I want to move away from Cloudflare tunnels, so I rented a cheap VPS from Hetzner and tried to follow this guide. Unfortunately, the WireGuard setup didn’t work. I’m trying to forward all traffic from the VPS to my homeserver and vice versa. Are there any other ways to solve this issue?
VPS Info:
OS: Debian 12
Architecture: ARM64 / aarch64
RAM: 4 GB
Traffic: 20 TB
You don’t want to forward all traffic. You can do SNAT port forwards across the VPN, but that requires the clients in your LAN to use the VPS as their gateway (I do this for a few services that I can’t run through a proxy; its clunky but works well).
Typically, you’ll want to proxy requests to your services rather than forwarding traffic.
- Setup Wireguard or OpenVPN on the VPS as a server VPN. Allow whatever listener port in the firewall (I use
ufwon Debian, but you can use iptables if you want) - Install HAProxy or Nginx (or Nginx Proxy Manager) on the VPS to act as your frotnend. Those will listen on ports 80/443 and proxy requests to your backend servers. They’ll also be responsible for SSL termination, and your public-facing certs will be set there.
- Point your DNS records for your services to the VPS’s public IPv4
- On your LAN, configure your router to connect to the VPS as a VPN client and route into your LAN from the VPN subnet -or- install the VPN client (WG/OVPN) on each host
- In your VPS’s reverse proxy (HAProxy, etc), set the backend server address and port to the VPN address of your host
I’ve done this since ~2013 (before CF tunnels were even a product) and has worked great.
My original use case was to setup direct connectivity between a Raspberry PI with a 3G dongle with a server a home on satellite internet. Both ends of that were behind CG-NAT, so this was the solution I came up with.
- Setup Wireguard or OpenVPN on the VPS as a server VPN. Allow whatever listener port in the firewall (I use
This one works , I myself have done it cause my shitty isp needs a huge payment for a static public ip. A 5$ VPS was much cheaper . Server behind NAT I can help if you got any doubts
I use rathole https://github.com/rapiz1/rathole
Its been solid.I use this too, and it should be noted that this does not require wireguard or any VPN solution. Rathole can be served publicly, allowing a machine behind a NAT or firewall to connect.
I managed this by using tailscale, with a kind of weird setup I think, but it just works.
I have tailscale on the VPS and my local server, let’s say its tailscale name is potatoserver
Then with Caddy on the VPS i have something like:
mywebsite.com { reverse_proxy potatoserver:port }
And so mywebsite.com is accessible on the clearnet through the VPS
Though given you’re getting rid of cloudflare tunnles I don’t know if you’d want to get into Tailscale. There’s Headscale too but I haven’t worked with it so I can’t comment
