Page: networking:wireguard_redirects
Old revision: 2025/02/06 10:17 – willy
New revision: 2025/03/13 15:01 (current) – willy
Line 1: | Line 1: | ||
- | ===== WireGuard Port Forwarding ===== | + | ===== K) WireGuard Port Forwarding ===== |
- | + | ||
- | Please note that you **must** expose port 80 of your reverse-proxy if you plan to use Let's Encrypt Certbot tool, or it will not work. | + | |
I am assuming that you have already setup WireGuard both on the internal and on the external server. See [[gentoo: | I am assuming that you have already setup WireGuard both on the internal and on the external server. See [[gentoo: | ||
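Review bot: removing the unconditional warning `Please note that you **must** expose port 80 of your reverse-proxy if you plan to use Let's Encrypt Certbot tool` from the top of the page leaves the introduction with no mention of port 80; the replacement note added further down only covers the case where HTTPS is forwarded to the internal host, so the recommended setup (reverse proxy on the external host) now depends on the linked reverse-proxy page to state the requirement. Suggest keeping a one-line pointer here, e.g. `Whichever host runs the reverse proxy must have port 80 reachable for Let's Encrypt.` The new `K)` prefix on the heading looks like a section-ordering letter; check it matches the scheme used on the sibling pages.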
Line 13: | Line 11: | ||
* You have one **external** host which has a public IP address | * You have one **external** host which has a public IP address | ||
* Both hosts have WireGuard setup according to the configuration above | * Both hosts have WireGuard setup according to the configuration above | ||
- | * Internal host expose port 22, 80 and 8443 | + | * Internal host expose port 22 for SSH (optional: port 8443 for HTTPS and port 80 for HTTP) |
* External host needs to route those three ports to the internal host | * External host needs to route those three ports to the internal host | ||
* The WireGuard subnet is // | * The WireGuard subnet is // | ||
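Review bot: the changed bullet `Internal host expose port 22 for SSH (optional: port 8443 for HTTPS and port 80 for HTTP)` makes two of the three ports optional, but the unchanged bullet right after it still says `External host needs to route those three ports to the internal host`, so the list now contradicts itself. Reword it to something like `External host routes the SSH port (and optionally the HTTP and HTTPS ports) to the internal host`. Minor grammar on the same line: `expose` should be `exposes`.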
Line 21: | Line 19: | ||
What we need to do is create nftable rules to ensure that: | What we need to do is create nftable rules to ensure that: | ||
* packets reaching external host on enp1s0 on port 2022 get routed to 10.100.0.1 port 22 | * packets reaching external host on enp1s0 on port 2022 get routed to 10.100.0.1 port 22 | ||
- | * packets reaching external host on enp1s0 on port 80 get routed to 10.100.0.1 port 80 | + | * packets reaching external host on enp1s0 on port 443 get routed to 10.100.0.1 port 8443 (optional) |
- | * packets reaching external host on enp1s0 on port 443 get routed to 10.100.0.1 port 8443 | + | * packets reaching external host on enp1s0 on port 80 get routed to 10.100.0.1 port 80 (optional) |
* return packets from the internal host get properly re-routed to the original sender out from enp1s0 | * return packets from the internal host get properly re-routed to the original sender out from enp1s0 | ||
+ | |||
+ | **Note:** forwarding ports for HTTP and HTTPS is only required if you don't plan to host a reverse proxy on the external server, which is the recomended approach. See [[networking: | ||
**Note:** see [[selfhost: | **Note:** see [[selfhost: | ||
+ | |||
+ | **Note:** if you forward HTTPS, you **must** also forward HTTP (80), otherwise Let's Encrypt will be unable to renew your certificates. | ||
What we need: | What we need: | ||
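Review bot: the new note `forwarding ports for HTTP and HTTPS is only required if you don't plan to host a reverse proxy on the external server, which is the recomended approach` has a typo (`recomended` should be `recommended`) and an ambiguous `which`; as written a reader can parse the recommended approach as either hosting the proxy externally or forwarding. Suggest: `Forwarding 80 and 443 is only needed when the reverse proxy runs on the internal host; the recommended setup is a reverse proxy on the external server (see ...).` The added note `if you forward HTTPS, you **must** also forward HTTP (80), otherwise Let's Encrypt will be unable to renew your certificates` is now the only place on the page that states this requirement, since the earlier unconditional warning was removed; it would read better placed directly under the bullet list, before the unrelated selfhost note, and it helps to name the challenge type (the HTTP-01 challenge is the one that needs port 80) so readers using a different challenge know the rule does not apply to them.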
Line 51: | Line 53: | ||
# nft 'add rule ip wg prerouting iifname enp1s0 tcp dport 2022 counter' | # nft 'add rule ip wg prerouting iifname enp1s0 tcp dport 2022 counter' | ||
nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 2022 : 10.100.0.1 . 22 }' | nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 2022 : 10.100.0.1 . 22 }' | ||
- | nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 80 : 10.100.0.1 . 80 }' | + | #nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 80 : 10.100.0.1 . 80 }' |
- | nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 443 : 10.100.0.1 . 8443 }' | + | #nft 'add rule ip wg prerouting iifname enp1s0 dnat to tcp dport map { 443 : 10.100.0.1 . 8443 }' |
</ | </ | ||
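Review bot: the two optional DNAT rules are disabled with a bare `#` while the debugging counter rule above them uses `# `, so a reader cannot tell a deliberately disabled rule from a debug aid; pick one style and say which it is. More importantly, the snippet no longer encodes the dependency the prose introduces (enabling the 443 rule requires the 80 rule as well, or Let's Encrypt renewal breaks); add a comment line above the pair such as `# optional: enable both together, certificate renewal needs port 80`. The three single-entry maps could also be collapsed into one rule, `dnat to tcp dport map { 2022 : 10.100.0.1 . 22, 80 : 10.100.0.1 . 80, 443 : 10.100.0.1 . 8443 }`, but keeping one rule per port does make the optional ones easier to toggle, so that is a judgement call.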