Hey guys. I have Vultr cloud vps with ubuntu. Currently only used for my Unifi cloud controller. I’m trying to setup a wireguard jump setup to facilitate remote access to my LAN over my CGNAT WAN. Incoming Wireguard VPN for my personal services, and incoming port 443 for some servers, would go to the Vultr public IP. Then I need to route it through wireguard to my pfSense home firewall. Once one scene at home, haproxy handles the 443 stuff and wireguard handles my personal stuff.
I have followed these instructions to get Wireguard installed on the VPS. It is complete and operating as instructed. I have connected my home pfSense to it as peers and that interface is up and green. I have not configured any policy routing or firewall rules yet.
What I now need to know, is how on earth to I get incoming 52180 wireguard traffic and incoming 443 HTTPS traffic to the VPS routed to my home pfSense through that tunnel?
I wonder if it would be more simplistic to just spin up a separate VPS and run pfSense on it? The $4/mo might be worth not trying to cobble something together like this?
I have done this with my home setup. I have WireGuard and a reverse proxy on a VPS and any time I go to access my services from outside my lan, dns points to the vps which then tunnels all traffic back to my home lan.
I set this up first by making sure I could ping other devices in my “server vlan” from my VPS. This is accomplished by a few different things. “AllowedIPs” setting in WireGuard which I give it the network that I am able to access. I also had added the lines for masquerade nat but those ended up not being needed in this setup.
Then on my firewall, I needed to add a static route back to the VPS so return traffic could access it. This was much easier than individually adding static routes on all my containers.
With this setup, I am able to accomplish hosting anything I want at home and never publicly exposing my home IP address.
Could you please write some instructions on how you did this.
I did do this, but I ended up installing pfsense on a linode VPS, site to site wireguard tunnel, setup some static routes, and configure each wireguard gateway as each others upstream gateway to enable NAT, then the port forwarding on the pfsense forwards 25/80/443 to local pfsense and it works.
I just would like to know how to deploy just wireguard tunnel, without the need for pfsense on the vps.
I searched all over, and tried various configurations, but I now wonder if it was because I was trying to do the reverse proxy on my local pfsense, instead of in the vps. I still have my wireguard vps in linode setup, just not doing anything.
In my case, I was primarily doing this so I can forward port 25, as I have a 4G failover configured on my pfsense, but because of CGNAT, when the 4g is activated, I can’t get email to my server. My vps pfsense solution works, but as I said, I would like to know a how you did it.
No I don’t run WireGuard on more than one system. I run it on one system and have a static route in my Pfsense/OPNsense firewall that says if you are trying to reach the WireGuard network (10.90.0.0/24) go to this IP (172.16.0.20) for its gateway, then WireGuard takes over and tunnels that traffic out to the VPS. That covers return traffic, under “AllowedIPs” on the vps WireGuard instance, is an allowed rule for any ip in my server net (172.16.0.0/24). That allows the reverse proxy to ping and access any IP on the otherside of the tunnel that is associated with any service I run.
I would like to do like you with a debian vps already configured at OVH with wireguard.
And at home I have a netgate with pfsense+ I installed the wireguard package and the connection is green. but I don’t know how to do the rest of the setup to redirect http,https,… to a server at home.
If you could help me that would be great.
You have to setup a reverse proxy that will redirect all connections at that IP for the given websites to your lan. Additionally you need to make sure that on your VPS you are able to ping those addresses. Those steps could be broken up into two tasks; setup a reverse proxy and networking through the tunnel interface.
Have you worked on setting up nginx or Apache on your VPS?
So this would work as you describe for VPS → HAproxy → WG server ->WG client (dmz int)-> OPNsense → services on other vlan
How did you handle services running internally on a machine where not every service was to be exposed? Did you run into issues with containers and iptables restricting access?
Am I setting up HAproxy on OPNsense as well to redirect internal requests?
Is there a reason to have both HAproxy and nginx on my VPS simultaneously?
My setup was pretty simple. I don’t use ip tables to restrict access as that was handled by my router with rules there. I also don’t use HA Proxy, I use Nginx which would serve my certs on the VPS at the “edge.” For those IPs that are not world accessible, I also used my at home DNS resolver and a separate WireGuard tunnel.
Services would be available from the outside but honestly I rarely used that mode of entry to my network. That was more for other users I share with and for the random time my vpn to home would go down. Otherwise I used mostly my own vpn and internal nginx setup with certs.
I have since moved on from this and use only Cloudflare tunnels for accessing my services from the public. This way no more vps and I trust cloudflare to help stop more traffic than my own setup.
let me know if I am missing something. Other tunnel I use from phone. I really wanted to do site to site, but with your configuration, may be I will be able to do something i want.
If you are unable to ping anything then it is most likely a routeing issue. I had that issue where a client wouldn’t have a route to send the ICMP return packets too. I had to manually add the routes in to the clients. I recommend checking the routing tables in PF and seeing if you have a static route back to the the VPS. If not, create one. Then try and ping again.
