Setting Up WireGuard on Oracle Cloud: Overcoming NAT and Routing Challenges

By | April 29, 2023

WireGuard┬« is an open-source VPN solution that is known for its simplicity, speed, and security. While setting up a WireGuard instance on most cloud providers is relatively straightforward, Oracle Cloud Infrastructure presents some unique challenges. This blog post will help you navigate those challenges and guide you through configuring a WireGuard instance on Oracle Cloud. We’ll discuss a specific problem reported by users on Reddit and how to solve it using the provided scripts.

The Problem

Around two years ago, a Reddit user shared their difficulties in setting up a WireGuard VPN between a Windows PC client and an Ubuntu server hosted on Oracle Cloud’s free tier. The main issue appeared to be with the network address translation (NAT) and routing settings, which prevented the VPN from working as expected. The users suspected that Oracle Cloud had some unique configurations that caused these issues.

Previously, I had also experimented with Oracle Cloud and encountered the same issues. Consequently, I decided to share my experience in a response to the Reddit post. The solution I provided was well-received and recognized by the community, and to this day, I continue to receive appreciative testimonials for my assistance.

Recently, I returned to my experiments with Wireguard in Oracle Cloud and found myself searching for my own Reddit post to access the instructions I had shared earlier. As a result, I decided to create this blog post as a reference for myself and others who may need it in the future.

The Solution

The solution involved using two scripts added to the WireGuard configuration file (wg0.conf). These scripts help configure NAT and routing settings for the VPN to work properly on Oracle Cloud Infrastructure.

Here’s what you should do:

  1. Update your wg0.conf file by adding the following lines:
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

These lines tell WireGuard to execute the corresponding scripts when the VPN is brought up (PostUp) and taken down (PostDown).

  1. Create two new scripts in the /etc/wireguard/helper/ directory and give them execution permissions:
  • add-nat-routing.sh
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.66.66.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="59075"                  # WG udp port
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

## IPv6 (Uncomment) ##
$IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
  • remove-nat-routing.sh
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.66.66.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="59075"                  # WG udp port
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net

# IPv4 rules #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# IPv6 rules (uncomment) #
$IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -D INPUT -i $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT

Let’s dive deeper into the details of the scripts provided:

add-nat-routing.sh

The add-nat-routing.sh script sets up NAT and routing for both IPv4 and IPv6 networks when the VPN is activated. It does so by adding appropriate iptables and ip6tables rules. Key aspects of this script include:

  • Defining the internet-connected network interface (IN_FACE) and the WireGuard network interface (WG_FACE) is crucial for proper configuration. Keep in mind that you may need to adjust the interface name in IN_FACE="ens3" based on the default interface present on your Oracle instance.
  • It’s essential to specify the WireGuard IPv4 subnet (SUB_NET), the WireGuard IPv6 subnet (SUB_NET_6), and the WireGuard UDP port (WG_PORT). Ensure that these values align with your wg0.conf configuration.
  • Lastly, add iptables and ip6tables rules for NAT, INPUT, and FORWARD chains. These rules will facilitate the correct routing and translation of network addresses, ensuring that your WireGuard VPN operates as intended.

This script ensures that traffic from the VPN is correctly routed through the internet-connected network interface on the Oracle Cloud server.

remove-nat-routing.sh

The remove-nat-routing.sh script undoes the changes made by the add-nat-routing.sh script when the VPN is deactivated. It removes the corresponding iptables and ip6tables rules to ensure a clean shutdown of the VPN. This script has a similar structure to the add-nat-routing.sh script, but instead of adding rules, it deletes them.

Conclusion

With the provided scripts in place, you should now be able to set up a WireGuard instance on Oracle Cloud without any issues. The NAT and routing configurations should work as expected, allowing you to connect your VPN client to the Ubuntu server on Oracle Cloud’s free tier. If you encounter any issues or have any questions, leave a comment below, and I’ll do my best to help you out.

If you have any further questions or require additional assistance, the Reddit community and WireGuard documentation can be valuable sources of information. Don’t hesitate to reach out and share your experiences, as your insights might help others facing similar challenges.

3 thoughts on “Setting Up WireGuard on Oracle Cloud: Overcoming NAT and Routing Challenges

  1. royme

    Wireguard didn’t work also with me we I setup on Oracle cloud free tier, however when I installed wireguard using pivpn script it worked

    Reply
  2. Slava Karpenko

    Thanks for the help, worked like a charm!

    One note, though, in your instructions, remove-nat-routing and add-nat-routing are actually swapped ­čśë

    Reply
    1. Vadim Smirnov Post author

      I’m glad to hear that the help provided worked for you!

      Your observation regarding the mix-up between remove-nat-routing and add-nat-routing is greatly appreciated. We rely on keen-eyed users like yourself to keep our instructions as clear and accurate as possible. I’ve promptly addressed the issue.

      Thanks once again for your input. Please don’t hesitate to reach out if you need more help or find anything else that needs correction.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *