Wireguard docker port forwarding. 0" services: wireguard: image: linuxserver/wireguard . First, you have to install the kernel module: # first check your kernel version uname -r # install wireguard kernel module apk add wireguard-${your_kernel_version} The «internal» port is the port number that WireGuard (the server process) will be listening on inside the WireGuard container. 5 Once you have that, when you log in on Windscribe's site, you can pick the "client id" and what internal and external ports you want. docker run -p 9000:80 nginx To port forward port 9000 of host machine to port 80 of container. Because the IP addresses of Services and Pods all belong to the Kubernetes cluster's internal network range, we need to use kubectl exec to enter a Pod (or ssh into any node of the cluster) and then access the Service with a tool such as curl. 1/24. Port 9981 is open on the VPS on which Netmaker is hosted, but isn't reachable from within the Docker container. svc. Choose a network that is not already assigned to your home network. Put the TCP and UDP ports for WireGuard in the corresponding boxes in your router. Step 2 – Create the Wireguard Container Using Portainer and a Stack. If you are using WireGuard with IPv4, you’ll need the IP address that you chose for the server in Step 2 (a) — Choosing an IPv4 Range, which in this example is 10. But I do not remember where my preference for random ports comes from, I just always had it like that. In your pfSense device, navigate to VPN > WireGuard and click + Add Tunnel. Mullvad port forwarding overview Step 1 - Find your device name or WireGuard key Step 2 - Log in to Mullvad. Enter the following configuration settings. I am running netmaker which is a wireguard mesh VPN service on a Docker container, and I need port 9981 to be reachable from the Docker container, so that I can access port 9981 via my Wireguard WAN. 6 kernels may need to have the module The way to forward a port is: Begin by logging in to your router. 
Rule #1: You can change the «public» and «external» ports but you can't change the «internal» port unless you are prepared to do a lot more work. In a normal CLI syntax you add: -p <host-port>:<container-port> This is an example command that maps port 443: Here is the relevant info from my docker-compose. 2. My dedicated server is connected to 2 wireguard servers and it is probably something to do with them. 184. . 12), plex (Port 32400). Relevant info: Client (vm on home network): Results of wg: I want to use Wireguard to forward my qbittorrent network traffic. Share Once you have that, when you login on windscribes stie, you can pick the "client id" and what internal and external ports you want. 2 I installed pterodactyl panel (software that uses docker and creates game servers with a web interface) but I can't connect to any servers that I create on it. ip_forward=1 This enables Host C to forward packets from Endpoint A to Endpoint B (or any other hosts). Original wireguard+pia code forked from thrnz/docker-wireguard-pia. 2:9000 from the server Btw your solution should've work The way to forward a port is: Begin by logging in to your router. The simplest way to do this is to enable a firewall with a “default deny” rule for packet forwarding, and add rules to allow forwarding packets between the WireGuard and LAN interfaces. 0" services: wireguard: image: linuxserver/wireguard. ip_forward sysctl parameter (or its alias I am running netmaker which is a wireguard mesh VPN service on a Docker container, and I need port 9981 to be reachable from the Docker container, so that I can docker-wireguard-pia A Docker container for using WireGuard with PIA. 10) PC with wireguard client (IP: 172. Installing the Wireguard Docker Container Step 1 – Create the folders needed for the Wireguard Docker container. src_valid_mark=1 restart: unless-stopped . 
