Port forwarding from VPS over wireguard to expose services on LAN

I have a very similar setup and problem as described in the following forum post: Port forward to a target device from VPS Wireguard (over VPN tunnel)

I have set up my WireGuard tunnel between OpenWrt and my VPS but am still struggling with port forwarding. I am essentially trying to expose a reverse proxy which runs on port 443 in my LAN through the WireGuard tunnel and out through the VPS, as I am trying to circumvent CG-NAT. I can ping devices on my LAN from my VPS but am still not able to expose my reverse proxy on my VPS. Could someone take a look at my WireGuard setup on my VPS and give me some pointers, because this is almost certainly where the problem is: while I can find my way around WireGuard, I'm not confident at all using iptables:


[Interface]
PrivateKey = <private key>
Address = 192.168.99.1/24
ListenPort = 56930
SaveConfig = true

PostUp = ufw route allow in on wg0 out on ens6
PostUp = iptables -t nat -I POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip route add 192.168.10.0/24 via 192.168.99.2
PostUp = iptables -t nat -I PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PostUp = iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens6
PreDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PreDown = ip route del 192.168.10.0/24 via 192.168.99.2
PreDown = iptables -t nat -D PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

What's this?

Also:

  • where's your allowed IP WG settings?

Ah yes. Thanks for spotting - removed. Had tried that before I added the LAN subnet to allowed IPs. But port forwarding is still not working.

[Interface]
Address = 192.168.99.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on ens6
PostUp = iptables -t nat -I POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PostUp = iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens6
PreDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PreDown = iptables -t nat -D PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
ListenPort = 56930
PrivateKey = Private Key

[Peer]
PublicKey = Public Key
AllowedIPs = 192.168.99.2/32, 192.168.10.0/24
Endpoint = WANIP:56930

If you have CG-NAT, what's this?

Should have clarified. Currently have a static IP but am imminently switching to Starlink and cancelling ADSL, so I'm setting everything up.

So, if you have a static IP, what's the need to setup the VPS?

If this is not your use case any longer, can you clarify?

In order to assist, we'll need to know what you actually desire to do.

I currently have an ADSL service with an associated static public IP, but this is going to be cancelled imminently and replaced with Starlink, which is CG-NAT. While I'm waiting for everything I need to set Starlink up, I'm setting everything up so that when I switch, everything will already be in place.


Okay, you'll have to remove that in the future.

Also, you need a route to lan_subnet via wg interface

Do not use a gateway IP, it's not needed on a Layer 3 tunnel.

Also, I assume you set up the remote site's service to use wg as its Internet via route/rules?

  1. Is this necessary as I can already ping devices on LAN from the VPS?

  2. No, I haven't - I assumed (perhaps wrongly) that as it's an incoming connection this wouldn't be necessary. So, would I use something like PBR to route traffic from that IP address on port 443 out via WireGuard?

In fact, as a test, using PBR to route all traffic from the client on my LAN through WireGuard, that client is unable to access the internet through the VPS.


Whatever OS is running on the VPS needs to be configured to forward IP. Since it is not OpenWrt (which is of course designed to forward IP by default), that issue is outside the scope of this forum.


It's Debian and I did configure it to forward IP. Not sure what's going on.

  • Again, this is not in the scope of the forum, but I provided a generic description.
  • Have you made the route noted?

That's interesting, but I see no configuration that should allow this (and the VPS is outside scope of the forum).

Partially solved. Allowed IPs on the OpenWrt peer config were incorrect. Should have been 0.0.0.0/0. Can now confirm that using PBR, clients can use the internet through the WireGuard tunnel. However, I still haven't been able to expose nginx on port 443 through WireGuard and the VPS.


I have this working.
At the VPS I'm using nginx as a reverse proxy to my LAN server.
But with this setup fail2ban is unusable, so securing ports isn't easy. But it works fine.

And I have the WireGuard client installed on the LAN server, not the OpenWrt router. I wanted to use the router, but I couldn't get it to work.

Fully solved now. Was missing a rule to allow in on ens6 out on wg0.
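The VPS side of the setup this thread converges on, as an added example that is not any poster's configuration: `vps_rules` renders the complete rule set (including the ens6-to-wg0 forward rule that was missing, and the choice between masquerading on wg0, which is why fail2ban on the LAN server only ever sees the VPS tunnel address, or keeping the client IP, which then requires the PBR return route discussed above), and `audit_rules` checks a PostUp list for the required pieces. Interface names, addresses and the sample PostUp list are taken from the thread; the functions only print commands and never apply them.

```shell
# Constructed example; prints rules rather than running them.
WAN_IF=ens6; WG_IF=wg0; LAN_NET=192.168.10.0/24; LAN_HOST=192.168.10.10; PORT=443

# Full VPS rule set. Mode "masq" (default) rewrites the client source to the
# VPS tunnel address, so the LAN server logs 192.168.99.1 for every client and
# per-IP tooling like fail2ban cannot tell them apart. Mode "keep" preserves
# the client IP, but then the LAN side must route the server's replies back
# into the tunnel (the PBR step from the thread) or they leave via the ISP WAN.
vps_rules() {
  mode=${1:-masq}
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "ufw route allow in on $WAN_IF out on $WG_IF"   # the rule the thread was missing
  echo "ufw route allow in on $WG_IF out on $WAN_IF"
  # DNAT only on the public interface and only the forwarded port.
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $LAN_HOST:$PORT"
  # Masquerade only LAN-originated traffic leaving via the WAN, not everything.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
  if [ "$mode" = masq ]; then
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $LAN_HOST -p tcp --dport $PORT -j MASQUERADE"
  fi
}

# Reads PostUp-style lines on stdin, prints each required element that is
# absent and returns the number missing (0 means the forward path is complete).
audit_rules() {
  cfg=$(cat); missing=0
  for need in \
    "route allow in on $WAN_IF out on $WG_IF" \
    "route allow in on $WG_IF out on $WAN_IF" \
    "PREROUTING -i $WAN_IF .*--dport $PORT -j DNAT --to-destination $LAN_HOST:$PORT" \
    "POSTROUTING -o $WAN_IF .*MASQUERADE"; do
    printf '%s\n' "$cfg" | grep -Eq "$need" || { echo "missing: $need"; missing=$((missing+1)); }
  done
  return $missing
}

# Sample input: the PostUp lines from the second config posted in the thread.
POSTER_POSTUP='ufw route allow in on wg0 out on ens6
iptables -t nat -I POSTROUTING -o ens6 -j MASQUERADE
iptables -t nat -I PREROUTING -i ens6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.10:443
iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE'

printf '%s\n' "$POSTER_POSTUP" | audit_rules || echo "forward path incomplete"
```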
