it in CWP.

Thanks!

- You cant have php-fpm without a pro license.

- To open port in firewall; Edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there depending on if the port is TCP/UDP or if it should be in input or output, then restart the firewall.

- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.

- You cant have php-fpm without a pro license.

- To open port in firewall; Edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there depending on if the port is TCP/UDP or if it should be in input or output, then restart the firewall.

- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.

Thank you. May you guide me what to write in the csf.conf file?
Also, what will I do if I see it under Mod_Security?

UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r

- You cant have php-fpm without a pro license.

I just got my license for the entire year I am thrilled.





I am delighted to support this excellent app.

UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r

Thank you for this!

- You cant have php-fpm without a pro license.

- To open port in firewall; Edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there depending on if the port is TCP/UDP or if it should be in input or output, then restart the firewall.

- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.

UDP_IN and UDP_OUT should have port 51194 added to start, then restart the firewall with csf -r

Thank you for your replies. I have carefully followed your instructions.
I have opened the port 5180 by editing the file.



I have edited the file, and restarted the whole server just to be sure.
Apparently, it still does not work. I noticed every time I connect on my phone to the VPN, the listening port changes.





Now, I have tried to use this script and switch over to OpenVPN, I opened UDP 1194 and it still does not work.
I'm thinking of installing the script first then installing CWP after. Do you think that would work?

If you are able to connect to it, then it is indeed working.  What exactly are you trying to accomplish.  BTW, you can put ports 1:65530 in both TCP_OUT and UDP_OUT to not block any outgoing connections from your server (NOt advised, but good for troubleshooting).

If you are able to connect to it, then it is indeed working.  What exactly are you trying to accomplish.  BTW, you can put ports 1:65530 in both TCP_OUT and UDP_OUT to not block any outgoing connections from your server (NOt advised, but good for troubleshooting).

I would like to utilize the VPS server that I am renting by hosting my website and using that machine to encrypt my connection when I am connected through public WiFi networks using a VPN.

I was not aware it is possible to put a range of ports.
I could "send" data but not "receive" data.

If you want to utilize it as a "proxy" server, you need to configure the firewall to allow wireguard to access the internet through masquarading.   I'm not sure what guide you used, but here is a good example:

https://www.smarthomebeginner.com/linux-wireguard-vpn-server-setup/

If you want to utilize it as a "proxy" server, you need to configure the firewall to allow wireguard to access the internet through masquarading.   I'm not sure what guide you used, but here is a good example:

https://www.smarthomebeginner.com/linux-wireguard-vpn-server-setup/

This is the script that I used. https://github.com/Nyr/wireguard-install
And the author replied to me, this is what he said.

And there is your problem.  CWP removes firewalld, and installs CSF firewall.  Please do the following:

yum remove firewalld

nano /etc/csf/csfpost.sh  (and add the following script)

Code: [Select]

ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)

/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
chmod 700 /etc/csf/csfpost.sh

csf -r



Then you should have wireguard working

And there is your problem.  CWP removes firewalld, and installs CSF firewall.  Please do the following:

yum remove firewalld

nano /etc/csf/csfpost.sh  (and add the following script)

Code: [Select]

ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)

/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
chmod 700 /etc/csf/csfpost.sh

csf -r



Then you should have wireguard working

You know what, I honestly appreciate what you did, man!

However, I am still a noob. May you please explain what is happening with the code you wrote?

CSF firewall uses it's configuration file to write the iptables rules.  But it does not have the ability to do masquarading built in.  So they have a call in their program to look for 2 files.  csfpre.sh, and csfpost.sh where you can customize rules for the firewall that it cannot do itself.  If you read the script, line by line:

Code: [Select]

ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
This get's the "Global" Ip's for 6 and 4.  It makes sure that they are not the loopback or private ip's

Code: [Select]

/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ipThis line is what allows your VPN ip's access to the internet

Code: [Select]

/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPTActually. Delete this line.  It's redundant to opening the port in csf.conf

Code: [Select]

/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
These two lines are what allows you to communicate with the server itself, and completely bypass the firewall, giving you full access to all ports.

Code: [Select]

if [[ -n "$ip6" ]]; then
/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
Similar to the ipv4 block, but makes sure that we have a global ipv6 address.  If not, does not execute.

I am sorry, it's confusing which files to edit. Do I just edit out the csf.conf or csfpost.sh

I added all of the lines in the /etc/csf/csfpost.sh <-- by the way this path does not work. I edited the file using the CWP Control Panel.
And I tried to remove this:

Code: [Select]

/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
...and apparently, it still does not work.

that line is in the script /etc/csf/csfpost.sh .  It's going to throw an error because the variable $port is not set.  But it should work