Using DO droplet to circumvent CGNAT

To make a long story short, I moved and ATM only have cellular net access, which means IPv4 only and CGN. Ain't working well with my self-hosted stuff.
So I cooked up a scheme to use a pfSense instance in Digital Ocean and a WireGuard tunnel to relay traffic back to my router. Used WireGuard to encapsulate traffic and that part works; the HE tunnel works, so I assume the routing from the DO droplet to my router is correct (added the wg tunnel as gateway for my local subnets). Replicated the original FW rules from the local router's WAN onto the wg tab on the local firewall and onto the WAN tab on the DO droplet.
But for some reason it does not work even though every relevant firewall rule is set to use the DO droplet as gateway… (Talking about IPv4 here; most of the time I use my phone to remotely access stuff, but the carrier lives in the dark ages and only offers CGN v4.)

I'm starting to give up here; no matter what I do it simply refuses to work. Nothing responds from behind the router and HAProxy stubbornly replies from the main WAN instead of from the droplet through the VPN tunnel. And if I set the default gateway to the DO droplet (while also modifying the FW rules to make sure everything uses the main gateway except for the exposed stuff), all it does is totally mess up the routing and I lose internet connection :confused:.
Is there a way to rewrite incoming IPv4 packets into v6? (Tried Google but haven't found anything that could help.)

Maybe this will help

Are you masquerading on the DO end? I would not NAT on the DO end. I would just stand up a Linux system with two interfaces: eth0 and wg0. Then set up forwarding rules for various ports being redirected to the wg IP on the home router. I'd grab a domain name for this setup too.

The issue isn't the NAT or the forward (that part works, traffic gets to the home router), it's routing (traffic leaves on the "real" WAN instead of the VPN). I could set the default GW to the droplet after the VPN establishes, but then it will break when the cellular signal randomly decides to drop out and messes up everything…

Thanks, I'll look into it. I'll try HAProxy first (readily available in pfSense); latency is already abysmal so hopefully it won't make it that much worse…

So when you set your home gateway to use wg0 things work for a while? So this is working then? Not sure why the tunnel wouldn’t come right back up after your signal does, but I am suspicious this setup is never working.

If layer 1 is the real issue then anything else you try higher up the stack will be problematic too. Also, the HAProxy method will be a pain with dynamic IPv4 at the home router.

The default route is the culprit: wg tries to use the tunnel to connect, which does not exist after the connection breaks… But if I set it to the real WAN, everything running on the router will try to reply from it instead of the tunnel.

I won't be using the WAN IP (how could I from behind CGN?). I'll use the tunnel for that, and the droplet end is fixed. (I must have that tunnel regardless; HE tunnelbroker doesn't work without being able to ping the IP initially.)

OK. I would leave the default gateway alone and just manually adjust the routes for your various subnets. Just make those subnets route out wg0 at your home gateway.
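The two pieces of advice in this thread (forward only specific ports on the droplet without masquerading, and leave the home default route alone while steering the exposed services' replies back out wg0) fit together as a source-based policy route on the home side. The script below is an added example written for a Linux router with nftables and iproute2, not code from the thread or from pfSense (the pfSense equivalent is a gateway on the WireGuard interface plus policy rules on the wg tab). All addresses, interface names and ports in it are assumptions: droplet wg0 = 10.200.0.1, home wg0 = 10.200.0.2 with HAProxy listening there, and TCP 80/443 as the exposed ports. It prints the commands by default and only executes them when APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses and ports below are assumed:
#   droplet: public IPv4 on eth0, WireGuard wg0 = 10.200.0.1
#   home:    WireGuard wg0 = 10.200.0.2 (HAProxy listens there), default route on cellular WAN
#   exposed: TCP 80 and 443 (placeholder ports)
# Dry-run by default (commands are printed). Set APPLY=1 and run as root to execute them.
set -eu

DO_WAN_IF="eth0"
WG_IF="wg0"
DO_WG_IP="10.200.0.1"
HOME_WG_IP="10.200.0.2"
FORWARD_PORTS="80 443"
POLICY_TABLE="100"

# Droplet side: DNAT only the listed ports down the tunnel and forward nothing else
# (forward chain policy is drop). No masquerade toward the home side, so the home
# router sees the real client address and its replies must return through the tunnel.
droplet_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "nft add table ip relay"
    echo "nft add chain ip relay prerouting '{ type nat hook prerouting priority -100; }'"
    echo "nft add chain ip relay forward '{ type filter hook forward priority 0; policy drop; }'"
    for port in $FORWARD_PORTS; do
        echo "nft add rule ip relay prerouting iifname $DO_WAN_IF tcp dport $port dnat to $HOME_WG_IP"
        echo "nft add rule ip relay forward iifname $DO_WAN_IF oifname $WG_IF tcp dport $port ct state new,established accept"
    done
    # Return path for the forwarded sessions only; conntrack undoes the DNAT.
    echo "nft add rule ip relay forward iifname $WG_IF oifname $DO_WAN_IF ct state established,related accept"
}

# Home side: keep the default route on the cellular WAN (the tunnel endpoint must stay
# reachable when the signal flaps). A source-based rule sends anything answering *from*
# the tunnel address back out wg0, so the exposed services stop replying via the real WAN.
home_commands() {
    echo "ip route replace default via $DO_WG_IP dev $WG_IF table $POLICY_TABLE"
    echo "ip rule add from $HOME_WG_IP lookup $POLICY_TABLE"
}

# Execute the emitted commands only when explicitly requested as root; otherwise print them.
run_commands() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
        "$1" | sh -e
    else
        "$1"
    fi
}

case "${1:-}" in
    droplet) run_commands droplet_commands ;;
    home)    run_commands home_commands ;;
    *)       echo "usage: $0 droplet|home   (APPLY=1 as root to execute)" ;;
esac
```

Run it as `sh relay.sh droplet` on the droplet and `sh relay.sh home` on the home router to review the plan first. The policy rule only matches traffic sourced from the tunnel address, which is why the exposed service has to listen on (or at least answer from) 10.200.0.2; LAN-originated traffic keeps using the cellular default route, so a dropped tunnel does not take the whole connection down. `ip rule add` is not idempotent, so re-running the home side appends duplicate rules; delete the old one or check `ip rule show` first.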

Good point on the HA front. I was thinking you were trying to use it exclusively, which wouldn't work with CGN.