Port Forwarding over VPN

Hello everyone, I recently switched from pfSense to VyOS 1.3.6 and I’m still getting used to the CLI, but I really like how everything works. I still have a few things to configure, including what I’m here to ask. Currently my ISP has CG-NAT, so my idea was to get a cheap VPS, make a WireGuard tunnel and redirect the ports from the VPS to my local network while keeping my ISP internet as the default route.

My LAN subnet is 172.20.0.0/16 and the wg tunnel is on 172.26.0.0/31. In pfSense I just made a firewall rule to allow connections from anywhere on the wg interface with the specific port and it just worked.

For example: I want to forward port 9000 TCP to 172.20.1.5, but when on VyOS I make a firewall rule to allow port 9000 TCP on the wg0 interface it does not work. I know it’s something related to routing policies but I can’t get it to work.

I can ping and ssh to and from the VPS from my local network.

The VPS has Debian and all the NAT stuff is managed with bare iptables; since it worked with pfSense I don’t think the problem is in the VPS.

Sorry for my English and thanks.

You need a firewall rule and a NAT rule.

Could I ask why you left pfSense?

The NAT rule is in the VPS, I don’t want to make NAT twice.

My goal was to allow all devices on my local network to access the VPS without having to install WireGuard on each device, so that’s the reason for making the tunnel in VyOS.

I’ve been using pfSense since June 2021 and it’s great; I have learned a lot about routing. But lately when I read about pfSense I always read bad things about Netgate. Although that has not been the reason: it has been mainly because my knowledge of BSD is almost null, and also because of the performance of WireGuard, which I have seen is worse in pfSense.

A port forward is NAT. It might be helpful to explain your topology a little more.

If WG is terminating at your VyOS router you technically don’t need a port forward at all. The routing table should show the route.

My best guess is that even though port 9000 is allowed in, traffic isn’t allowed out from

You need a static route on both sides to tell VyOS where to send the traffic. I.e. tell the VPS your home network is accessible via the VPN, and tell your home VyOS the VPS is accessible via the VPN.

Thank you, very appreciated.

My setup is the following:

VPS wg0: 172.26.0.0/31

VyOS wg0: 172.26.0.1/32

VyOS eth1: 172.20.1.1/16

My Linux Container: 172.20.1.5

I can ping and ssh from the Linux container to the VPS and back, so the tunnel is fine.

For the firewall I have 2 rules:

WG0-IN:

 default-action drop
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 11 {
     action drop
     state {
         invalid enable
     }
 }
 rule 12 {
     action accept
     source {
         group {
             network-group WGv4 # 172.26.0.0/31
         }
     }
 }
 rule 100 {
     action accept
     destination {
         address 172.20.1.5
         port 9000
     }
     protocol tcp
 }

WG0-LOCAL:

 default-action drop
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 11 {
     action drop
     state {
         invalid enable
     }
 }
 rule 12 {
     action accept
     icmp {
         type-name any
     }
     protocol icmp
     state {
         new enable
     }
 }
 rule 13 {
     action accept
     source {
         group {
             network-group WGv4 # 172.26.0.0/31
         }
     }
 }

You can also use BGP if you want to: https://blog.kroy.io/2021/06/23/vyos-from-scratch-routing-and-vps-edition/

P.S. the command syntax might have changed since 2021.

BGP is an automatic way of doing the route sharing. I.e. each VyOS tells the other what’s available via what.

What does your WG out policies look like?

I have always read about BGP but I have never fully understood how it works. I think it may be the solution to my problem, so maybe it is time to learn how to use BGP. Thanks.

I deleted everything because I couldn’t get anything, so right now it’s practically empty, but I’ve been searching and I found this:

https://forum.vyos.io/t/solved-forwarding-single-host-wan-traffic-via-vpn/5192

By redirecting all the traffic from the container to the VPS, the port forwarding works. Now my goal is to keep port forwarding working but using my ISP connection, instead of having to redirect all the traffic to the VPS.

BGP is not a must; you can also do static routes manually without BGP if you only have a few routes. I have a similar setup and I’m doing the manual static routes for now. I plan to upgrade to BGP or a similar protocol soon.
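The goal stated above (replies of the forwarded service going back through the tunnel while everything else keeps the ISP default route) written out as an added example of VyOS 1.3 policy-based routing; this is not configuration from the thread, and the table number 10, the policy name PBR-WG, the peer name VPS and the placeholder key are assumptions.

```vyos
# Added example, not from the thread: VyOS 1.3 policy-based routing so that
# only the replies of the forwarded service (TCP 9000 on 172.20.1.5) leave via
# wg0, while every other flow from the LAN keeps the ISP default route.
# Addresses are the ones posted above: LAN 172.20.0.0/16 on eth1, tunnel
# 172.26.0.0/31 with the VPS on 172.26.0.0. Table 10, the names PBR-WG and
# VPS, and <PEER-PUBKEY> are assumed placeholders.

# 1. Alternate routing table whose only route is "everything via the tunnel".
#    An interface route is used because wg0 is point-to-point (/32 address).
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface wg0

# 2. Match only packets that are replies from the forwarded service: the
#    host, the protocol and the *source* port 9000. Nothing else is affected,
#    so the container's own outbound traffic still uses the ISP route.
set policy route PBR-WG rule 10 description 'TCP/9000 replies back to the VPS'
set policy route PBR-WG rule 10 protocol tcp
set policy route PBR-WG rule 10 source address 172.20.1.5
set policy route PBR-WG rule 10 source port 9000
set policy route PBR-WG rule 10 set table 10

# 3. Attach the policy to the LAN interface where those replies enter VyOS
#    (1.3 syntax; 1.4 uses "set policy route PBR-WG interface eth1" instead).
set interfaces ethernet eth1 policy route PBR-WG

# 4. WireGuard only sends a packet to a peer whose allowed-ips covers the
#    destination, and the destinations here are the clients' public addresses,
#    so the VPS peer needs 0.0.0.0/0. VyOS does not turn allowed-ips into
#    kernel routes, so the ISP default route is unchanged.
set interfaces wireguard wg0 peer VPS allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer VPS pubkey '<PEER-PUBKEY>'

commit
save
```

The existing WG0-IN rule 100 still admits the new inbound connections from the VPS; this policy only fixes the return path, which otherwise follows the ISP default route and is dropped there as a reply to a connection the ISP never saw.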