Skip to content

Instantly share code, notes, and snippets.

@Zane5
Forked from Quick104/readme.md
Created September 1, 2023 02:17
Show Gist options
  • Save Zane5/0ea1183a81f612d57e3650aca81fca90 to your computer and use it in GitHub Desktop.
Save Zane5/0ea1183a81f612d57e3650aca81fca90 to your computer and use it in GitHub Desktop.
Expose a server behind CG:NAT via Wireguard

99% of the information in this guide is taken from here: https://golb.hplar.ch/2019/01/expose-server-vpn.html I've added some stuff and changed some things to suit my needs.

A much easier method would be to follow: Routing Plex traffic through an SSH Tunnel

Both solutions work, however I've had better success with Wireguard.

Make sure your VPS is KVM. I've used both BuyVM and ServerCheap and have had good results.

Expose a server behind CG:NAT via Wireguard

Install WireGuard on your VPS and local server

sudo add-apt-repository ppa:wireguard/wireguard

sudo apt install wireguard

Configure WireGuard

Run the following two commands on both computers. The first command creates the private key and writes it directly into the WireGuard configuration file. The second command creates the public key, writes it into the file publickey and prints it into the console.

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Make a note of both public keys and open the WireGuard configuration file on both machines

sudo nano /etc/wireguard/wg0.conf

Enter the following configuration settings. For this example I assign 192.168.4.1 to the VPS and 192.168.4.2 to the server at home. Choose a network that is not already assigned in your home network. The external static IP address of my VPS server is 18.184.64.177 and the port I want WireGuard to connect to is UDP 55107. Make sure that you open an UDP port in the firewall of your VPS for WireGuard. Choose a random port.

VPS

PrivateKey = qHOQs4...
ListenPort = 55107
Address = 192.168.4.1

[Peer]
PublicKey =  ums9y... <--- public key from the machine at home
AllowedIPs = 192.168.4.2/32

Home Server

[Interface]
PrivateKey = OKNAiUi/u...
Address = 192.168.4.2

[Peer]
PublicKey = GJtb+O7nnT... <---- public key from VPS
AllowedIPs = 192.168.4.1/32
Endpoint = 18.184.64.177:55107
PersistentKeepalive = 25

Start WireGuard on both machines and enable it, so it automatically starts up the next time you reboot the computer.

sudo systemctl start wg-quick@wg0

sudo systemctl enable wg-quick@wg0

Forward Traffic

I have ports 80,443 and 32400 forwarded by default. Adding more is as simple as changing the port and running an additional command.

iptables -P FORWARD DROP &
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &

iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1 &

iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1 &

iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 32400 -m conntrack --ctstate NEW -j ACCEPT &
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to-destination 192.168.4.2 &
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 32400 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1

apt-get install iptables-persistent

All traffic on ports 80,443, and 32400 should now be forwarded to your local machine. If everything is hosted on a single machine you’re done.

Forwarding traffic from WireGuard VM to another local machine.

I’m running unRaid, which does not support WireGuard. (At the time of writing) I have an Ubuntu VM running and will use iptables to route the traffic accordingly.

192.168.25.9 is my Ubuntu VM, 192.168.25.5 is my unRaid. So change the IP's according to your setup.

Route from 192.168.25.9 to 192.168.25.5 Servercheap > Ubuntu VM > Unraid Host Ports 80>81, 443>444, 32400

sudo iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 192.168.25.5:32400 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 32400 -j SNAT --to-source 192.168.25.9 &

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.25.5:444 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 444 -j SNAT --to-source 192.168.25.9 &

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.25.5:81 &
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.25.5 --dport 81 -j SNAT --to-source 192.168.25.9

apt-get install iptables-persistent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment