Skip to content

Instantly share code, notes, and snippets.

@adog1314

adog1314/PortForwardOverWireGuard.md

Last active January 22, 2025 03:26
Show Gist options
  • Save adog1314/97bf494d74f56bfff51da9bb4bff8ed0 to your computer and use it in GitHub Desktop.
Save adog1314/97bf494d74f56bfff51da9bb4bff8ed0 to your computer and use it in GitHub Desktop.
Download ZIP
Port forward over wireguard to VPS with static IP
Raw
PortForwardOverWireGuard.md

Port forward over wireguard to VPS with static IP

This is write up is on how to port forward over wireguard. I am going to be port forwarding a mail server running MailCow on my local server, but really any service can be port forwared with some modifications to the IPTables commands in the wireguard file.

I am using a cheap Vultr VPS as my proxy server, if your intrested heres a referral link https://www.vultr.com/?ref=9019507 where I get $10 or if you plan to spend more then $35 on your account you will get $100 and I will get $35 https://www.vultr.com/?ref=9019508-8H

My Setup

  • Debain 10 Buster
  • Tunnel subnet: 10.1.1.0
  • Proxy-VPS Tunnel IP: 10.1.1.1
  • Peer [Mail Server] Tunnel IP: 10.1.1.2

WireGuard Setup on the remote VPS

I installed WireGuard using this script: https://github.com/angristan/wireguard-install

Had an error used to fix: https://stackoverflow.com/a/66745279

Allow wireguard on port 51820(make sure the port is correct, the script assign's a random port): E.g.

sudo ufw allow 51820/udp

Start the WireGuard service at boot time using the systemctl command, run:

sudo systemctl enable wg-quick@wg0

Port Forwarding

  • Destination NAT(DNAT) only rewrites the destination IP address, this should be used for incoming trafic headed to a peer.
  • Source NAT(SNAT) rewrites the source IP address to and should happen automatically for outbound traffic that passes through the Wg Tunnel.

Services Port Forwarded

[Peer - Mail - 10.1.1.2]

  • Http on port 80
  • Https on port 443
  • Postfix SMTP on port 25
  • Postfix SMTPS on port 465
  • Postfix Submission on port 587
  • Dovecot IMAP on port 143
  • Dovecot IMAPS on port 993
  • Dovecot POP3 on port 110
  • Dovecot POP3S on port 995
  • Dovecot ManageSieve on port 4190

Also add ufw for each port on Proxy-VPS E.g. sudo ufw allow 25/tcp

Run and find the WAN interface name and replace enp1s0 blow to the correct interface name we want the portforward to listen on

ip addr

Place in /etc/wireguard/wg0.conf on Proxy-VPS just above [Peer]

### Http on port 80
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 80 -j DNAT --to-destination 10.1.1.2:80
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 80 -j DNAT --to-destination 10.1.1.2:80
### Https on port 443
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 443 -j DNAT --to-destination 10.1.1.2:443
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 443 -j DNAT --to-destination 10.1.1.2:443
### Postfix SMTP on port 25
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 25 -j DNAT --to-destination 10.1.1.2:25
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 25 -j DNAT --to-destination 10.1.1.2:25
### Postfix SMTPS on port 465
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 465 -j DNAT --to-destination 10.1.1.2:465
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 465 -j DNAT --to-destination 10.1.1.2:465
### Postfix Submission on port 587
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 587 -j DNAT --to-destination 10.1.1.2:587
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 587 -j DNAT --to-destination 10.1.1.2:587
### Dovecot IMAP on port 143
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 143 -j DNAT --to-destination 10.1.1.2:143
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 143 -j DNAT --to-destination 10.1.1.2:143
### Dovecot IMAPS on port 993
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 993 -j DNAT --to-destination 10.1.1.2:993
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 993 -j DNAT --to-destination 10.1.1.2:993
### Dovecot POP3 on port 110
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 110 -j DNAT --to-destination 10.1.1.2:110
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 110 -j DNAT --to-destination 10.1.1.2:110
### Dovecot POP3S on port 995
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 995 -j DNAT --to-destination 10.1.1.2:995
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 995 -j DNAT --to-destination 10.1.1.2:995
### Dovecot ManageSieve on port 4190 
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 4190 -j DNAT --to-destination 10.1.1.2:4190
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 4190 -j DNAT --to-destination 10.1.1.2:4190

WireGuard on local mail server

sudo apt install wireguard

Transfer the file created by the script from the remote VPS to /etc/wireguard/wg0.conf

On the local machine we kept encountering an issue where the tunnel would die after several minutes, once the handshake connection expired. To fix this I added PersistentKeepAlive = 25 to the bottom of the wg0.conf file

I left AllowedIPs = 0.0.0.0/0 to forward all traffic of all my mail server through the remote VPS IP address, due to it needing to send outgoing SMTP email through the NAT masquerade as the remote IP instead of my home networks IP

Start the WireGuard service at boot time using the systemctl command, run:

sudo systemctl enable wg-quick@wg0

Start WireGuard the tunnel:

sudo wg-quick up wg0
@BytxForge
Copy link

Many thanks for the good instructions. How is Mailcow configured for you? I'm getting an error message that the ACME challenge is failing.

Confirmed A record with IP x.x.x.x, but HTTP validation failed

@adog1314
Copy link
Author

@BytxForge Are you forwarding port 80 or are you using a reverse proxy like nginx on your remote VPS?
LetsEncrypt needs http://mail.domain.tld/.well-known/acme-challenge/ to pass to your mailcow web server to get an SSL cert to verify you own the domain.

@BytxForge
Copy link

@BytxForge Are you forwarding port 80 or are you using a reverse proxy like nginx on your remote VPS? LetsEncrypt needs http://mail.domain.tld/.well-known/acme-challenge/ to pass to your mailcow web server to get an SSL cert to verify you own the domain.

Thank you for your answer. I forward port 80 from the VPS as described in your instructions.

@adog1314
Copy link
Author

adog1314 commented Dec 27, 2024
edited
Loading

@BytxForge You could try and create a test.html file in /opt/mailcow-dockerized/data/web/.well-known/acme-challenge/test.html then go to http://mail.domain.tld/.well-known/acme-challenge/test.html to see the text you put in the test file shows up or a 404.

Its been 2 years since I set up my current instance, but if I remember right there isn't anything you change in the Mailcow config along as all traffic is being forwarded back through Wireguard out your VPS providers ip address and not local ip.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment