Port forwarding behind NAT (Using WireGuard and Nginx Reverse Proxy)


Today going to show you how can you port forward if you are behind NAT (or CG-NAT). In some cases, when you want to host some game server or website, you might need to open ports. That might be a problem if you are using mobile network (4G LTE, 5G,…). Typically, the ISP doesn’t allow port forwarding (you might try to ask them if they have public IPv4 or IPv6, but that is outside the scope of this post), so you are going to need other means of port forwarding. In this case, we are going with a private VPN route.
I am taking inspiration from this video.

You will need:

  • VPS with public IPv4 address (you can get one for free from Oracle Free Tier) running Linux
  • Bit of Linux know how
  • Lot of patience

    VPS — Virtual Private Server

WireGuard and Nginx

In this chapter we will install and configure WireGuard and Nginx reverse proxy.

Update packages on the VPS:

Install WireGuard and Nginx:

Then do:

The command is used to create and write to the WireGuard configuration file (/etc/wireguard/wg0.conf) with correct permissions.

  • umask 077: Sets the file creation mask to 077, which means new files will have permissions 700 (read, write, and execute for the owner only, no permissions for group and others).
  • printf "[Interface]\nPrivateKey= ": Prints the initial contents of the configuration file, which includes the [Interface] section and a placeholder for the private key.
  • | sudo tee /etc/wireguard/wg0.conf > /dev/null: Uses sudo to write the printed content to the configuration file as a superuser. The tee command writes to both standard output and the specified file, but > /dev/null discards the standard output, so the content only goes into the file.

Next run this command. It will generate a key that you need to write down somewhere:

Then we are going to edit WireGuard’s config file:

Append after “PrivateKey” this:

Before
After

Now install WireGuard on your local machine (Windows or Linux). I will show you both. We will set port forwarding later.


Windows

Open WireGuard and click the little triangle besides “Add Tunnel” and click “Add empty tunnel”

Now there are few things we need to do:

Note down the “Public Key” of the tunnel (same as we did earlier in the VPS)

Now name the tunnel (name doesn’t matter). Copy and edit the following config:

How it should look like.

Now we are going to add our tunnel to our WireGuard config on our VPS:

Now on a new line copy following

wg0 config on VPS

We can now start the WireGuard server:

Now check if the server is running:

Find “wg0” and check if it looks like this

Now we need to allow traffic via “iptables”. Because this is test / debug system or private system we can allow everything trough firewall. I DO NOT recommend doing this on production systems. If you want to enhance security port forward only required ports. This is for demonstration only, and I hold no liability for any compromised systems.

  • iptables -P OUTPUT ACCEPT: This sets the default policy for the OUTPUT chain to ACCEPT. This means that any outgoing network packets are allowed by default.
  • iptables -P INPUT ACCEPT: This sets the default policy for the INPUT chain to ACCEPT. This means that any incoming network packets are allowed by default.
  • iptables -P FORWARD ACCEPT: This sets the default policy for the FORWARD chain to ACCEPT. This means that any packets being routed through the system (i.e., not destined for the system itself but passing through it) are allowed by default.
  • iptables -F: This flushes all the rules in all chains. Essentially, it removes any custom rules that have been added, resetting the chains to their default policies.

Then we can turn ON the tunnel on our Windows PC.
This is the result you want to see

Linux

This is basically the same process. We will repeat the installation and config steps from the beginning (except we are not going to install Nginx on our client machine):

Next run this command. It will generate a key that you need to write down somewhere:

Then we are going to edit WireGuard’s config file:

Now name the tunnel (name doesn’t matter). Copy and edit the following config:

Now do the same treatment for the firewall as before.

Now you can repeat these steps as many times as you like, just increment the IP address of the clients and keep track of them (i.e.: 192.168.33.1 = Windows PC; 192.168.33.2 = Linux Server; 192.168.33.XXX = <whatever service>).


Port forwarding

Now we are going to port forward using the Nginx reverse proxy.

On VPS open Nginx config:

Go to the bottom of the file.
For example, we want to forward some server
— Port: 9998
— Windows PC: 192.168.33.2
— Needs both TCP and UDP forwarded
You can do this:

Everything above needs to be in stream{...}



Now we need to restart Nginx and WireGuard:

Now enable Nginx on startup:

Done! This is how you port forward with WireGuard and Nginx! If you want to add more servers or ports just repeat the steps above. Hope everything works for you!