In doing this, it is important to avoid accidentally enabling direct packet forwarding from the public internet to either the LAN or the VPN. conf. ) Router LAN (192. conf so the rule is set on tunnel creation and deleted before destruction: Docker + WireGuard VPN w/PIA (Port Forwarding) I have followed these two guides (mostly the first one) to set up a container that provides wireguard VPN access with PIA (PrivateInternetAccess) to my torrent downloader: https://spad. Port Forwarding You can use Docker’s normal port publishing options to make ports available through the VPN. ipv4. dat into that folder map a volume at /pia in the deluge container, doesn't matter if it's a volume or a bind point turn on both the wireguard and deluge containers in the deluge container run ln -s /config/port. My dedicated server We can tell WireGuard to forward that incoming port to qBittorrent via the following iptables rule: iptables -t nat -A PREROUTING -p tcp --dport 58787 -j DNAT --to Port Forwarding With Docker Behind CGNAT Hey guys, I've been struggling for a while now, trying to port forward something deployed in a docker container, with wireguard also RaspberryPi with Wireguard server (IP: 172. I installed pterodactyl panel (software that uses docker and creates game servers with a web interface) but I can't connect to any servers that I create on it. 04. In the docker stack it corresponds to the PEERS value. 0/24 dev eth0 PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # forwarding 443 from local network to wireguard interface PostUp = iptables -t nat -A PREROUTING -p tcp -i wg0 --dport 443 -j DNAT --to Port forwarding when using Wireguard. Port Forwarding With IPtables for Wireguard. First, you have to install the kernel module: # first check your kernel version uname -r # install wireguard kernel module apk add wireguard-${your_kernel_version} I have wireguard running in a container on a cloud-based VM. 1 will conflict with that. 
Creating this port forwarding rule will make an explicit exception for incoming WireGuard traffic, and thereby allow a connection. sh from the /config directory. And I make a docker-compose. Requirements The Wireguard kernel module must already be installed on the host. The networks are each connected to consumer Internet (dynamic IP) services using port-forwarding capable firewalls First, download the Wireguard client for your client device (Windows, Mac etc) Create a new tunnel, which will compute a Public/Private key combination. 8 port 36029 I'm thinking the final step is to run an iptables in the docker container itself to the wireguard client on 10. 2 (Docker Containers)] Details: Wireguard Server OS: Ubuntu 20. If it wasn't rejected, there would be anyway a routing issue in the peer because of the two separate LANs using the same IP address block. 0/0, ::/0 To run Wireguard in a container we need to configure the underlying host. 0) is reserved for the subnet itself, and the second IP address (192. Check Enabled. 1] <-> [Home Server 10. If you are using wireguard or openvpn naked, its not so easy. ), some are on bridged networks and expose certain ports (Portainer, nginx, etc. Docker enables more efficient use of system resources, enables application portability, shines for microservices architecture etc. 2 LTS ufw route allow proto tcp from any to 172. Doing so meant that I had to make firewall rules on my network firewall as well as set up port forwarding, and set the . 8' servi. This is the same approach used in the WireGuard Point to Site With Port Forwarding article, where we know all the traffic will come from Site B’s subnet ( 192. Port forwarding allows incoming connections on a specific port, enabling you to run various services on your device that need to be accessible from the Internet. Pre 5. Several sets of these containers need to route traffic through different VPNs. 
9" services: nextcloud: image: nextcloud container_name: nextcloud restart: always environment: POSTGRES_DB: nextcloud [interface] address = 10. In the place of 10. Port forwarding with iptables for Nextcloud (fpm+nginx) through Wireguard. 2:58787. If you don't know what it is then you can use curl ifconfig. In a normal CLI syntax you add: -p <host-port>:<container-port> This is an example command that maps port 443: Once you have that, when you log in on Windscribe's site, you can pick the "client id" and what internal and external ports you want. Routing Select Docker Containers through Wireguard VPN Viewing WireGuard Traffic with Tcpdump Leaning on Algo to route Docker traffic through Wireguard (most recent and consolidates the previous articles) Scenario: You have a host running many Docker containers. 2 \ wg-network \ example-web-server. wg show: You can exec into the container docker exec -it wireguard_wireguard_1 /bin/sh on the peer and run wg show. 200. Docker handles forwarding between the «external» and «internal» port. 0" services: wireguard: image: linuxserver/wireguard Code answers for docker compose - port forward from host ip to specific ip in container. 0" services: wireguard: image: linuxserver/wireguard [interface] address = 10. mount your deluge config directory to /pia-shared in the wireguard container so that it can write port. Upon first boot, the container will generate the peer configuration files. Port forwarding is a pretty standard feature in Docker. and double check if it’s present via command: ip -a. Relevant info: Client (vm on home network): Results of wg: This is the same approach used in the WireGuard Point to Site With Port Forwarding article, where we know all the traffic will come from Site B’s subnet ( 192. 6-apache and mysql:5. 0/0, ::/0 Here’s the entire client config again: [Interface] Address = 192. It intends to be considerably more performant than OpenVPN. 
