this post was submitted on 27 Mar 2024

34 points (88.6% liked)

Selfhosted

39964 readers

291 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

How can I bypass CGNAT by using a VPS with a public IPv4 address? (lemmy.zip)

submitted 7 months ago by [email protected] to c/[email protected]

53 comments fedilink hide all child comments

I want to move away from Cloudflare tunnels, so I rented a cheap VPS from Hetzner and tried to follow this guide. Unfortunately, the WireGuard setup didn't work. I'm trying to forward all traffic from the VPS to my homeserver and vice versa. Are there any other ways to solve this issue?

VPS Info:

OS: Debian 12

Architecture: ARM64 / aarch64

RAM: 4 GB

Traffic: 20 TB

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 7 months ago (1 children)

Hmm, the keys do match on the two different machines. I have no idea why this doesn't work...

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

Dumb question: you're starting wireguard right? lol

In most distros, it's systemctl start wg-quick@wg0 where wg0 is the name of the config file in /etc/wireguard

If so, then maybe double/triple check any firewalls / iptables rules. My VPS providers don't have any kind of firewall in front of the VM, but I'm not sure about Hetzner.

Maybe try stopping wireguard, starting a netcat listener on 51820 UDP and seeing if you can send to it from your homelab. This will validate that the UDP port is open and your lab can make the connection.

### VPS
user@vps:  nc -l -u VPS_PUBLIC_IP 51820

### Homelab
user@home:  echo "Testing" | nc -u VPS_PUBLIC_IP 51820

### If successful, VPS should show:
user@vps:  nc -l -u VPS_PUBLIC_IP 51820
Testing

I do know this is possible as I've made it work with CG-NAT on both ends (each end was a client and routed through the VPS).

[–] [email protected] 2 points 7 months ago (1 children)

The command you provided for the VPS returns UDP listen needs -p arg, so I just added -p right before the port number and then it worked. Running the homelab command returns no port[s] to connect to... Not good.

[–] [email protected] 3 points 7 months ago (1 children)

At least that points you to the problem: firewall somewhere.

Try a different port with your netcat test, perhaps? 51820 is the well-known WG port. Can't imagine they'd intentionally block it, but you never know.

Maybe Hetzner support can offer more guidance? Again, I'm not sure what or how they do network traffic before it gets to the VM. On all of mine, it's just a raw gateway and up to me to handle all port blocking.

If you figure that part out and are still stuck on the WG part, just shoot me a reply.

[–] [email protected] 2 points 7 months ago (1 children)

I tried to open the port 22 on UDP (yeah, I am getting pretty desperate over here...) and still get the message no port[s] to connect to... Someone else on this post commented that I should stop using iptables for opening ports and start using something else as a firewall. Should I try this approach?

[–] [email protected] 3 points 7 months ago (1 children)

Yeah, might be worth a shot. iptables is nice, but very verbose and somewhat obtuse.

I'd just clear out iptables completely and use ufw. Should be in Debian's package manager.

Here's a cheat sheet: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

[–] [email protected] 2 points 7 months ago (1 children)

What do you mean with "clear out iptables completely"? Should I remove the iptables package with sudo apt remove iptables?

[–] [email protected] 3 points 7 months ago (1 children)

I believe iptables --flush should clear out any entries you've made. You can also reboot and clear them (unless you've got scripts bound to your interface up/down config that adds rules).

Basically just need to get any custom iptables rules you made out of there and then re-implement any FW rules with ufw

You can still use iptables alongside UFW, but I only use those for more complex things like port forwarding, masquerading, etc.

[–] [email protected] 2 points 7 months ago (1 children)

Alright, I switched to ufw and... it's still not working. sigh

Should we just try something completely different? WireGuard doesn't seem to be working on my VPS. Someone in the comments mentioned tunneling via SSH, sounds interesting.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (1 children)

That would work, but I've noticed performance isn't as good as a UDP VPN that uses the kernel's tun module. OpenVPN is also an option, but it's a LOT more involved to configure (I used to run it before Wireguard existed).

The oddest part is you can't get a netcat message through. That implies firewall somewhere.

What is the output of your ufw status ?

[–] [email protected] 2 points 7 months ago (1 children)

I've added some different ports for the future, but this is my ufw status:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
2333                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
81                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
51820 (v6)                 ALLOW       Anywhere (v6)             
2333 (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
81 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)

[–] [email protected] 1 points 7 months ago (1 children)

I can't recall if ufw opens both TCP and UDP or just TCP by default.

Try explicitly allowing 51820/udp with ufw allow 51820/udp

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

I've added the firewall rule and it still says no port[s] to connect to whenever I run echo "Testing" | nc -u SERVER_IP -p 51820. I feel like you're trying to stay on a sinking ship, so I would suggest to try another method to see if we even can get the whole "bypass CGNAT with a VPS" thing to work at all.

Update: I've tried setting up SSH tunneling instead and it STILL doesn't work. I contacted Hetzner support about this issue and I'm hoping that they can resolve the firewall issues that I'm having.