99% of the information in this guide is taken from here: https://golb.hplar.ch/2019/01/expose-server-vpn.html I've added some stuff and changed some things to suit my needs.
A much easier method would be to follow: Routing Plex traffic through an SSH Tunnel
Both solutions work, however I've had better success with Wireguard.
Make sure your VPS is KVM. I've used both BuyVM and ServerCheap and have had good results.
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard
Run the following two commands on both computers. The first command creates the private key and writes it directly into the WireGuard configuration file. The second command creates the public key, writes it into the file publickey and prints it into the console.
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Make a note of both public keys and open the WireGuard configuration file on both machines
sudo nano /etc/wireguard/wg0.conf
Enter the following configuration settings. For this example I assign 192.168.4.1 to the VPS and 192.168.4.2 to the server at home. Choose a network that is not already assigned in your home network. The external static IP address of my VPS server is 18.184.64.177 and the port I want WireGuard to connect to is UDP 55107. Make sure that you open an UDP port in the firewall of your VPS for WireGuard. Choose a random port.
PrivateKey = qHOQs4...
ListenPort = 55107
Address = 192.168.4.1
[Peer]
PublicKey = ums9y... <--- public key from the machine at home
AllowedIPs = 192.168.4.2/32
[Interface]
PrivateKey = OKNAiUi/u...
Address = 192.168.4.2
[Peer]
PublicKey = GJtb+O7nnT... <---- public key from VPS
AllowedIPs = 192.168.4.1/32
Endpoint = 18.184.64.177:55107
PersistentKeepalive = 25
Start WireGuard on both machines and enable it, so it automatically starts up the next time you reboot the computer.
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
I have ports 80,443 and 32400 forwarded by default. Adding more is as simple as changing the port and running an additional command.
iptables -P FORWARD DROP &
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1 &
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1 &
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 32400 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 32400 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
apt-get install iptables-persistent
All traffic on ports 80,443, and 32400 should now be forwarded to your local machine. If everything is hosted on a single machine you’re done.
I’m running unRaid, which does not support WireGuard. (At the time of writing) I have an Ubuntu VM running and will use iptables to route the traffic accordingly.
192.168.25.9 is my Ubuntu VM, 192.168.25.5 is my unRaid. So change the IP's according to your setup.
Route from 192.168.25.9 to 192.168.25.5 Servercheap > Ubuntu VM > Unraid Host Ports 80>81, 443>444, 32400
sudo iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 192.168.25.5:32400 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 32400 -j SNAT --to-source 192.168.25.9 &
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.25.5:444 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 444 -j SNAT --to-source 192.168.25.9 &
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.25.5:81 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 81 -j SNAT --to-source 192.168.25.9
apt-get install iptables-persistent