Use the following command to generate the public and private keys: # Generate privatekey docker run --rm -i masipcat/wireguard-go wg genkey > privatekey # Generate publickey from privatekey docker run --rm -i masipcat/wireguard-go wg pubkey < privatekey > publickey Run server Docker Port forwarding is a pretty standard feature in Docker. dat to allow incoming connections to Transmission. [Interface] PrivateKey = (key) Address = 10. 04 was pretty easy, I followed this tutorial: How to setup your own VPN server using WireGuard on Ubuntu. If you don’t forward this port, your routers firewall will not allow your VPN connection to connect successfully. System 2. Share sudo apt install wireguard. Open a port on router and forward to the docker container host . Setting up a WireGuard VPN on Ubuntu 20. Let's add that to our wg0. Generate the peer private/public key pair and generate the preshared key. 2 to the server at home. 0/24 in that article). WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. 2/32 Table = 100 PreUp = ip rule add . #docker #containerGenerating a container from an image is easier than spending your vacation. Now we need to modify the connect script to do our bidding. 5. 177, and the port I want WireGuard to connect to is UDP 55107. Write down these two keys, which will be for the remote DSM server. cluster. First of all you need a key pair for the server. 1. Wireguard has very good. Final Setup Step This container is now configured and ready to run via docker-compose up. Type the IP address of your computer into the correct box in your router. Once wireguard has been started, you will be able to tail the logs to see the initial qr codes for your clients, but you have access to them on the config directory: $ docker-compose logs -f wireguard. Requirements Ideally the host must already support WireGuard. 5) |Pihole (192. 
If you had already started up a container you want to expose via WireGuard, you can connect it with the following command: $ sudo docker network connect \ --ip 192. 13. The client id has to match for the port forward to work. Config The following ENV vars are required: [interface] address = 10. net Step 3 - Add a port Step 4 - Test your port forwarding - Windows - using iPerf3 - Linux - using nc - macOS - using nc Step 5 - Find the IP address to connect to Using Mullvad on a router Troubleshooting FAQ What is port forwarding? I have wireguard-pia and transmission working fine, but I'm not sure what the best practice is for using the port. 5 dev docker0 src 192. 1 to the VPS and 192. 101. version: "3. 17. Make sure that you have the private key available from Step 1 — Installing WireGuard and Generating a Key Pair. local ”, but in many cases it can also be omitted. Code answers for docker compose - port forward from host ip to specific ip in container. /lib/modules ports: - 51820:51820/udp # wireguard udp port - 9001:9001 # port for Qbittorrent-nox sysctls: - net. 2 edit docker run -p 9000:80 nginx To port forward port 9000 of host machine to port 80 of container. The basic Docker container for wireGuard can run its own container. 0/0, ::/0 I have wireguard running in a container on a cloud-based VM. Some containers are on a MACVLAN network and receive regular IP Address in my LAN (e. ) Port forwarding with iptables for Nextcloud (fpm+nginx) through Wireguard. For this example, I assign 192. 8. Use the following command to generate the public and private keys: # Generate privatekey docker run --rm -i masipcat/wireguard-go wg genkey > privatekey # Generate publickey from privatekey docker run --rm -i masipcat/wireguard-go wg pubkey < privatekey > publickey. If you don’t forward this port, your router's firewall I installed pterodactyl panel (software that uses docker and creates game servers with a web interface) but I can't connect to any servers that I create on it. 
