Today going to show you how can you port forward if you are behind NAT (or CG-NAT). In some cases, when you want to host some game server or website, you might need to open ports. That might be a problem if you are using mobile network (4G LTE, 5G,…). Typically, the ISP doesn’t allow port forwarding (you might try to ask them if they have public IPv4 or IPv6, but that is outside the scope of this post), so you are going to need other means of port forwarding. In this case, we are going with a private VPN route.
I am taking inspiration from this video.
You will need:
- VPS with public IPv4 address (you can get one for free from Oracle Free Tier) running Linux
- Bit of Linux know how
- Lot of patience
VPS — Virtual Private Server
WireGuard and Nginx
In this chapter we will install and configure WireGuard and Nginx reverse proxy.
Update packages on the VPS:
root@server:~# apt update && apt upgrade -y
Install WireGuard and Nginx:
root@server:~# apt install wireguard nginx -y
Then do:
root@server:~# (umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
The command is used to create and write to the WireGuard configuration file (/etc/wireguard/wg0.conf
) with correct permissions.
umask 077
: Sets the file creation mask to077
, which means new files will have permissions700
(read, write, and execute for the owner only, no permissions for group and others).printf "[Interface]\nPrivateKey= "
: Prints the initial contents of the configuration file, which includes the[Interface]
section and a placeholder for the private key.| sudo tee /etc/wireguard/wg0.conf > /dev/null
: Usessudo
to write the printed content to the configuration file as a superuser. Thetee
command writes to both standard output and the specified file, but> /dev/null
discards the standard output, so the content only goes into the file.
Next run this command. It will generate a key that you need to write down somewhere:
root@server:~# wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Then we are going to edit WireGuard’s config file:
root@server:~# nano /etc/wireguard/wg0.conf
Append after “PrivateKey” this:
ListenPort = 55100
Address = 192.168.33.1
Now install WireGuard on your local machine (Windows or Linux). I will show you both. We will set port forwarding later.
Windows
- Navigate to https://www.wireguard.com/install/
- Click on “Windows Installer”
- Run the setup and install WireGuard
Open WireGuard and click the little triangle besides “Add Tunnel” and click “Add empty tunnel”
Now there are few things we need to do:
Note down the “Public Key” of the tunnel (same as we did earlier in the VPS)
Now name the tunnel (name doesn’t matter). Copy and edit the following config:
[Interface]
PrivateKey = <private key of your tunnel (auto-generated don't touch this!)>
Address = 192.168.33.2/32
[Peer]
PublicKey = <Public key from VPS>
AllowedIPs = 192.168.33.1/32
Endpoint = <IP Address of the VPS>:55100
PersistentKeepalive = 25
Now we are going to add our tunnel to our WireGuard config on our VPS:
root@server:~# nano /etc/wireguard/wg0.conf
Now on a new line copy following
[Peer]
PublicKey = <Public key from Windows PC>
AllowedIPs = 192.168.33.2/32
We can now start the WireGuard server:
root@server:~# systemctl enable --now wg-quick@wg0
Now check if the server is running:
root@server:~# ip a
Find “wg0” and check if it looks like this
X: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8920 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.33.1/32 scope global wg0
valid_lft forever preferred_lft forever
Now we need to allow traffic via “iptables”. Because this is test / debug system or private system we can allow everything trough firewall. I DO NOT recommend doing this on production systems. If you want to enhance security port forward only required ports. This is for demonstration only, and I hold no liability for any compromised systems.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -P OUTPUT ACCEPT
: This sets the default policy for the OUTPUT chain to ACCEPT. This means that any outgoing network packets are allowed by default.iptables -P INPUT ACCEPT
: This sets the default policy for the INPUT chain to ACCEPT. This means that any incoming network packets are allowed by default.iptables -P FORWARD ACCEPT
: This sets the default policy for the FORWARD chain to ACCEPT. This means that any packets being routed through the system (i.e., not destined for the system itself but passing through it) are allowed by default.iptables -F:
This flushes all the rules in all chains. Essentially, it removes any custom rules that have been added, resetting the chains to their default policies.
Then we can turn ON the tunnel on our Windows PC.
This is the result you want to see
Linux
This is basically the same process. We will repeat the installation and config steps from the beginning (except we are not going to install Nginx on our client machine):
root@client-server:~# apt update && apt upgrade -y
root@client-server:~# apt install wireguard -y
root@client-server:~# (umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
Next run this command. It will generate a key that you need to write down somewhere:
root@server:~# wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Then we are going to edit WireGuard’s config file:
root@server:~# nano /etc/wireguard/wg0.conf
Now name the tunnel (name doesn’t matter). Copy and edit the following config:
[Interface]
PrivateKey = <private key of your tunnel (auto-generated don't touch this!)>
Address = 192.168.33.3/32
[Peer]
PublicKey = <Public key from VPS>
AllowedIPs = 192.168.33.1/32
Endpoint = <IP Address of the VPS>:55100
PersistentKeepalive = 25
Now do the same treatment for the firewall as before.
Now you can repeat these steps as many times as you like, just increment the IP address of the clients and keep track of them (i.e.: 192.168.33.1 = Windows PC; 192.168.33.2 = Linux Server; 192.168.33.XXX = <whatever service>).
Port forwarding
Now we are going to port forward using the Nginx reverse proxy.
On VPS open Nginx config:
root@server:~# nano /etc/nginx/nginx.conf
Go to the bottom of the file.
For example, we want to forward some server
— Port: 9998
— Windows PC: 192.168.33.2
— Needs both TCP and UDP forwarded
You can do this:
stream {
server {
listen 9998;
proxy_pass 192.168.33.2:9998;
}
server {
listen 9998 udp;
proxy_pass 192.168.33.2:9998;
}
#Example for TCP config:
#
# server {
# listen <PORT>;
# proxy_pass <IP>:<PORT>;
# }
#Example for UDP config:
#
# server {
# listen <PORT> udp;
# proxy_pass <IP>:<PORT>;
# }
}
Everything above needs to be in stream{...}
Now we need to restart Nginx and WireGuard:
root@server:~# systemctl restart nginx.service
root@server:~# systemctl restart wg-quick@wg0.service
Now enable Nginx on startup:
root@server:~# systemctl enable nginx.service
Done! This is how you port forward with WireGuard and Nginx! If you want to add more servers or ports just repeat the steps above. Hope everything works for you!
Common errors
If you can’t connect to the server and error message like this is appearing:
Handshake for peer 1 (<IP>:55100) did not complete after 5 seconds, retrying (try 2)
Handshake for peer 1 (<IP>:55100) did not complete after 5 seconds, retrying (try 3)
...
That means you have blocked port 55100. You just need to open that port and the connection will establish.