Posted: Sun Jun 20, 2021 17:04 Post subject: Bypass Carrier Grade NAT using Wireguard Tunnel
My ISP has a Carrier Grade NAT, so accessing my server/NAS from outside is not possible unless I get a static IP. I asked them for a public dynamic IP but am still waiting. Meanwhile I found this (https://github.com/mochman/Bypass_CGNAT), which uses Wireguard to bypass the CGNAT.
This is the server config (which redirects ports to client):
Using those settings in DD-WRT works: I can see the traffic coming from the outside server into the router (using tcpdump). What I don't know is what to do (which switches to set in the Tunnel page) so the incoming traffic that comes through the tunnel gets redirected to the firewall so the Port forwarding works. I'm sure I'm missing something simple since I'm almost there.
Hmmm, maybe I didn't explain myself well. This is what I want:
VPS (WG Server, has public ip)->dd-wrt(WG Client, no public ip)->Redirect using port forwarding to any server
I want to open ports on the VPS server, redirect ports with Wireguard to the dd-wrt and then have dd-wrt forward those ports with the Port forwarding rules I set in the router (to a NAS in my case).
The VPS->dd-wrt part works: I try to connect to the VPS server, traffic goes to ddwrt but stays there; all I'm missing is redirecting the traffic to the servers set in Port Forwarding.
For example:
Connect to port 80 on VPS (works), ddwrt receives the packet (works)->ddwrt forwards packet to my NAS (does not work)
If you have not already read the forum guidelines, please do !!
As Per Ingve said if you want to connect to your network from outside you can make a site-to-site setup.
Your DDWRT router connects via WG to your VPS.
A client on the internet e.g. your phone also connects via WG to your VPS and your VPS connects those two.
For that you do not need any port forwarding as the networks are connected via routing.
Of course you can open a port on your VPS and redirect that to your router, but for that too you do not need port forwarding on the router, as it is already connected in a site-to-site setup to the VPS.
To give an example: your VPS is 192.168.1.1 and your router is 192.168.2.1; the site-to-site setup sets up routing between those and you can port forward a port on your VPS to 192.168.1.1, i.e. to your router or to another client on your router's network.
egc wrote:
Your DDWRT router connects via WG to your VPS.
A client on the internet e.g. your phone also connects via WG to your VPS and your VPS connects those two.
For that you do not need any port forwarding as the networks are connected via routing.
Again it seems I'm not explaining myself well. I'm not connecting to the VPS with WG. I want to let anyone connect to the VPS (for example with a browser) and be redirected to servers (http, smtp, etc.) in my local LAN, no WG involved: opening a port on the VPS, redirecting it through the WG tunnel to the router and letting the firewall block it or redirect it with port forwarding rules.
Anyway I almost have it. I already have traffic going from VPS->Router->Firewall->Port forwarding rules->Chosen server. Still testing some stuff. Thanks anyway.
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Thu Jun 24, 2021 14:44 Post subject:
Faw wrote:
egc wrote:
Your DDWRT router connects via WG to your VPS.
A client on the internet e.g. your phone also connects via WG to your VPS and your VPS connects those two.
For that you do not need any port forwarding as the networks are connected via routing.
Again it seems I'm not explaining myself well. I'm not connecting to the VPS with WG. I want to let anyone connect to the VPS (for example with a browser) and be redirected to servers (http, smtp, etc.) in my local LAN, no WG involved: opening a port on the VPS, redirecting it through the WG tunnel to the router and letting the firewall block it or redirect it with port forwarding rules.
Anyway I almost have it. I already have traffic going from VPS->Router->Firewall->Port forwarding rules->Chosen server. Still testing some stuff. Thanks anyway.
You also have to read the second part of my answer.
If you have a proper site-to-site setup you can simply port forward on your VPS to your router (the WG client), as I tried to explain.
Suppose your VPS is on subnet 192.168.1.1 and your router (the WG client to your VPS) has its own IP address of 192.168.2.1; then you set a port forward on your VPS to 192.168.2.1, as simple as that.
Your VPS can port forward to any client it knows, and it knows the client router (192.168.2.1) because you have set up a site-to-site setup.
Site-to-site means that your server knows (has routing to) the client's subnet.
The DDWRT WireGuard Advanced Setup guide has a paragraph about site-to-site setup (in short: on the client disable NAT, add the VPS subnet in Allowed IPs, disable (do not tick) Firewall inbound; on the VPS add the client's subnet e.g. 192.168.2.1/24 in the Allowed IPs and enable route allowed IPs so that the server has routing to the client).
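One way to build the VPS-side port forward egc describes, as an added example that is not from the thread, DD-WRT or the Bypass_CGNAT project. It assumes the site-to-site setup above (NAT off on the DD-WRT WG client, the LAN subnet in the VPS peer's Allowed IPs) and uses constructed addresses and interface names (10.66.0.0/24 tunnel, 192.168.2.0/24 LAN, ens3 as the VPS public interface):

```shell
#!/bin/sh
# Added example, not from the thread, DD-WRT or the Bypass_CGNAT project.
# Emits the VPS-side iptables commands that take a port on the VPS public
# interface and hand it through the WireGuard tunnel to a host on the DD-WRT LAN.
# Assumes the site-to-site setup egc describes: NAT disabled on the DD-WRT WG
# client and the LAN subnet listed in the VPS peer's AllowedIPs.
# All addresses and interface names below are constructed for this example.
WAN_IF="ens3"                 # VPS public interface
WG_IF="wg0"                   # WireGuard interface on the VPS
VPS_WG_IP="10.66.0.1"         # VPS tunnel address
LAN_SUBNET="192.168.2.0/24"   # DD-WRT LAN reachable through the tunnel
NAS_IP="192.168.2.10"         # a client on the router's network, as egc suggests

# forward_rule PROTO PUBLIC_PORT DEST_HOST DEST_PORT: one DNAT plus a matching
# FORWARD accept, so only the forwarded flow is let in, not the whole LAN.
forward_rule() {
    proto=$1; pub=$2; dst=$3; dport=$4
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $pub -j DNAT --to-destination $dst:$dport"
    echo "iptables -A FORWARD -i $WAN_IF -o $WG_IF -p $proto -d $dst --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Replies must return through the VPS, not out of the router's CGNAT WAN
# (that would break every TCP handshake), so forwarded packets get the VPS
# tunnel address as their source before they enter the tunnel.
reply_path_rule() {
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $LAN_SUBNET -j SNAT --to-source $VPS_WG_IP"
}

# The complete rule set: routing on, HTTP/HTTPS to the NAS, reply path, and
# the return direction limited to already established connections.
rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    forward_rule tcp 80 "$NAS_IP" 80
    forward_rule tcp 443 "$NAS_IP" 443
    reply_path_rule
    echo "iptables -A FORWARD -i $WG_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Review with `rules`; apply on the VPS as root with `rules | sh`.
```

Because of the SNAT the NAS logs the VPS tunnel address instead of the visitor's IP; avoiding that needs policy routing on the DD-WRT side, which this example does not cover.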
egc wrote:
Your VPS can port forward to any client it knows, and it knows the client router (192.168.2.1) because you have set up a site-to-site setup.
Site-to-site means that your server knows (has routing to) the client's subnet.
I know, but the UI of the VPS (Oracle Cloud) just lets me open ports, not redirect them to another IP like dd-wrt does with port forwarding. I would have to work with iptables on the VPS and all that crap, and I'm lazy.
I just like to go to a UI and toggle things on/off. So to make my life easier later I just wanted to redirect everything from the VPS and let the router deal with it, so all I have to do is edit the forwarding rules in the ddwrt UI and be done with it.
Just learning to do the difficult part now to be lazy in the future.
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Tue Jul 25, 2023 3:24 Post subject:
I am also trying to get a WG server set up behind CGNAT (Starlink and TM Home Internet). The goal is that a ddwrt client B could tunnel to WG Server C behind CGNAT via a VPS, then out to the Internet via Server C; basically client B VPNs to Server C so it has the IP address of Server C:
ddwrt (WG client B) -> VPS (WG Server A )-> CGNAT -> dd-wrt (WG Server C )-> CGNAT internet Server C IP address
This looks like the case in WG Advanced Network guide of Site-to-Site between multiple sites Hub and Spoke, and the router behind CGNAT needs to become a client, and now need to facilitate traffic from Client B to Client C through VPS:
ddwrt Client B -> ddwrt Server A -> CGNAT ddwrt Client C
But in my case, for Server A I am using an Oracle Cloud VPS WG instead of ddwrt:
ddwrt Client B -> VPS WG Server A -> CGNAT ddwrt Client C
My question is: to get client B traffic to exit at Client C (so client C is like a Server), how do I set that up? Following the ddwrt guide, would it be similar to this:
Allowed IPs
Client B: [WG IP address of C]/32
Client C: [WG IP address of A]/32 or should it be just [WG IP address of B]/32?
On Server A have two peers (default same as guide?):
Peer B Allowed IPs:
Only allow the IP address of the tunnel of site B and site B's subnet
[WG IP address of B]/32, [subnet of B]
Peer C Allowed IPs:
[WG IP address of C]/32, [subnet of C]
Thank you,
SP _________________ ASUS 7xAC68U
Linksys 3200ACM, 1900ACSv2, 3x1900AC, E3000, 5xE2500
Netgear 3xR7000, R6700, R6400
If able, give more than you take. Make the world better.