Skip to content

VPS to expose services

Exposing internal services behind CGNAT using a VPS

Testing Actions

Requirements

  • A VPS at the provider of your choice
  • A reverse proxy installed on VPS, I have chosen Caddy
  • Exposed ports for wireguard
    • Wireguard default: 51820
  • Wireguard installed (sudo apt install wireguard)

VPS Setup

(This is for an Oracle Cloud VM) - Edit the iptables.v4 rules file: sudo nano /etc/iptables/rules.v4
- Add a firewall rule to accept the Wireguard port -A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT right below the SSH rule
- Apply the changes to iptables sudo iptables-restore /etc/iptables/rules.v4

Wireguard VPS setup

  • Generate WG Keys wg genkey | tee private.key | wg pubkey > public.key
  • Make WG Config sudo nano /etc/wireguard/wg0.conf
    • Will look something like this:
      [Interface]
      PrivateKey = ServerPrivateKey
      Address = ServerInterfaceIP/24
      ListenPort = 51820
      PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
      PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
      
      [Peer]
      # OPNSense
      PublicKey= OPNSenseClientPublicKey
      AllowedIPs=10.45.75.2/32, LANIPRange/24 (You don't need this unless you want to access your LAN network from WG Clients)
      PersistentKeepalive=25
      

OPNSense VPN setup

  1. Login to OPNSense
  2. Go to VPN > Wireguard > Instances
  3. Click the plus icon
  4. Give it a name
  5. Click the gear icon to generate a public and private keypair
  6. Replace the private key with the [interface] private key from the wireguard config file
  7. Leave the Listen Port blank
  8. Set the tunnel address in /32 format using the tunnel address from the wireguard config file
  9. Leave peer selection blank for now and save
  10. Go to the peers tab
  11. Click the plus icon
  12. Enter in a name
  13. Enter the public key from under the [peer] section in the wireguard config file
  14. Enter the preshared key from under the [peer] section in the wireguard config file
  15. Set the allowed IPs. I set 10.45.75.0/24
  16. Set the endpoint address from the wireguard config file
  17. Set the endpoint port from the wireguard config file
  18. Select the instance you created in step 4
  19. Set the keepalive interval to 20
  20. Save and apply

OPNSense Interface Setup

  1. Go to Interfaces > Assignments and assign the new wireguard interface. Check enable interface and prevent interface removal
  2. Go to System > Gateways > Configuration, add a new gateway. Give it a name, set the interface to the newly created wireguard interface, and set the gateway IP to the IP of the wireguard interface you created. Check far gateway and either enable or disable monitoring
  3. Save and apply

OPNSense rules setup

  1. Go to Firewall > Rules > VPN Interface and add a new rule
  2. Set the source to WGServerIP/32
  3. Set the destination to WGOPNsenseWGInterfaceIP/32, and the protocol to "ping"
  4. Give it a name
  5. Save and apply
  6. You should now be able to ping the OPNSense wireguard interface from the VPS

OPNSense port forward

  1. Go to Firewall > NAT > Port-Forward
  2. Click the plus icon. Set the interface to the OPNSense wireguard interface, set the source IP to the VPS Wireguard Interface IP, set the destinaion IP to the OPNSense wireguard interface IP, set the port you want to forward, and set the redirect IP to the LAN IP address you want to send the traffic to.
  3. I have chosen to use a reverse proxy on the VPS to expose the internal services of my homelab. You can now set the wireguard interface IP and the port of the service you want to access on the reverse proxy on the VPS and it will look like this:

    VPSPublicIP > > WireguardGatewayIP > OPNSenseWireguardInterfaceIP > LANIPOfService

Done