[Solved] Using the InternetIP of my Hetzner server doing port forward to the Synology in my home-network connected via wireguard

I have a server hosted at hetzner.de which has a real Internet-IPV4.
At home I use a fritzbox ( and a Synology ( behind it which does my mail (Mailplus-Server).
The mails came via a dyndns MX entry from Hetzner.
For a few days now, German Telekom has been blacklisting mail servers with dynamic IPs, so I have problems getting my mail from certain servers that use this blacklist server from Telekom.
My Internet Provider at home (1&1) does not give out fixed IPs.
So my idea was to connect the hetzner server with my private network at home via an OpenWRT-Router with wireguard. The connection is working fine and stable.
Now I do a port-forward at hetzner server in shorewall for all possible mail-ports (25/465/587) to the local IP of my Synology. Then I change the MX to the fixed IP of the hetzner server.
The problem is: the Synology gets packets through the wireguard tunnel from the Hetzner server and answers to the internet IPs via the FritzBox, not via the wireguard tunnel.
The mail-servers will answer: Was not talking to you.
So I would like to masquerade (in the OpenWRT-Router) traffic that comes from wg0 to the Synology, so the external traffic hides behind the local IP of the OpenWrt router and the Synology thinks it communicates locally with OpenWrt.
This should be something like
iptables -t nat -I POSTROUTING -s -sourceinterface wg0 -d -j MASQUERADE
I know this command does not work. But logically as an example.
How do I do that in OpenWRT? I only found examples for masq from internal to external.
I need examples from vpn interface to internal interface.


If you add the WG interface to the WAN zone it will masquerade automatically.

BTW, you do not need a port forward if you set it up like a site-to-site setup:


Hello egc.
Thank you for your answer, but I think it will masquerade in the wrong direction: local to wireguard.
I need it the other way around.
About the site-to-site: my wireguard is already configured like this and works. I can ping from all local devices to the Hetzner server and vice versa. But the mail servers from the internet go to the external IP of the Hetzner server, which forwards the packages to the local Synology behind the wireguard tunnel.
So the Synology gets a packet from an internet mail-server through the wireguard tunnel and sends the answer to the FritzBox, as it came from an external IP. The internet mail-server receives the answer from a different IP and will say "was not talking to you".
Therefore I need the masquerade from wireguard to the internal network to hide the external IP of the mail-server from the Synology. The Synology receives a packet originating from the OpenWRT-Router and sends the answer back to OpenWRT, which looks into its masquerading table and sends the answer back to the internet mail-server ......
Hmmm. I think I found another problem: will the OpenWRT-router really send it back through the tunnel? As it is an external IP, the route over FritzBox will have lower metric......ok I can fix that by routing all internet traffic of OpenWRT-Router through the wireguard tunnel.......
But maybe I should masquerade the traffic at the hetzner server: all coming from internet to wireguard masq....
Is there nobody who already did this and can give me hints?


Assuming that your site-to-site connection is configured correctly, enable transit traffic forwardings and disable masquerading and redirects on OpenWrt.
It should work as long as you route all traffic to the VPN, otherwise use PBR to configure routing for port forward replies.


I think I see the problem, you do not have a default route back to the VPS?

If you route all traffic back to the VPS your problem should be solved but maybe that is not what you want.

Alternatively MASQUERADING on the VPS might do the trick:
iptables -t nat -I POSTROUTING -o wg0 -d -j MASQUERADE

Edit: using PBR and route everything from the mail server via the VPN is also a viable solution.


Since I do not want all traffic to go into wg I tried egc's solution and it works perfectly.
Thanks to vgaetera and egc for the answers.
I do have a similar problem with another router, but there the iptables line should be translated to OpenWRT-command-line-code.
Would someone be so kind and write the line I have to enter at OpenWRT-command Line?

If you need to translate iptables to nftables, see: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

Do you know how to set up "PBR" on the mail server?

This site is great. Thank you @egc .
@dunnos: you mean the solution egc gave me? It is already running. I will try to translate that to shorewall....


Yes, what solutions have you tried?

Just entered the line

iptables -t nat -I POSTROUTING -o wg0 -d -j MASQUERADE

at my Hetzner-Server, and it ran.
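
The port forward plus the masquerade rule discussed in this thread, written as a standalone nftables ruleset for the VPS side; this is an added example, not a post from the thread. The address 192.0.2.10 (documentation range) stands in for the mail server's LAN address, which the page omits, and the interface name eth0 and the table name mailfwd are assumptions. It narrows the thread's rule to the three mail ports instead of all traffic to the host, and assumes the port forward is not already done by another firewall front end.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Placeholders and assumptions:
#   WAN_IF     public interface of the VPS (assumed name)
#   WG_IF      WireGuard interface, wg0 as in the thread
#   MAIL_HOST  LAN address of the mail server; 192.0.2.10 is a
#              documentation-range placeholder, replace it
#   mailfwd    table name chosen for this example
define WAN_IF     = "eth0"
define WG_IF      = "wg0"
define MAIL_HOST  = 192.0.2.10
define MAIL_PORTS = { 25, 465, 587 }

# Create-then-delete makes the file safe to load repeatedly and
# leaves every other table on the host untouched.
table ip mailfwd
delete table ip mailfwd

table ip mailfwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forward: mail traffic arriving on the public interface
        # is sent to the mail host behind the tunnel.
        iifname $WAN_IF tcp dport $MAIL_PORTS dnat to $MAIL_HOST
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT on the way into the tunnel: the mail host sees the
        # VPS tunnel address as the sender, so its replies return
        # through wg0 instead of leaving via the home router.
        # Trade-off: the mail host no longer sees the real client IP,
        # so per-client rate limits and source-IP blocklists on the
        # mail host evaluate a single address for all remote senders.
        oifname $WG_IF ip daddr $MAIL_HOST tcp dport $MAIL_PORTS masquerade
    }
}
```

Load it as root with `nft -f <file>` and inspect the result with `nft list table ip mailfwd`.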
