Why did ZippyBot bring me here?

Hi, whenever I try to enter the ports 80 and 443 at the beginning of the -R parameter, I get this error: Warning: remote port forwarding failed for listen port 80. How do I fix this?

How do I make the SSH tunnel forward traffic? It can’t be as easy as just running ssh user@SERVER_IP in the terminal.

(I only need variant 1 btw)

I’ve added the firewall rule and it still says no port[s] to connect to whenever I run echo "Testing" | nc -u SERVER_IP -p 51820. I feel like you’re trying to stay on a sinking ship, so I would suggest to try another method to see if we even can get the whole “bypass CGNAT with a VPS” thing to work at all.

Update: I’ve tried setting up SSH tunneling instead and it STILL doesn’t work. I contacted Hetzner support about this issue and I’m hoping that they can resolve the firewall issues that I’m having.

I’ve added some different ports for the future, but this is my ufw status:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
2333                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
81                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
51820 (v6)                 ALLOW       Anywhere (v6)             
2333 (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
81 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)

Alright, I switched to ufw and… it’s still not working. sigh

Should we just try something completely different? WireGuard doesn’t seem to be working on my VPS. Someone in the comments mentioned tunneling via SSH, sounds interesting.

What do you mean with “clear out iptables completely”? Should I remove the iptables package with sudo apt remove iptables?

Alright, sounds good. What firewall are you recommending me to use? I would like to use a firewall that’s easy to manage.

Edit: I went with ufw.

I tried to open the port 22 on UDP (yeah, I am getting pretty desperate over here…) and still get the message no port[s] to connect to… Someone else on this post commented that I should stop using iptables for opening ports and start using something else as a firewall. Should I try this approach?

Does iptables count as a firewall? You said that I should “forget” iptables. Is it that bad? It came preinstalled on the VPS. Should I switch? And if so, how?

Very interesting… How do I get started?

The command you provided for the VPS returns UDP listen needs -p arg, so I just added -p right before the port number and then it worked. Running the homelab command returns no port[s] to connect to… Not good.

I have no idea how to properly manage the firewall with Hetzner. I’ve opened the ports on the Hetzner management page and I ran several iptables commands to allow traffic from those ports. Still doesn’t work. This is weird!

How would that kind of a setup look like?

Hmm, the keys do match on the two different machines. I have no idea why this doesn’t work…

I do not get a response when pinging the VPS’s WG IP from my homeserver. It might have something to do with the firewall that my VPS provider (Hetzner) is using. I’ve now allowed the port 51820 on UDP and TCP and it’s still the same as before… This is weird.

Hi, thank you so much for trying to help me, I really appreciate it!

VPS wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32

Homeserver wg0.conf:

[Interface]
Address = 10.0.0.2/24
PrivateKey = REDACTED
 
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = SERVER_IP:51820

(REDACTED would’ve been the public / private keys, SERVER_IP would’ve been the VPS IP.)

The biggest obstacle for me is the connection between the VPS and my homeserver. I have tried this today and I tried pinging 10.0.0.2 (the homeserver IP via WireGuard) and get this as a result:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms

Not sure why though.

Not really, pinging my homeserver via the VPS returns:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms

Hey, thank you for your blog post. I’m definitely reconsidering my choices with Cloudflare tunnels. I will take a look at the VPS setup. Privacy is something that I really care about, so this would be pretty useful. I would definitely be ready to pay 3.29€ per month for the privacy aspects of this setup.