My Docker-compose is like this (slightly redacted): version: '3. UDP. Every client will have an ID. I am trying to reach my Nextcloud (fpm behind nginx) instance through a wireguard VPN, both running in a docker container. Click on "Add Peer": 7. IP forwarding will need to be enabled and allowed as well. Transmission integration heavily inspired (and sometimes directly taken from) haugene/docker-transmission-openvpn. We download our Cloud . dat /pia/forwarded_port I installed pterodactyl panel (software that uses docker and creates game servers with a web interface) but I can't connect to any servers that I create on it. 2:9000 instead of 172. local ”, but in many cases it can also be omitted. Transmission at 48602. To forward all the traffic through, simply change the AllowedIPs line on the client to this: AllowedIPs = 0. Here is the relevant info from my docker-compose. All you have to do in this case is add the static IP addresses to the AllowedIPs setting in the private server’s WireGuard config: As with the first scenario in this article, let's create our user defined bridge network with a specific subnet via docker network create --subnet 172. The config directory will have the config and qr codes as mentioned: Port Forwarding You can use Docker’s normal port publishing options to make ports available through the VPN. ip route replace 192. Setting Up The WireGuard VPN Client: 6. From a security perspective, what is generally seen as the safer solution? Some people fundamentally oppose giving cloudflare a tunnel into your network. 168. 
All you have to do in this case is add the static IP addresses to the AllowedIPs setting in the private server’s WireGuard config: After the recent addition of Multi-Hop for WireGuard, we are now introducing port forwarding support for Wireguard. If you are using the app, it's easy to figure out. Start up wireguard using docker compose: $ docker-compose up -d. 6 kernels may need to have the module docker-wireguard-pia A Docker container for using WireGuard with PIA. g. yml below: version: "1. me in your host terminal to figure . Find the port forwarding section in your router. 4. Then we can use the following compose yaml to create our containers: After the recent addition of Multi-Hop for WireGuard, we are now introducing port forwarding support for Wireguard. All you have to do in this case is add the static IP addresses to the AllowedIPs setting in the private server’s WireGuard config: 1 day ago · Port forwarding when using Wireguard. If a configuration change is needed that can be done only durin. So, for example, if your VPN provider gives you port 1234 and you want port 80 inside your container to be available through the VPN, call Docker with -p 1234:80 (do not forget the other required options explained above) or add WireGuard is a lightweight protocol with only about 4,000 lines of code. 0/24 via 172. The problem is that Wireguard configured such way that it turn all external connections off so this PC will never answer on connection. If you need client for other clients, check out the docs. Some routers need to be rebooted in order for the changes to be saved. In the place of remote_username put your user name. Config The following ENV vars are required: I have wireguard running in a container on a cloud-based VM. But the best practice is to let docker handle the port forwarding instead of iptables 1 The way to forward a port is: Begin by logging in to your router. Success! Your VPN should be up and running! 
We can tell WireGuard to forward that incoming port to qBittorrent via the following iptables rule: iptables -t nat -A PREROUTING -p tcp --dport 58787 -j DNAT --to-destination 172. 123. In Settings --> VPN Manager, activate WireGuard by enabling "Active" and enabling "Autostart" so that it automatically starts on boot up. 2 privatekey = listenport = 51820 dns = 10. It should output information about the best endpoint to connect to and an auth token to use for generating your client config. I can see udp traffic on the ethernet interface in the VM and container. The WireGuard tunnel over docker container is able to support any system capable of running Docker. The full form of a Service object's domain name is “object. Next, create the Wireguard interface: ip link add dev wg0 type wireguard. y. 11) RaspberryPi with Docker with containers of wireguard client (IP: If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Maybe some installation guide trying to obfuscate traffic through that. Port Forward Settings: How to view and use the configuration folders?. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost. 11) Start up wireguard using docker compose: $ docker-compose up -d Once wireguard has been started, you will be able to tail the logs to see the initial qr codes for your clients, but you have access to them on the config directory: $ docker-compose logs -f wireguard The config directory will have the config and qr codes as mentioned: First of all you need a key pair for the server. As with the first scenario in this article, let's create our user defined bridge network with a specific subnet via docker network create --subnet 172. Wireguard Docker Compose Stack Forward port 51820 on your Router to your Raspberry Pi. 
