Unable to reach out port on gateway node

[sanbroz]

I have setup a gateway node on mu ubuntu system, local services works fine but i am unable to expose http services on local lan on gateway node.
my ubuntu server IP is 192.168.2.118 and i am trying to reach 192.168.2.103:8080, I can confirm working of the service port on lan with telnet. My DNS records are properly pointed to the wiredoor server. I have also setup. Pls help me to debug this issue further.

wiredoor http sftp --domain sftp.mydomain.com --port 8080 --backendHost 192.168.2.102 --proto http
Error - backendPort: Unable to reach out port 8080 in 192.168.2.102

wiredoor status
 ✔ Connection successful to: xxx.xx.xxx.xx

🛡️  Gateway: ubuntu (10.10.0.2) → 🌐 Subnet: 192.168.2.0/24

🔐 Handshake: 1 minute ago | TX: 3.8 MiB | RX: 58.8 MiB

telnet 192.168.2.102 8080
Trying 192.168.2.102...
Connected to 192.168.2.102.
Escape character is '^]'.

IP forwarding is enabled:
sysctl -w net.ipv4.ip_forward=1

my .env file

# Wiredoor admin credentials
ADMIN_EMAIL=xxxxxxx@gmail.com           # Required. Also used by certbot if SSL is enabled
ADMIN_PASSWORD="ChangeMe1st!"           # Required. Use a secure password

# VPN Information
VPN_HOST=xxx.xx.xxx.xx                  # Required. Public address that clients will connect to
VPN_PORT=51820                          # Default WireGuard UDP port
VPN_SUBNET=10.10.0.0/24                  # Subnet for clients (in CIDR format)

# TCP Port range
TCP_SERVICES_PORT_RANGE=32760-32767     # Optional. Port range to expose TCP/UDP services


# TCP/UDP Exposure (Public Port Range)
TZ=Asia/Kolkata                     # Time zone (recommended for logging)

# OAUTH2 PROVIDER CONFIG https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/
OAUTH2_PROXY_PROVIDER=google
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=

GRAFANA_USER=admin
GRAFANA_PASSWORD="ChangeMe1st!"

[dmesad]

Hi! Please try exposing the service from the Wiredoor dashboard first to make sure the configuration is applied correctly.

Then, inside the Wiredoor container, run:

ip route

You should see a route like:

192.168.2.0/24 dev wg0 scope link

This confirms that traffic to your LAN subnet is correctly routed through the WireGuard tunnel. If the route is missing, the service might not be reachable and you will need to restart wiredoor or recreate your node.

[sanbroz]

My curent ip route on gateway node ubuntu is -

default via 192.168.2.1 dev wlo1 proto dhcp src 192.168.2.118 metric 600 
10.0.0.0/24 dev docker0 proto kernel scope link src 10.0.0.1 linkdown 
10.10.0.0/24 dev wg0 scope link 
172.17.0.0/16 dev br-268507e1c27f proto kernel scope link src 172.17.0.1 
192.168.2.0/24 dev wlo1 proto kernel scope link src 192.168.2.118 metric 600 

I am unable to expose the service first from wiredoor dashboard and cli

wiredoor http ftp --domain ftp.mydomain.com --port 8080 --backendHost 192.168.2.102
Error - backendPort: Unable to reach out port 8080 in 192.168.2.102

[dmesad]

We need to check ip route in Wiredoor Container not in local ubuntu node:

docker compose exec wiredoor bash
ip route

If your routes has something like 192.168.2.0/24 dev wg0 scope link. Then check if you can reach the HTTP service from Wiredoor Container

curl -I 192.168.2.102:8080

[sanbroz]

This time I tried on fresh installed gateway node (Ubuntu server)

9ca2c3b6acdf:/app# ip route
default via 172.18.0.1 dev eth0 
10.10.0.0/24 dev wg0 proto kernel scope link src 10.10.0.1 
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2 
192.168.2.0/24 dev wg0 scope link 

from gateway node service is reachable

curl -I 192.168.2.102:8080
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /web/client/login
Server: SFTPGo/2.6.2
Date: Fri, 20 Jun 2025 15:10:14 GMT

but unable to reach from wiredoor container

9ca2c3b6acdf:/app# curl -I 192.168.2.102:8080 -vv
20:43:02.820708 [0-0] * [SETUP] added
20:43:02.824698 [0-0] *   Trying 192.168.2.102:8080...
20:45:12.461693 [0-0] * connect to 192.168.2.102 port 8080 from 10.10.0.1 port 53340 failed: Operation timed out
20:45:12.465979 [0-0] * Failed to connect to 192.168.2.102 port 8080 after 129642 ms: Could not connect to server
20:45:12.469758 [0-0] * closing connection #0
20:45:12.473445 [0-0] * [SETUP] close
20:45:12.474997 [0-0] * [SETUP] destroy
curl: (28) Failed to connect to 192.168.2.102 port 8080 after 129642 ms: Could not connect to server

wiredoor status
✔ Connection successful to: xxx.xx.xxx.xx

🛡️ Gateway: suhavi-ldh (10.10.0.3) → 🌐 Subnet: 192.168.2.0/24

🔐 Handshake: 33 seconds ago | TX: 37.8 KiB | RX: 55.0 KiB

🌐 No services exposed yet.
👉 Use 'wiredoor http' or 'wiredoor tcp' to expose a service.

wiredoor http ftp --domain ftp.mydomain.com --port 8080 --backendHost 192.168.2.102 --proto http
Error - backendPort: Unable to reach out port 8080 in 192.168.2.102

I am only able to ping gateway node IP from wiredoor container

[sanbroz]

This solved the issue (on gateway node)

sudo iptables -t nat -A POSTROUTING -o <client_interface> -j MASQUERADE

Step-by-Step UFW-Compatible NAT Setup

1. Enable IP Forwarding

echo "net.ipv4.ip_forward=1" | sudo tee /etc/ufw/sysctl.conf
sudo sysctl -p /etc/ufw/sysctl.conf

2. Add NAT Rule to UFW’s before.rules
   Edit UFW’s IPv4 pre-routing config:
   sudo nano /etc/ufw/before.rules

Scroll to the top, and before the *filter section, add the following:

*nat
:POSTROUTING ACCEPT [0:0]

# NAT rule for VPN or forwarded traffic
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

3. Allow Forwarding in UFW
   Edit the main UFW config:
   sudo nano /etc/default/ufw

Set:
DEFAULT_FORWARD_POLICY="ACCEPT"

4. Reload UFW to Apply Changes

sudo ufw disable
sudo ufw enable

5. (Optional) Allow Forwarding for wg0
   To allow WireGuard traffic:

sudo ufw allow in on wg0
sudo ufw allow out on wg0

Please update the https://www.wiredoor.net/docs/troubleshooting section after final testing

[dmesad]

Thanks a lot for the detailed feedback and for documenting your solution!

This fix is already mentioned in the troubleshooting guide:

https://github.com/wiredoor/wiredoor/blob/main/docs/troubleshooting.mdx#L74

Could you take a quick look and let us know if the current explanation is clear enough? We're happy to improve it if anything feels confusing or incomplete.

[sanbroz]

current explanation is not clear enough, it mentioned net.ipv4.ip_forward=1 only , need to add other steps also, I tested on Ubuntu server fresh install.