I have setup my wireguard tunnel between Openwrt and my VPS but still struggling with port forwarding. I am essentially trying to expose a reverse proxy which runs on port 443 in my lan through the wireguard tunnel and out through the VPS as I am trying to circumvent CG-NAT. I can ping devices on my LAN from my VPS but still not able to expose my reverse proxy on my VPS. Could someone take a look at my Wireguard setup on my VPS and give me some pointers because this is almost certainly where the problem is as while I can find myself away around wireguard I'm not confident at all using iptables:
PrivateKey = <private key>
Address = 192.168.99.1/24
ListenPort = 56930
SaveConfig = true
PostUp = ufw route allow in on wg0 out on ens6
PostUp = iptables -t nat -I POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip route add 192.168.10.0/24 via 192.168.99.2
PostUp = iptables -t nat -I PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PostUp = iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens6
PreDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PreDown = ip route del 192.168.10.0/24 via 192.168.99.2
PreDown = iptables -t nat -D PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
I currently have an ADSL service with associated static public IP but this is going to be cancelled imminently and replaced with starlink which is CG-NAT. While I'm waiting for everything I need to set starlink up, I'm setting everything up so when I switch everything will already be set up.
Is this necessary as I can already ping devices on LAN from the VPS?
No I haven't - I assumed (perhaps wrongly) as it's an incoming connection this wouldn't be necessary. So, would I use something like pbr to route traffic from that IP address on port 443 out via wireguard?
Partially solved. Allowed IP's on the openwrt peer config were incorrect. Should have been 0.0.0.0/0. Can now confirm that using pbr clients can use the internet through the wireguard tunnel. However, I still haven't been able to expose nginx on port 443 through wireguard and VPS.