and also need port SSH (22) on host The Plex container using port 32400 from the PC and, The SSH port on the HOST of the RaspberryPi wireguard client The way to forward a port is: Begin by logging in to your router. The problems arose when I needed to forward port 27256 on the server to the VPN client. 27. 0/24 wgnet and create our folder with mkdir -p /home/aptalca/appdata/wireguard-client . Wireguard client is also available for other distributions and for Windows as well. Alternatively, you can use Docker Compose to set up the network and containers. If I'm thinking about it correctly, it will have made the subnet when starting wg and then use that address when starting up docker. networks: wireguard-vpn: ipam: config: - subnet: 10. If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. 64. If you for example need the container to forward for some other hosts in 192. Note that the first IP address in the subnet (192. Set peer type to "Remote Tunneled Access". An active PIA subscription. 2 options to open up WireGuard: Tunnel from a Cloudflare tunnel proxy into a docker container host . 11) RaspberryPi with Docker with containers of wireguard client (IP: 172. 0/24, you'll additionally need the same dnat rule in a chain of type nat hook prerouting priority dstnat. ) we want to configure with access to our LAN. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. I have a connection with Wireguard on a Windows PC and also need to be able to connect to this PC using its real IP with RDP. 9" services: nextcloud: image: nextcloud container_name: nextcloud restart: always environment: POSTGRES_DB: nextcloud POSTGRES_USER . Port forwarding when using Wireguard. local ”, but in many cases it can also be omitted. 
Port forwarding on your router (see your router's user manual on how to do it) External port 51820 UDP to internal port 51820 (IP of your NAS) Number of clients: We must know how many clients (smartphone, laptop, server in a different location . 2 put your IP address. 0/24) |Raspi (192. 100. 11) Start up wireguard using docker compose: $ docker-compose up -d Once wireguard has been started, you will be able to tail the logs to see the initial qr codes for your clients, but you have access to them on the config directory: $ docker-compose logs -f wireguard The config directory will have the config and qr codes as mentioned: WireGuard is a lightweight protocol with only about 4,000 lines of code. 123 . And as I said, I'm NOT sure if the rewriting tricks above for 127. 20. We found 1 code . all. But when the wireguard interface is enabled, the client that's trying to connect to it has no traffic. This article helps with setting up WireGuard tunnel using a docker container. In my docker-compose I have a php:5. So, for example, if your VPN provider gives you port 1234 and you want port 80 inside your container to be available through the VPN, call Docker with -p 1234:80 (do not forget the other required options explained above) or add Start up wireguard using docker compose: $ docker-compose up -d. 6 instance. Pihole, Unbound, etc. namespace. 0/24 services: transmission: . Enter a Description, like IVPN WG. x. 1 ListenPort = 51820 PrivateKey = (secret) PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE To run Wireguard in a container we need to configure the underlying host. It will let you know if the peers can communicate (handshake == good) tcpdump: You can run tcpdump -i wg0 on the remote server, then on your local machine ping: ping 10. 
1) Docker will use by default for the network’s gateway — so we’ll use the next available address in the subnet (192. Upload the Public key and obtain a client IP address: In the Tunnel Configuration > Interface Keys section, click the Generate key button, copy the Public key, then go to the IVPN Account Area by logging in to the ivpn . 1 postup = ip -4 route add 192. 5:9000. After the recent addition of Multi-Hop for WireGuard, we are now introducing port forwarding support for Wireguard. 8 port 36029 I'm thinking the final step is to run an iptables in the docker container itself to the wireguard client on 10. Click apply: I got port forwarding to work by a work-around hacky solution. Since containers share the host kernel you have to do some changes to make it work. local ”, but in many cases it can also be omitted. What I want to achieve is to be able to route specific internet traffic (ports 10000:11000 are set to accept traffic from the VPS firewall) from VPN to my Docker containers at home server. I want to use Wireguard to forward my qbittorrent network traffic. If you are using the app, it's easy to figure out. 192. As I know it is possible to make some kind of . WireGuard is open source. Port 9981 is open on the VPS on which Netmaker is hosted, but isn't reachable from within the Docker container. 66. The config directory will have the config and qr codes as mentioned: If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. GitHub repository: . Relevant info: Client (vm on home network): Results of wg: You can enable port forwarding for both WireGuard and OpenVPN by logging in and visiting the Port Forwarding tab in your client area. It took me most of a Sunday to figure out. 
