How do I make the SSH tunnel forward traffic? It can’t be as easy as just running ssh user@SERVER_IP
in the terminal.
(I only need variant 1 btw)
Hi, I’m Alex! I like to talk about all sorts of things, like self-hosting stuff, programming shenanigans, random memes, games and probably some other stuff too!
How do I make the SSH tunnel forward traffic? It can’t be as easy as just running ssh user@SERVER_IP
in the terminal.
(I only need variant 1 btw)
I’ve added the firewall rule and it still says no port[s] to connect to
whenever I run echo "Testing" | nc -u SERVER_IP -p 51820
. I feel like you’re trying to stay on a sinking ship, so I would suggest to try another method to see if we even can get the whole “bypass CGNAT with a VPS” thing to work at all.
Update: I’ve tried setting up SSH tunneling instead and it STILL doesn’t work. I contacted Hetzner support about this issue and I’m hoping that they can resolve the firewall issues that I’m having.
I’ve added some different ports for the future, but this is my ufw status
:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
51820 ALLOW Anywhere
2333 ALLOW Anywhere
80 ALLOW Anywhere
81 ALLOW Anywhere
443 ALLOW Anywhere
80/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
51820 (v6) ALLOW Anywhere (v6)
2333 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
81 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Alright, I switched to ufw
and… it’s still not working. sigh
Should we just try something completely different? WireGuard doesn’t seem to be working on my VPS. Someone in the comments mentioned tunneling via SSH, sounds interesting.
What do you mean with “clear out iptables completely”? Should I remove the iptables package with sudo apt remove iptables
?
Alright, sounds good. What firewall are you recommending me to use? I would like to use a firewall that’s easy to manage.
Edit: I went with ufw
.
I tried to open the port 22 on UDP (yeah, I am getting pretty desperate over here…) and still get the message no port[s] to connect to
… Someone else on this post commented that I should stop using iptables for opening ports and start using something else as a firewall. Should I try this approach?
Does iptables count as a firewall? You said that I should “forget” iptables. Is it that bad? It came preinstalled on the VPS. Should I switch? And if so, how?
Very interesting… How do I get started?
The command you provided for the VPS returns UDP listen needs -p arg
, so I just added -p
right before the port number and then it worked. Running the homelab command returns no port[s] to connect to
… Not good.
I have no idea how to properly manage the firewall with Hetzner. I’ve opened the ports on the Hetzner management page and I ran several iptables commands to allow traffic from those ports. Still doesn’t work. This is weird!
How would that kind of a setup look like?
Hmm, the keys do match on the two different machines. I have no idea why this doesn’t work…
I do not get a response when pinging the VPS’s WG IP from my homeserver. It might have something to do with the firewall that my VPS provider (Hetzner) is using. I’ve now allowed the port 51820
on UDP and TCP and it’s still the same as before… This is weird.
Hi, thank you so much for trying to help me, I really appreciate it!
VPS wg0.conf
:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32
Homeserver wg0.conf
:
[Interface]
Address = 10.0.0.2/24
PrivateKey = REDACTED
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = SERVER_IP:51820
(REDACTED would’ve been the public / private keys, SERVER_IP would’ve been the VPS IP.)
The biggest obstacle for me is the connection between the VPS and my homeserver. I have tried this today and I tried pinging 10.0.0.2
(the homeserver IP via WireGuard) and get this as a result:
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms
Not sure why though.
Not really, pinging my homeserver via the VPS returns:
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms
Hey, thank you for your blog post. I’m definitely reconsidering my choices with Cloudflare tunnels. I will take a look at the VPS setup. Privacy is something that I really care about, so this would be pretty useful. I would definitely be ready to pay 3.29€ per month for the privacy aspects of this setup.
I prefer owning my server hardware than renting a VPS. I completely forgot that I couldn’t port forward in my home network, so Cloudflare was my last-minute solution to that problem.
Hi, whenever I try to enter the ports 80 and 443 at the beginning of the -R parameter, I get this error:
Warning: remote port forwarding failed for listen port 80
. How do I fix this?