Common errors

If you can’t connect to the server and error message like this is appearing:

That means you have blocked port 55100. You just need to open that port and the connection will establish.

Installing and configuring CUPS in Proxmox


I have an old printer and I want to make it network discoverable. For this tutorial, you will need already running Proxmox server and a bit of know-how.

I am using VM instead of LXC because I’ve encountered some connection problems when passing the USB printer trough.


Installing Debian VM

Go to https://tteck.github.io/Proxmox/#debian-12-vm and copy the installation command.

Login into your Proxmox server and open shell on your node.

Paste the code in and press Enter. Now enter and select the following:

  1. “This will create a New Debian 12 VM. Proceed?” → Yes
  2. “Use Default Settings?” → Advanced
  3. “Set Virtual Machine ID” → Leave default
  4. “Choose Type” → Leave default
  5. “Disk cache” → Leave default
  6. “Set hostname” → “cups”
  7. “CPU Model” → Leave default
  8. “Allocate CPU Cores” → 1
  9. “Allocate RAM in MiB” → 1024
  10. “Set a Bridge” → Leave default
  11. “Set a MAC Address” → Leave default
  12. “Set a VLAN” → Leave blank
  13. “Set Interface MTU Size” → Leave blank
  14. “Start VM when completed?” → Yes
  15. “Ready to create a Debian 12 VM?” → Yes
  16. “Which storage pool you would like to use for cups?” → I assume you don’t have any other disks in your Proxmox server, so choose local-lvm (Press space bar to make selection, then tab and OK)

Now wait and don’t close the console.

If you did everything correctly, this should be the result.
And the machine ID should be in the “Server view” list


Making the disk size bigger

This part will be the tricky one. We need to extend the disk size from 2 GB to 8 GB. Unlike LXC container (where you add disk capacity in Proxmox UI), you will need to run some commands in the VM.

Click the VM in the server view list → Hardware → Select “Hard Disk” → Disk Action → Resize → Size Increment (GiB) → 6 → Resize Disk
Now the Hard Disk section should contain …,size=8G,…

Now we need to resize the disk in the actual VM. Press Console:

You should see prompt “root@localhost:~#”

Now list disks using fdisk:


If /dev/sda is 8 GB, good. (Ignore the red error for now, we will deal with that later)


Now update the repositories:

Install parted:

Now run parted:

Your shell should change to this:

Then type print (warning should pop up, type Fix). Take note of the ext4 partition (that is the root partition that we want to expand, for me, it is 1).

Type in this (replace the “1” with your partition number):

Accept the warning by typing Yes

Type in print again and check if the size changed. At the start of this step it was around 2000 MB now it changed to 8456 MB, so we successfully changed the size.


You can quit the parted shell by typing “quit”

Now reboot the VM by typing reboot:

Login again.

We are done resizing the disk!


Installing CUPS

(Finally) We are going to install CUPS and drivers for our printer.

Update system via:

Install CUPS and Splix (https://github.com/OpenPrinting/splix: drivers for old printers, if yours doesn’t work, you will need to find another one):

Then start CUPS.

Enable auto-start at boot time.

Check its status:

Output should look similar to this

Now we are going to edit the config file:

Here we need to modify a few things.

Find the following line:

Change it to:

Then find:

Change it to:

Then we need to make the web UI accessible only from LAN, find these lines:

And change them to this:

Now save and close the file. (Press CTRL + X, then Y, then Enter)

After these changes restart CUPS service:

Now create a user called cups (set the password to whatever you want):

Then add the “cups” user to “lpadmin” group:

Now we need to find out the local IP of our VM

Copy that IP, we will need it later.

Go back to Proxmox UI and click “Hardware”

  1. Connect your printer via USB to the Proxmox server
  2. Click Add
  3. Click USB Device
  4. “Use USB Vendor/Device ID” → Find your printer
  5. OK

Type the IP from earlier in your search bar:

  1. Click “Administration”
  2. Login your with your “cups” credentials → “Add Printer”
  3. Click on your printer from the list, click “Continue”
  4. Edit the details to your liking and check “Share This Printer”, click “Continue”
  5. Choose correct driver for the make of your printer, click “Continue”
  6. Click “Set default options
  7. Everything default should be correct, click “Set default options”

Now you are finished! Your old printer should be discoverable on your local network using IPP (Internet printing protocol).

I hope this guide helped you!