Then we can use the following compose yaml to create our containers: WireGuard Point to Site With Port Forwarding Usually when you connect a remote endpoint to a local site, you want the endpoint to be able to access some resources (like a web app or a mail server) at the local site, and don’t need to allow hosts at the site to be able to initiate connections to the remote endpoint. Raspi with Docker and multiple Containers connected to my Router. /connect_to_wireguard_with_token. Then start up the containers you want to expose, specifying the network name and an available IP address in that network for each. Packet Forwarding on Host C The original WireGuard Hub and Spoke Configuration guide, in the “Configure Routing on Host C” section, directs you to to add the following line in the WireGuard configuration on Host C: PreUp = sysctl -w net. yml below: version: "1. uk/wireguard-as-a-vpn-client-in-docker-using-pia/ RaspberryPi with Wireguard server (IP: 172. 2 PrivateKey = <client's privatekey> ListenPort = 21841 [Peer] PublicKey = <server's publickey> Endpoint = <server's ip>:51820 AllowedIPs = 0. If I'm thinking about it correctly, it will have made the subnet when starting wg and then use that address when starting up docker. Success! Your VPN should be up and running! As with the first scenario in this article, let's create our user defined bridge network with a specific subnet via docker network create --subnet 172. Setup. WireGuard is designed as a general purpose VPN for running on embedded . 1 day ago · Port forwarding when using Wireguard. Try this. Once you have that, when you login on windscribes stie, you can pick the "client id" and what internal and external ports you want. 0. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. 2:9000 from the server Btw your solution should've work just need to curl 10. 
2 edit 2: using this command in the wireguard docker after doing the above worked: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 36029 -j DNAT --to-destination 10. dat into that folder; map a volume at /pia in the deluge container, doesn't matter if it's a volume or a bind point; turn on both the wireguard and deluge containers 2 options to open up WireGuard: Tunnel from a Cloudflare tunnel proxy into a docker container host . Most firewalls will not route ports forwarded on your WAN interface Routing Select Docker Containers through Wireguard VPN Viewing WireGuard Traffic with Tcpdump Leaning on Algo to route Docker traffic through Wireguard (most recent Unlike the directions from the WireGuard Point to Site With Port Forwarding guide, do not attempt to set the net. 1 ListenPort = 51820 PrivateKey = (secret) PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE … You can enable port forwarding for both WireGuard and OpenVPN by logging in and visiting the Port Forwarding tab in your client area. I have the following setup: Raspi with Docker and multiple Containers connected to my Router. Just a quick reminder to adjust the port forwarding settings in your router to forward port 51820 to your Docker host. Hosting Your Own VPN With WireGuard and Docker. Please note that WireGuard port forwarding will not be activated automatically until you have disconnected all your active sessions at least once. System 1. [Internet] <-> [Wireguard 10. Type the IP address of your computer into the correct box in 48602. WireGuard has gained a lot of traction as being the new standard. My VPS server's external static IP address is 18. 
networks: wireguard-vpn: ipv4_address: 10. 10. At this point if you want to test out the basics fire up the container, exec in and run . 23. Then you need to connect to 10. Is there any way to tell docker-compose to have port 3306 on the web container port forwarded to 3306 on the db container, so that when the web container tries to connect to localhost on 3306 it gets sent to db on 3306 and also share port 80 on the web container to the outside .