this post was submitted on 06 Mar 2026
12 points (92.9% liked)

Linux

12710 readers
413 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
12
How do I pass traffic on some port to a wireguard peer (lemmy.ml)
submitted 3 days ago by lonesomeCat@lemmy.ml to c/linux@programming.dev
8 comments fedilink hide all child comments
 

So I have an http server on node A, and a VPS on node B. Both are connected through wireguard on a VPN which consists only of these two nodes. I'm trying to make all the requests that arrive on http/s on node B to be forwarded to A and processed there. Then of course the response must return to the original sender. I've seen a million ways to do it online and I'm hitting a brick wall so how would you do it properly on a fresh install (assuming my firewall, ufw in my case, is disabled. I'll figure it out once routing works as intended)

top 8 comments
sorted by: hot top controversial new old
[–] kittykillinit@lemy.lol 1 points 6 hours ago (1 children)

I had something like this set up where essentially my wireguard VPS acted as a proxy that allowed me to forward all ports to my local machine that's connected to it.

I had to use AI to figure this out, and I still don't get it. Here are the commands that I saved:

ip route add 10.0.0.2/32 dev wg0;
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT;
iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT;
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination 10.0.0.2;
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1:65535 -j DNAT --to-destination 10.0.0.2;

This is to be run on the wireguard VPS.

wg0 is the name of the wireguard interface, brought up with something like wg-quick up wg0. eth0 is the name of the network interface.

I don't fully understand it so I can't explain it better, but this is what allowed me to forward traffic from my VPS to my computer as though it were a router with open ports.

Hopefully someone more knowledgeable than me can chime in and give clarification.

[–] lonesomeCat@lemmy.ml 2 points 5 hours ago

Yeah I had pain dealing with iptables which is why I decided to ask folks here what they use. I finally went with NGINX stream module. It's very easy to use and I didn't have to mess up my firewall rules this way.

[–] forestbeasts@pawb.social 2 points 2 days ago* (last edited 2 days ago)

We use nginx for that! It can proxy TCP/UDP in general. You can also have it be your TLS endpoint and then pass stuff back to the backend over plain HTTP, if you trust your VPS, but you don't have to.

nginx can preserve the source IP with its "proxy_protocol" feature, somewhat (might only work for HTTPS; with proxy_protocol, nginx on server A will then set the appropriate header with the IP it gets from server B). Or if you decrypt on the VPS, it can set the appropriate header for you before sending it back to server A.

I've got a guide on how we have ours set up: https://frost.brightfur.net/blog/selfhosting-with-a-bounce-vps-part-1/

-- Frost

[–] Scoopta@programming.dev 2 points 3 days ago

Are the https requests being sent to an IP address assigned to node B? If so you either need an nginx reverse proxy on node B or NAT with port forwarding.

[–] possiblylinux127@lemmy.zip 1 points 3 days ago* (last edited 3 days ago)

You need to rewrite the incoming dest IP address to be the IP of node B. The important part is to make sure the source IP is unaltered. On node B you then would need it to route outbound traffic threw Node A. If sounds really complicated it is because it is.

The easiest solution would be to setup a reverse proxy on Node A and have it forward traffic to Node B. Http has this cool header called X-forwarded-for which will automatically take care of routing.

[–] dgdft@lemmy.world 1 points 3 days ago* (last edited 3 days ago) (1 children)

SSH tunneling is the term for what you need here. You can set it up on either end, and it’ll transparently pipe data from a port on the VPS to your TLS box. Configure the web server to reverse-proxy that port, and you’re up and running.

[–] possiblylinux127@lemmy.zip 1 points 3 days ago (1 children)

SSH tunneling is really slow and doesn't preserve the source IP

[–] dgdft@lemmy.world 0 points 2 days ago* (last edited 2 days ago)

SSH tunnels suffer from TCP over TCP, but it's not too much worse than OpenVPN or wg over TCP on the whole. E.g. https://asciinema.org/a/347146.

Nothing OP mentioned in the post required preserving the source IP, but as your root comment alludes to, standard practice is to set an X- header on the reverse proxy to keep source IP.