RavingRobot, 2022-04-17 13:57:33
linux

Port-forwarding with WireGuard and UFW?

There is a home server. It runs Portainer, Home Assistant and TeamSpeak 3 in Docker. There is also a VPS server. WireGuard is configured between them. Home resources are available from the VPS, for example curl 20.20.20.2:8123 gives the answer. But it is not possible to configure port-forwarding so that the resources of the home server are available via the VPS IP, so as not to shine the home IP (not only friends, but also acquaintances and unfamiliar people can enter TeamSpeak). I tried different guides, tips, etc., nothing helped.

Current settings:
VPS WG config

[Interface]
PrivateKey = aBVntnMA2P+Tc4J82k+MueK4FlGtNrHgozo2sGRpDlg=
Address = 20.20.20.1/24
ListenPort = 51820
PreUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreUp = iptables -t nat -A PREROUTING -d %VPSIP% -p tcp --dport 8123 -j DNAT --to-destination 20.20.20.2
PostDown = iptables -t nat -D PREROUTING -d %VPSIP% -p tcp --dport 8123 -j DNAT --to-destination 20.20.20.2

[Peer]
PublicKey = 2mQadCFPdp6H3iItOt2enpTORSD9TGZ9sP9S+AIpCRo=
AllowedIPs = 20.20.20.2/32

VPS UFW
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
51820                      ALLOW       Anywhere
8123                       ALLOW       Anywhere

VPS iptables -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15   780 DNAT       tcp  --  *      *       0.0.0.0/0            %VPSIP%       tcp dpt:8123 to:20.20.20.2

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

1 answer(s)
A1RWALK3R, 2022-04-18
@RavingRobot

I suppose the key here is "so as not to shine the home IP", and the task is to separate flies from cutlets: VPN and TeamSpeak 3 should be available at the VPS IP address, but not intersect, right?
In this case, forward the associated port of the home server with the TeamSpeak 3 container on the home router to the VPS IP port that you will allocate for connections to the TeamSpeak 3 server, and from the VPS side to the external IP:port of the home network. Don't forget to open the port in UFW on the VPS.
At the same time, in the case of a white IP of the home network, we configure iptables on the VPS like this, and in the case of a gray one and the presence of DDNS, like this.
PS: PrivateKey is private for a reason, so that it does not shine.
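The question's config only DNATs the port and accepts forwarding for packets that arrive on the WireGuard interface, so with UFW's default FORWARD policy of DROP the redirected packets never reach the tunnel, and even if they did, the home peer would answer the client's public address via its own default route rather than through the tunnel. The script below, an added example that is not from either post, generates the complete rule set for forwarding one VPS port to the tunnel peer as PostUp/PostDown lines; the public interface eth0, tunnel interface wg0, the documentation address 203.0.113.10 standing in for %VPSIP%, and the peer 20.20.20.2 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: emit the iptables rules needed to forward VPS_IP:PORT over
# WireGuard to a peer, so clients only ever see the VPS address.
set -eu

# wg_forward_rules ACTION VPS_IP PORT PEER_IP [PROTO] [WG_IF] [PUB_IF]
# ACTION is -A (add, for PostUp) or -D (delete, for PostDown).
# Prints one iptables command per line; nothing is executed here.
wg_forward_rules() {
    action=$1; vps_ip=$2; port=$3; peer_ip=$4
    proto=${5:-tcp}; wg_if=${6:-wg0}; pub_if=${7:-eth0}
    # 1. Rewrite the destination of packets arriving at VPS_IP:PORT to the peer.
    printf 'iptables -t nat %s PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$action" "$pub_if" "$vps_ip" "$proto" "$port" "$peer_ip" "$port"
    # 2. Allow only that rewritten traffic into the tunnel. Rules appended to
    #    FORWARD sit after UFW's own chains, which by default just leave the
    #    DROP policy in place, so this is evaluated before the packet is dropped.
    printf 'iptables %s FORWARD -i %s -o %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$action" "$pub_if" "$wg_if" "$peer_ip" "$proto" "$port"
    # 3. Allow the replies of those connections back out of the tunnel.
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$action" "$wg_if" "$pub_if"
    # 4. Source-NAT the forwarded packets to the VPS tunnel address so the home
    #    peer replies through WireGuard; the question's MASQUERADE only matches
    #    traffic leaving eth0, never wg0. (Cost: the home service sees 20.20.20.1
    #    as the client address, not the real one.)
    printf 'iptables -t nat %s POSTROUTING -o %s -d %s -p %s --dport %s -j MASQUERADE\n' \
        "$action" "$wg_if" "$peer_ip" "$proto" "$port"
}

# wg_conf_lines VPS_IP PORT PEER_IP [PROTO]: the same rules as PostUp/PostDown
# lines ready to paste into the [Interface] section of the VPS wg0.conf.
wg_conf_lines() {
    wg_forward_rules -A "$1" "$2" "$3" "${4:-tcp}" | sed 's/^/PostUp = /'
    wg_forward_rules -D "$1" "$2" "$3" "${4:-tcp}" | sed 's/^/PostDown = /'
}

# Constructed sample: forward Home Assistant's port 8123, as in the question.
wg_conf_lines 203.0.113.10 8123 20.20.20.2 tcp
```

The public port still has to be opened with `ufw allow 8123/tcp` on the VPS (the question already does this), and `net.ipv4.ip_forward=1` must be set for any forwarding to happen.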
