How do I port forward through a VPS?

I am looking for guidance on how to achieve port forwarding through my low-end VPS, which I currently use as a wireguard VPN (PiVPN). I want to torrent but my home connection is behind a CGNAT so other peers in the swarm can't make connections to me. Could anyone please advise me on how to do this? I am a novice so detailed guidance would be appreciated. Thanks!

Comments

  • TimboJones Member
    edited June 2023

    Uh, use your VPN at home instead of on the VPS?

  • If you are already able to use wireguard then some UDP port is open in your VPS, or do you mean SSH tunneling? Sorry if I did not understand your question.

  • Correct me if I am wrong, you can set up torrent server on your VPS. Any torrent transfers will be made to/from your VPS?

    You could also just set up a wireguard server and have your home client devices connect to it and browse as normal? At least that is what I am using right now.

  • FrankZ Veteran
    edited June 2023

    Since you gave no network or O/S info, in my example below 172.19.4.254 is the tunnel endpoint at your VPS and 172.19.4.1 is the tunnel endpoint on your local server. 66.66.66.66 is your VPS external IP and the local service you wish to serve from is running on 172.19.4.1. The wireguard interface is "wg0" and the network adapter on the VPS is "eth0".

    On the local server and the VPS make sure forwarding is enabled. To check use:

    sysctl net.ipv4.ip_forward
    

    if you get the response

    net.ipv4.ip_forward = 1
    

    you're good to forward traffic from the tunnel. If you get

    net.ipv4.ip_forward = 0
    

    Then forwarding is not enabled. To enable

    sysctl -w net.ipv4.ip_forward=1
    

    This is not persistent. If you want to make it persistent across reboots, edit the /etc/sysctl.conf file in your favorite text editor and change

    net.ipv4.ip_forward = 0
    

    to

    net.ipv4.ip_forward = 1
    

    I would also add

    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1

    Then after saving the file enter this command

    sysctl -p
    

    Then add a routing table to your local server to forward outbound traffic via the tunnel.

    ip route add 172.19.4.254 via 172.19.4.1 dev wg0
    ip rule add from 172.19.4.0/26 table 1003
    ip route add throw 172.19.4.0/26 table 1003
    ip route add 0.0.0.0/1 via 172.19.4.254 dev wg0 table 1003
    ip route add 128.0.0.0/1 via 172.19.4.254 dev wg0 table 1003

    Then on your VPS after making sure you have installed iptables add the following iptables rules. Change "wg0" to whatever the name of your VPS wireguard adapter is named, if different.

    # nat table: rewrite the source of tunnel clients, then the destination of the forwarded port
    iptables -t nat -A POSTROUTING -s 172.19.4.0/24 -j SNAT --to-source 66.66.66.66
    iptables -t nat -A PREROUTING -p tcp --dport [whatever port you wish to forward to your local server] -j DNAT --to-destination 172.19.4.1:[port the service is running on local server]
    # filter table: drop packets claiming a tunnel source that did not arrive on wg0, then allow forwarding
    iptables -A INPUT ! -i wg0 -s 172.19.4.0/24 -j DROP
    iptables -A FORWARD ! -i wg0 -s 172.19.4.0/24 -j DROP
    iptables -A FORWARD -j ACCEPT

    In the example above I have forwarded a tcp port, you can also forward a udp port by changing the "tcp" to "udp" in the PREROUTING line.
    These iptables rules are not persistent, but if you get it working we can make them so if you let me know what o/s you are using.
    I think I covered everything. Let us know how it goes. :)
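A shell version of the VPS-side rule set described above, added here as an example and not FrankZ's own script: it keeps his sample addresses (66.66.66.66, 172.19.4.0/24, 172.19.4.1, wg0), assumes a constructed port 51413, spells out the "-t nat" that the POSTROUTING and PREROUTING chains require, and narrows the final FORWARD rule to the forwarded service plus reply traffic instead of accepting everything.

```shell
#!/bin/sh
# Added example, not FrankZ's script: builds the VPS-side rule set from the
# values in the post above. Two changes from the post: the nat-table chains get
# an explicit "-t nat" (POSTROUTING/PREROUTING do not exist in the filter
# table), and FORWARD accepts only the forwarded service plus reply traffic.

# Return 0 when net.ipv4.ip_forward reads 1. FILE defaults to the procfs
# entry; a path can be passed so the check is testable without root.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# vps_nat_rules VPS_PUBLIC_IP TUNNEL_NET LOCAL_TUNNEL_IP PUBLIC_PORT SERVICE_PORT WG_IF
# Prints the iptables commands; review them, then pipe into sh as root.
vps_nat_rules() {
    vps_ip=$1; tun_net=$2; local_ip=$3; pub_port=$4; svc_port=$5; wg_if=$6
    # Tunnel clients leave the VPS with its public address as source
    echo "iptables -t nat -A POSTROUTING -s $tun_net -j SNAT --to-source $vps_ip"
    # Public port to the home service, tcp and udp (a torrent client uses both)
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -p $proto --dport $pub_port -j DNAT --to-destination $local_ip:$svc_port"
    done
    # Packets claiming a tunnel source but arriving on another interface are spoofed
    echo "iptables -A INPUT ! -i $wg_if -s $tun_net -j DROP"
    echo "iptables -A FORWARD ! -i $wg_if -s $tun_net -j DROP"
    # Forward path: replies, new connections to the DNAT'd service, and
    # outbound traffic from the tunnel; everything else is dropped
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for proto in tcp udp; do
        echo "iptables -A FORWARD -d $local_ip -p $proto --dport $svc_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $wg_if -s $tun_net -j ACCEPT"
    echo "iptables -A FORWARD -j DROP"
}

# Post's sample addresses; 51413 is a constructed port number.
# vps_nat_rules 66.66.66.66 172.19.4.0/24 172.19.4.1 51413 51413 wg0
```

Run "forwarding_enabled || sysctl -w net.ipv4.ip_forward=1" first, and check the generated rules against your own interface names before applying them.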

  • @FrankZ said:

    Can you take a look at this and help me?
    https://lowendtalk.com/discussion/comment/3717821
