Duckdns/wireguard remote access help please!

Any other thoughts regarding this? Thank you for your time and effort looking into this!

Not really.
You should have a public IP from the VPN provider, say 1.2.3.4. You can assign a DuckDNS name to that. Then the VPN provider will forward ports, for example 4001-4005, to 10.99.0.5.
From there you should take action and must forward the 5 ports in the example above to the internal ones. For example, 4001 will go to 192.168.1.153:444.
Verify with the VPN which one is the public IP and which ports will be forwarded to your tunnel end.
Verify the redirects are correct and have hits.


Finally managed to get it working using the Unraid WireGuard plugin. Thank you very much!

Additionally, I've been looking to use Unraid's letsencrypt/nginx (reverse proxy) to access NC, but it requires forwarding ports HTTP 80 and HTTPS 443. Do you know if that's possible in Network/Firewall/Port Forwards? I do not see those as an option.

These ports must be forwarded by the VPN provider and I don't think they will do that.


The VPN provider is advising me that I can redirect 80 and 443 to one of their assigned ports. I've created those rules in LuCI but nginx (reverse proxy) is unable to create an SSL certificate. Ports 80 and 443 are still closed on port check but their assigned ports are open. Would that still work in your opinion?

No, Let's Encrypt expects to reach your server on ports 80 and 443.


Thank you, that confirms my suspicions too. In the meantime I've been trying to get VPN policy routing working; that way I can connect directly to my ISP. I have posted in that thread because my internet connection just drops when it is activated (possibly DNS related). If you have any ideas on this let me know; if not, thank you for all your help!


Hi trendy, just continuing with our discussion regarding NGINX with the requested information:

config redirect
    option src 'wan'
    option src_dport '80'
    option target 'DNAT'
    option name 'HTTP'
    option dest_port '2xx'
    option dest 'lan'
    option dest_ip '192.168.1.xxx'
    list proto 'tcp'

config forwarding
    option dest 'WGZONE'
    option src 'lan'

config redirect
    option dest_port '24xx'
    option src 'wan'
    option name 'HTTPs'
    option target 'DNAT'
    option dest_ip '192.168.1.xxx'
    option dest 'lan'
    list proto 'tcp'
    option src_dport '443'

iptables-save -c

# Generated by iptables-save v1.8.3 on Sat May 16 20:54:25 2020
*nat
.......
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:2xx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:2xx
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2xxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2xxx
.......


Ports 80 and 443 are open on canyouseeme.org but when I go to example.duckdns.org it shows "this site can't be reached".
Thank you.

The redirects are there alright, but there are no hits, which means there was no incoming packet.
Try to connect once again and verify that the counters at the beginning of the lines are not 0:0.
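
Added example, not part of the thread: the counter check described in the reply above, written as a shell function that reads `iptables-save -c` output and flags DNAT rules that no packet has matched. The names `dnat_hits` and `sample_rules` are made up for this example; the sample lines are the rule lines posted in this thread.

```shell
#!/bin/sh
# Added example. dnat_hits and sample_rules are hypothetical names.
# Reads `iptables-save -c` output on stdin and prints one line per DNAT rule:
#   status packets bytes proto dport destination
# NOHIT means no packet has matched the rule since the counters were reset.
dnat_hits() {
    awk '
    # Rule lines begin with the [packets:bytes] pair; keep only DNAT rules.
    /^\[[0-9]+:[0-9]+\] / && / -j DNAT / {
        split(substr($1, 2, length($1) - 2), c, ":")
        proto = "-"; dport = "-"; dest = "-"
        for (i = 2; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
        }
        status = (c[1] + 0 > 0) ? "HIT" : "NOHIT"
        print status, c[1], c[2], proto, dport, dest
    }'
}

# Sample input: rule lines as posted in this thread (addresses redacted there).
sample_rules() {
    cat <<'EOF'
*nat
[1:60] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:280
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:280
[2:120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2443
EOF
}

# On the router: iptables-save -c | dnat_hits
sample_rules | dnat_hits
```

A tcp rule that still reports NOHIT after a connection attempt means the packet never arrived at the wan zone, so the problem is upstream of the redirect.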

[1:60] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:280
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.xxx:280
[2:120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPs" -j DNAT --to-destination 192.168.1.xxx:2443

There appear to be some hits now?? But the site still can't be reached.

Yes, now it is better. Clear the browser cache, verify on the server that packets are received from 192.168.1.153 and that the marking for .153 is correct to send traffic out of the pppoe-wan and not via WireGuard.

Sorry, how do I do that? Thanks
By the way, I can reach NC using the duckdns domain with my phone's 4G connection so the reverse proxy is working :smiley: But not from my server or other devices within the LAN!!

Don't use the duckdns name when you are inside the LAN.

Ah, I've got it working but it requires: internal IP address:port/apps/files
You're brilliant, thank you very much for your patience and help in dealing with this :smiley:
