WireGuard for SNO behind NAT

My ISP (Telus) is not really CGNAT, but it blocks any incoming connections, which is almost the same thing.
So, I can't configure Port Forwarding.

But I have a VPS with unlimited traffic nearby. So, I want to proxy StorJ traffic through it.
I tried to configure WireGuard to do that. But I can't make it work.

Does anyone have experience / knowledge on how to do it?

Here is how I want to do it:

Windows StorJ @ residence with Telus ISP <=Wireguard=> Linux VPS @ Azure <==> Internet

I can’t figure out WireGuard configuration for the Linux VPS. Looks like I need some iptables config…

Hello, you can try the following:

# Accept desired traffic
iptables -I INPUT 1 -i CHANGETOINTERFACENAME -p udp --dport VPNPORT -j ACCEPT
iptables -A INPUT -i wg0 -p all -j ACCEPT

# Enable NAT on VPN traffic
iptables -t nat -I POSTROUTING -s VPNNETWORK -o CHANGETOINTERFACENAME -j MASQUERADE

# Port forward rules
iptables -t nat -A PREROUTING -d YOURVPSPUBLICIP -p tcp --dport 28967 -j DNAT --to-destination MACHINEINTERNALVPNIP:28967


This makes me curious. I’m with Telus and for me only port 80 is blocked. Maybe 25 too but I’ve never tested that. I’m running a lot of services and forwarding many ports without issues. This includes port 443 for my reverse proxy, and multiple higher ports for VPNs, apps like Storj, etc.

Where are you located?

@fmoledina, I'm in Richmond, BC. And I found that all of my IPv4 ports are blocked. Interestingly, I found that my IPv6 ports are open, but that's of little help for StorJ.

I tried @xyphos10's settings above. It didn't work.
I asked the same question on StackOverflow now.

But I made it work with WireGuard + rinetd:

  1. WireGuard enables the VPS to communicate with the StorJ node behind NAT
  2. rinetd running on the VPS forwards TCP from the WAN to WireGuard, a sort of "publishing" or opening of the StorJ ports to the WAN.

Here is the dashboard of my new behind-the-NAT StorJ node:
http://storj.slavikf.com/
Yes, I know, that some people consider opening it as a security risk. I want to test & see what happens.

Hmm, not sure why it did not work. I have a similar config running on two machines and it works, no problem. I used pivpn to create the WireGuard configs though.

Here is my full script for iptables:

#!/bin/bash

# Flush existing rules
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -F
iptables -X
iptables-save > /etc/iptables/rules.v4

# Accept loopback traffic
iptables -A INPUT -i lo -p all -j ACCEPT

# Accept return traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default INPUT policy to DROP
iptables -P INPUT DROP

# Set default FORWARD policy to ACCEPT
iptables -P FORWARD ACCEPT

# Set default OUTPUT policy to ACCEPT
iptables -P OUTPUT ACCEPT

# Accept desired traffic
iptables -I INPUT 1 -i eth0 -p udp --dport 20443 -j ACCEPT # allow VPN traffic to the VPS
iptables -A INPUT -i wg0 -p all -j ACCEPT

# Enable NAT on VPN traffic
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Port forward rules
iptables -t nat -A PREROUTING -d PUBLIC-IP-HERE -p tcp --dport 28967 -j DNAT --to-destination 10.8.0.2:28967

iptables-save > /etc/iptables/rules.v4

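The VPS-side publishing rules as an added example (not xyphos10's script or anything else from the thread): it generates the rules from parameters, appends them idempotently so re-running never duplicates them, and swaps the posted FORWARD ACCEPT policy for a default-deny that only admits flows already DNATed to the node port; it also masquerades those flows on wg0, because DNAT alone only works when the node routes its replies back through the VPS (the price is that the node sees the VPS tunnel address rather than the peer's real source). It assumes the posted script's base rules (loopback, established, INPUT policy) are already in place, and eth0, udp/20443, 10.8.0.0/24, 10.8.0.2 and tcp/28967 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emits the WAN->tunnel publishing rules for the VPS
# with FORWARD locked down to the one published port. Constructed values: WAN interface
# eth0, WireGuard on udp/20443, tunnel net 10.8.0.0/24, node 10.8.0.2, tcp/28967.

# rule TABLE CHAIN MATCH...: print an idempotent add (check first, append only if absent).
rule() {
  t=$1; c=$2; shift 2
  printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
    "$t" "$c" "$*" "$t" "$c" "$*"
}

# gen_rules WAN_IF WG_PORT VPN_NET NODE_IP NODE_PORT: print the commands without running them.
gen_rules() {
  wan=$1; wgport=$2; net=$3; node=$4; port=$5
  # Default-deny forwarding instead of the posted script's ACCEPT policy.
  echo 'iptables -P FORWARD DROP'
  # WireGuard itself on the WAN side, and anything that arrives decrypted over the tunnel.
  rule filter INPUT "-i $wan -p udp --dport $wgport -j ACCEPT"
  rule filter INPUT "-i wg0 -j ACCEPT"
  rule filter FORWARD "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Only flows that PREROUTING has already DNATed to the node port may enter the tunnel.
  rule filter FORWARD "-i $wan -o wg0 -d $node -p tcp --dport $port -m conntrack --ctstate DNAT -j ACCEPT"
  # The node's own outbound traffic via the VPS (paired with the MASQUERADE on the WAN side).
  rule filter FORWARD "-i wg0 -o $wan -s $net -j ACCEPT"
  rule nat PREROUTING "-i $wan -p tcp --dport $port -j DNAT --to-destination $node:$port"
  # SNAT the published flows on wg0 so the node's replies come back through the tunnel
  # even when its AllowedIPs does not default-route through the VPS.
  rule nat POSTROUTING "-o wg0 -d $node -p tcp --dport $port -j MASQUERADE"
  rule nat POSTROUTING "-s $net -o $wan -j MASQUERADE"
}

# apply_rules ARGS...: run the generated commands as root; DRY=1 only prints them.
apply_rules() {
  if [ "${DRY:-0}" = 1 ]; then gen_rules "$@"; else gen_rules "$@" | sh -e; fi
}

# count_rules ARGS...: number of generated commands, a cheap self-check.
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# Example invocation (print only):
DRY=1 apply_rules eth0 20443 10.8.0.0/24 10.8.0.2 28967
```

Run it with DRY=1 first and diff the output against `iptables-save`; only then apply it as root, and keep the posted `iptables-save > /etc/iptables/rules.v4` step so the rules survive a reboot.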