How To expose Service from LAN via Wireguard via VPS

Sterlink · May 17, 2025, 3:16pm

I'd like to expose a local say SSH server on a static public IP.
Have a VPS with IP 1.2.3.4
And a LAN 192.168.1.0/24

A Wireguard setup from VPS to OWRT 172.20.0.0/24
Allowed IP 0.0.0.0/0 on the OWRT side
Extra Routing Table 1234 on the OWRT side with default route setup (actually wireguard does that automatically when you have 0.0.0.0/0 in allowed ips).
Allowed IP 172.20.0.0/24, 192.168.1.0/24 on the VPS side

On the VPS I have a NAT Rule
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.23:22

And then in OWRT an additional FW zone wich currently allows everything from/to

So what is happening when I connect to from PUBLIC_IP 1.2.3.4:2222:
Traffic gets prerouted to 192.168.1.23:22
SSH server responds to PUBLIC_IP
OWRT tries to route that packet via WAN cause that's in the default routing table

Question: How can I (with contrack or mark or whatever) identify the return packets and assign them to the 1234 routing table so they go back where the request came from, the Wireguard interface.

I know that I could add SNAT on the VPS so then the dest of the return packet has a 172 address and rules for that are already set up automatically by wireguard.

But I don't want that, cause I need the SSH server to know the original source address.

I Also tried double DNAT with fwmark but those marks have no effect on the return packets.

egc · May 17, 2025, 3:30pm

You can use pbr to add port 22 of 192.168.1.23 to table 1234

Sterlink · May 17, 2025, 4:17pm

Extremely comprehensive answer
But anyway that would then route ALL traffic from 192.168.1.23:22 to table 1234
So it would break local connects that go over the router.
There is no way to define "except CIDR" in pbr.

egc · May 17, 2025, 4:37pm

Local connections are handled locally on the same subnet. So that should not be a problem.

Edit for (other) local routes copy those local routes also over to table 1234

Edit 2 alternative solution is to masquerade the traffic from the vps wireguard interface

Sterlink · May 17, 2025, 7:16pm

Yeah thats SNAT which I dont want.
Anyway, TY for the PBR hint, got it working that way.
Although I'm not convinced, this is not a very elegant solution.
Wireguard already sets up additional route tables if you want it to do.
PBR isnt even using them but adding its own fwmarks for mached packets.
And then you also need additional policies if you have local traffic from lan a to lan b that goes over the router, so that this traffic from the respective source not also leaves via WG

There must be a more elegant conntrack solution to this problem?
Whatever comes in over X must go out over X

egc · May 18, 2025, 6:45am

Understand that you do not want that, you loose logging and access control etc.

not that I know of but if you find it please report

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

system · May 31, 2025, 7:38am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.