VPS > Wireguard > Home pfSense for incoming web traffic

Hey guys. I have Vultr cloud vps with ubuntu. Currently only used for my Unifi cloud controller. I’m trying to setup a wireguard jump setup to facilitate remote access to my LAN over my CGNAT WAN. Incoming Wireguard VPN for my personal services, and incoming port 443 for some servers, would go to the Vultr public IP. Then I need to route it through wireguard to my pfSense home firewall. Once one scene at home, haproxy handles the 443 stuff and wireguard handles my personal stuff.

I have followed these instructions to get Wireguard installed on the VPS. It is complete and operating as instructed. I have connected my home pfSense to it as peers and that interface is up and green. I have not configured any policy routing or firewall rules yet.

What I now need to know, is how on earth to I get incoming 52180 wireguard traffic and incoming 443 HTTPS traffic to the VPS routed to my home pfSense through that tunnel?

I am not aware of a way to get port forward to come back across the tunnet.

You probably need something like in this post. Also there might be some Wireguard related settings you have to tweak, like AllowedIPs.

I wonder if it would be more simplistic to just spin up a separate VPS and run pfSense on it? The $4/mo might be worth not trying to cobble something together like this?

I have done this with my home setup. I have WireGuard and a reverse proxy on a VPS and any time I go to access my services from outside my lan, dns points to the vps which then tunnels all traffic back to my home lan.

I set this up first by making sure I could ping other devices in my “server vlan” from my VPS. This is accomplished by a few different things. “AllowedIPs” setting in WireGuard which I give it the network that I am able to access. I also had added the lines for masquerade nat but those ended up not being needed in this setup.

Then on my firewall, I needed to add a static route back to the VPS so return traffic could access it. This was much easier than individually adding static routes on all my containers.

With this setup, I am able to accomplish hosting anything I want at home and never publicly exposing my home IP address.

Reach out if you go through it and need any help.

Could you please write some instructions on how you did this.

I did do this, but I ended up installing pfsense on a linode VPS, site to site wireguard tunnel, setup some static routes, and configure each wireguard gateway as each others upstream gateway to enable NAT, then the port forwarding on the pfsense forwards 25/80/443 to local pfsense and it works.

I just would like to know how to deploy just wireguard tunnel, without the need for pfsense on the vps.
I searched all over, and tried various configurations, but I now wonder if it was because I was trying to do the reverse proxy on my local pfsense, instead of in the vps. I still have my wireguard vps in linode setup, just not doing anything.

In my case, I was primarily doing this so I can forward port 25, as I have a 4G failover configured on my pfsense, but because of CGNAT, when the 4g is activated, I can’t get email to my server. My vps pfsense solution works, but as I said, I would like to know a how you did it.

  1. Setup WireGuard on VPS
  2. Setup WireGuard at “home location”
  3. Validate that you are able to ping from VPS to WireGuard home location.
  4. Setup Reverse proxy on VPS
  5. All reverse proxy requests forward to local lan IP
  6. At home location, setup static route that says any ip is able to access WireGuard subnet. (This allows return traffic to the WireGuard interface)
  7. Profit and enjoy.

So the only thing I did different was try and use my reverse proxy locally.

Thanks, I’ll give it a look

Do you have wireguard configured on your local systems?
How can you ping from VPS to local ip’s without any routing?
What firewall are you using?

I don’t understand how you can ping internal ip’s.

No I don’t run WireGuard on more than one system. I run it on one system and have a static route in my Pfsense/OPNsense firewall that says if you are trying to reach the WireGuard network ( go to this IP ( for its gateway, then WireGuard takes over and tunnels that traffic out to the VPS. That covers return traffic, under “AllowedIPs” on the vps WireGuard instance, is an allowed rule for any ip in my server net ( That allows the reverse proxy to ping and access any IP on the otherside of the tunnel that is associated with any service I run.


I would like to do like you with a debian vps already configured at OVH with wireguard.
And at home I have a netgate with pfsense+ I installed the wireguard package and the connection is green. but I don’t know how to do the rest of the setup to redirect http,https,… to a server at home.
If you could help me that would be great.

many thanks

You have to setup a reverse proxy that will redirect all connections at that IP for the given websites to your lan. Additionally you need to make sure that on your VPS you are able to ping those addresses. Those steps could be broken up into two tasks; setup a reverse proxy and networking through the tunnel interface.

Have you worked on setting up nginx or Apache on your VPS?