VPS WireGuard CGNAT

erverg
Level 1

Hello

I have a home server which is behind a CGNAT. Therefore, I use a VPS with a public IP which is connected to my virtual OPNsense via WireGuard to get around this. This works perfectly, and I can route the traffic from the VPS directly to my VMs. But I have a major problem: on the VMs I only see the WireGuard IP of the VPS (192.168.4.1) and not the source IPs of the clients that come in via the VPS. So every client who is connected has the same IP. I have been trying for days to find a solution, but I am desperate. I have also tried to establish the WireGuard connection to another server directly, but there too I see only the IP of the VPS WireGuard. What am I doing wrong here?

wg0.conf:

PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT

#HTTP/HTTPS
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 80 -j DNAT --to 10.0.102.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 443 -j DNAT --to 10.0.102.2

#XMPP
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5000 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5222 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5223 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5269 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5280 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5281 -j DNAT --to 10.0.101.2
# Rewrites the source address of everything leaving via wg0 (including the DNAT'd client traffic above) to the VPS's wg0 address
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT

#HTTP/HTTPS
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 80 -j DNAT --to 10.0.102.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 443 -j DNAT --to 10.0.102.2

#XMPP
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5000 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5222 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5223 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5269 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5280 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dport 5281 -j DNAT --to 10.0.101.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

Network:

[Screenshot from 2024-01-20 13-06-14.png: network diagram]
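Added example, not part of the post or the OPNsense/WireGuard projects: a small Python model that parses the DNAT and MASQUERADE rules from the wg0.conf above and replays one client packet through them, showing why the VMs log only 192.168.4.1 (which breaks per-client logging, rate limiting and incident attribution on the VMs) and what they would see once the MASQUERADE on wg0 is dropped. The client and VPS public addresses are constructed, and the model is not a netfilter emulation.

```python
"""Replay one client packet through the VPS PostUp rules from the post (added
example, not from the post). Not a netfilter emulation; addresses constructed."""
import re
from dataclasses import dataclass, replace
# Subset of the wg0.conf rules from the post (constructed sample input).
WG0_CONF = """\
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 443 -j DNAT --to 10.0.102.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 5222 -j DNAT --to 10.0.101.2
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
"""
WG0_ADDR = "192.168.4.1"  # the VPS's address on wg0, as stated in the post
DNAT_RE = re.compile(r"-A PREROUTING -i (\S+) .*--dport (\d+) -j DNAT --to (\S+)")
MASQ_RE = re.compile(r"-A POSTROUTING -o (\S+) -j MASQUERADE")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str = "eth0"

def parse_rules(conf):
    """Return ([(in_if, dport, dnat_target), ...], {interfaces with MASQUERADE})."""
    dnat, masq_ifs = [], set()
    for line in conf.splitlines():
        if not line.startswith("PostUp"):
            continue
        if m := DNAT_RE.search(line):
            dnat.append((m[1], int(m[2]), m[3]))
        elif m := MASQ_RE.search(line):
            masq_ifs.add(m[1])
    return dnat, masq_ifs

def forward(pkt, conf):
    """Packet as delivered to the VM, or None if no DNAT rule matches it."""
    dnat, masq_ifs = parse_rules(conf)
    for in_if, dport, target in dnat:
        if pkt.in_if == in_if and pkt.dport == dport:
            pkt = replace(pkt, dst=target)
            break
    else:
        return None
    # The DNAT target sits behind wg0; MASQUERADE on wg0 rewrites the source to
    # the VPS tunnel address, which is why every client looks like 192.168.4.1.
    return replace(pkt, src=WG0_ADDR) if "wg0" in masq_ifs else pkt

def without_wg0_masquerade(conf):
    """Same rules minus MASQUERADE on wg0, so the VM sees the real client IP; VM
    replies must then be routed back through the tunnel on the OPNsense side."""
    return "\n".join(l for l in conf.splitlines() if not MASQ_RE.search(l)) + "\n"
```

Dropping the MASQUERADE alone is not enough: the VM's replies to a public client address would follow OPNsense's default route out the CGNAT WAN, so a policy route (traffic from the forwarded VMs back via the WireGuard peer) is needed on the home side to keep the path symmetric.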

1 Reply

Hello
TBH I'm not familiar with your setup here; can you elaborate on how the VPS and your internal VMs connect?
If I'm not mistaken, it looks like you are still behind a CGNAT box via your home router, with the VPS reachable via your ISP's CGNAT IP?

If so, then you still won't have an accessible public IP address, as your home router will have the CGNAT address. Maybe UPnP could assist, but I wouldn't recommend it.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul