
AlexPewMaster

@[email protected]

Hi, I’m Alex! I like to talk about all sorts of things, like self-hosting stuff, programming shenanigans, random memes, games and probably some other stuff too!


How can I bypass CGNAT by using a VPS with a public IPv4 address?

I want to move away from Cloudflare tunnels, so I rented a cheap VPS from Hetzner and tried to follow this guide. Unfortunately, the WireGuard setup didn’t work. I’m trying to forward all traffic from the VPS to my homeserver and vice versa. Are there any other ways to solve this issue?...

AlexPewMaster OP ,

Not really, pinging my homeserver via the VPS returns:

```
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms
```
AlexPewMaster OP ,

The biggest obstacle for me is the connection between the VPS and my homeserver. I have tried this today and I tried pinging 10.0.0.2 (the homeserver IP via WireGuard) and get this as a result:

```
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms
```

Not sure why though.

AlexPewMaster OP ,

Hi, thank you so much for trying to help me, I really appreciate it!

VPS wg0.conf:

```
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32
```

Homeserver wg0.conf:

```
[Interface]
Address = 10.0.0.2/24
PrivateKey = REDACTED

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = SERVER_IP:51820
```

(REDACTED would’ve been the public / private keys, SERVER_IP would’ve been the VPS IP.)
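As an added example (editor's code, not the poster's), a small checker that parses the two wg0.conf files above and cross-checks what this CGNAT-bypass layout depends on: the VPS peer's AllowedIPs covering the home address, the home side's Endpoint pointing at the VPS ListenPort (only the home side can initiate, since the VPS cannot reach it), a PersistentKeepalive to hold the NAT mapping open, and FORWARD rules next to the DNAT. The embedded configs are constructed copies of the posted pair with the redacted keys, PostDown and the second PostUp omitted.

```python
# Constructed copies of the two wg0.conf files posted above (keys, PostDown and the UDP PostUp omitted).
VPS_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32
"""
HOME_CONF = """[Interface]
Address = 10.0.0.2/24
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = SERVER_IP:51820
"""

def parse_wg(text):
    """wg-quick INI parser; values are lists because PostUp/PostDown may repeat."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            section.setdefault(key, []).append(value)
    return interface, peers

def check_pair(vps_text, home_text):
    """Return findings as strings; an empty list means the pair is consistent."""
    (vi, vpeers), (hi, hpeers) = parse_wg(vps_text), parse_wg(home_text)
    findings = []
    home_ip = hi["Address"][0].split("/")[0]
    listen = vi.get("ListenPort", ["51820"])[0]  # wg-quick's default when unset
    if not any(f"{home_ip}/32" in p.get("AllowedIPs", []) for p in vpeers):
        findings.append(f"VPS peer AllowedIPs must contain {home_ip}/32")
    for p in hpeers:  # only the home side can initiate through CGNAT
        endpoint = p.get("Endpoint", [""])[0]
        if not endpoint.endswith(f":{listen}"):
            findings.append(f"home Endpoint {endpoint!r} does not target port {listen}")
        if "PersistentKeepalive" not in p:
            findings.append("home peer lacks PersistentKeepalive; the NAT mapping will expire")
    if not any("FORWARD" in cmd for cmd in vi.get("PostUp", [])):  # DNAT still traverses FORWARD
        findings.append("VPS PostUp has no FORWARD accept rules (ufw sets the FORWARD policy to DROP)")
    return findings
```

Run against the posted pair it reports only the missing FORWARD rules, which matter once traffic is forwarded but do not explain the failed handshake itself. The `ping: sendmsg: Destination address required` lines above are what WireGuard returns when the VPS has no endpoint for the peer yet, i.e. no handshake from the home side has arrived at UDP 51820.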

AlexPewMaster OP ,

I do not get a response when pinging the VPS’s WG IP from my homeserver. It might have something to do with the firewall that my VPS provider (Hetzner) is using. I’ve now allowed the port 51820 on UDP and TCP and it’s still the same as before… This is weird.

AlexPewMaster OP ,

Hmm, the keys do match on the two different machines. I have no idea why this doesn’t work…

AlexPewMaster OP ,

What would that kind of setup look like?

AlexPewMaster OP ,

I have no idea how to properly manage the firewall with Hetzner. I’ve opened the ports on the Hetzner management page and I ran several iptables commands to allow traffic from those ports. Still doesn’t work. This is weird!

AlexPewMaster OP ,

The command you provided for the VPS returns UDP listen needs -p arg, so I just added -p right before the port number and then it worked. Running the homelab command returns no port[s] to connect to… Not good.

AlexPewMaster OP ,

Very interesting… How do I get started?

AlexPewMaster OP ,

Does iptables count as a firewall? You said that I should “forget” iptables. Is it that bad? It came preinstalled on the VPS. Should I switch? And if so, how?

AlexPewMaster OP ,

I tried to open the port 22 on UDP (yeah, I am getting pretty desperate over here…) and still get the message no port[s] to connect to… Someone else on this post commented that I should stop using iptables for opening ports and start using something else as a firewall. Should I try this approach?

AlexPewMaster OP , (edited)

Alright, sounds good. What firewall are you recommending me to use? I would like to use a firewall that’s easy to manage.

Edit: I went with ufw.

AlexPewMaster OP ,

What do you mean with “clear out iptables completely”? Should I remove the iptables package with sudo apt remove iptables?

AlexPewMaster OP ,

Alright, I switched to ufw and… it’s still not working. sigh

Should we just try something completely different? WireGuard doesn’t seem to be working on my VPS. Someone in the comments mentioned tunneling via SSH, sounds interesting.

AlexPewMaster OP ,

I’ve added some different ports for the future, but this is my ufw status:

```
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
51820                      ALLOW       Anywhere
2333                       ALLOW       Anywhere
80                         ALLOW       Anywhere
81                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
51820 (v6)                 ALLOW       Anywhere (v6)
2333 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
81 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
```
AlexPewMaster OP , (edited)

I’ve added the firewall rule and it still says no port[s] to connect to whenever I run `echo "Testing" | nc -u SERVER_IP -p 51820`. I feel like you’re trying to stay on a sinking ship, so I would suggest trying another method to see if we can even get the whole “bypass CGNAT with a VPS” thing to work at all.

Update: I’ve tried setting up SSH tunneling instead and it STILL doesn’t work. I contacted Hetzner support about this issue and I’m hoping that they can resolve the firewall issues that I’m having.

AlexPewMaster OP ,

How do I make the SSH tunnel forward traffic? It can’t be as easy as just running ssh user@SERVER_IP in the terminal.

(I only need variant 1 btw)

AlexPewMaster OP ,

Hi, whenever I try to enter the ports 80 and 443 at the beginning of the -R parameter, I get this error: Warning: remote port forwarding failed for listen port 80. How do I fix this?

AlexPewMaster OP ,

I know, I just added the speed test because I can. If people want to use it, they can.

AlexPewMaster OP ,

Thank you! I appreciate the feedback!

AlexPewMaster OP ,

Thank you for pointing these things out! I’ve removed Dockge from Uptime Kuma.

AlexPewMaster OP ,

I prefer owning my server hardware to renting a VPS. I completely forgot that I couldn’t port forward in my home network, so Cloudflare was my last-minute solution to that problem.

AlexPewMaster OP ,

If you have a domain and connected it to Cloudflare, you can assign tunnels to specific subdomains. For example, I have Invidious running locally on my server with port 3000. I connected the server with a Cloudflare tunnel and pointed invidious.reallyaweso.me to http://192.168.0.17:3000, which is my local IP.

AlexPewMaster OP ,

Thanks! I’m glad that I could show you some other services!

AlexPewMaster OP ,

Hey, thank you for your blog post. I’m definitely reconsidering my choices with Cloudflare tunnels. I will take a look at the VPS setup. Privacy is something that I really care about, so this would be pretty useful. I would definitely be ready to pay 3.29€ per month for the privacy aspects of this setup.

AlexPewMaster OP ,

I’ve never heard of Intel N100 before, what’s that? Just so you know, a Raspberry Pi 5 with 8 Gigabytes of RAM costs ~90€ in my country (Germany). I wouldn’t really count that as overpriced. Could you show me some machine examples with Intel N100?

AlexPewMaster OP ,

> but the SD cards don’t last long

This is what scares me the most. Ideally, I want a whole SSD to store data. I really don’t want to lose any important data. I plan on hosting public services (like the services I’ve mentioned above) under my domain, so having a reliable drive would be really helpful.

AlexPewMaster OP ,

Is a Pentium powerful enough? I recently found a YouTube channel called “Wolfgang’s Channel” and he also has a home server with a Pentium. He says it is plenty for these kinds of tasks.

AlexPewMaster OP ,

I want my private information to be hidden in Whois requests. Also, I don’t want to buy a domain from a registrar that seems very sketchy.

AlexPewMaster OP ,

What kind of TLD did you buy? Did you choose a TLD that’s supported by the WHOIS privacy? I wanted to see if alexpewmaster.de was available, and it told me this:

```
⚠️   PRIVACY WARNING ⚠️

This TLD does not allow WHOIS privacy but generally redacts your personal information. This means that your personal contact information will be sent to the registry but it should not be made public.
```
AlexPewMaster OP ,

Njalla doesn’t seem to be a good option according to this comment on a privacy-focused forum.

AlexPewMaster OP ,

That seems to sum up my question. Thank you!

AlexPewMaster OP ,

It’s great for my needs. If you think about picking one up today, I wouldn’t really recommend it. It just offers too few resources to be actually viable in regular daily use. I use mine because I had it lying in the dust for a couple of years. Well, it’s enough for my Mumble server and the bots I use for Discord and Matrix.

AlexPewMaster OP ,

This docker compose up -d thing is something I don’t understand at all. What exactly does it do? A lot of README.md files from git repos include this command for Docker deployment. And another question: How can you automatically start the Docker container? Do you need a systemd service to run docker compose up -d?

AlexPewMaster OP ,

What is Portainer? You’ve said that it’s a web UI, but what exactly does it provide you with?

AlexPewMaster OP ,

Sounds awesome! I’ve taken a look at Portainer and got confused on the whole Business Edition and Community Edition. What are you running?

AlexPewMaster ,

I love how it says “Restaurants” but then displays an image with ice cream, makes a lot of sense 👍

AlexPewMaster ,

Congratulations, you are now being put on a watchlist!
