Open Your Server Behind A CGNAT To The Internet Using An SSH Tunnel
I NEED TO USE WIREGUARD, IT'S FASTER!
Solution: https://gtello.github.io/posts/exposing-server-behind-cgnat/
- Follow the steps up to "Forward Traffic Using iptables". Don't do that step: you can already reach the ports on home-server through its WireGuard IP (192.168.4.2). Use nginx to forward traffic to them instead.
- This guide looks good: https://akrutsinger.github.io/2024/09/01/wireguard-port-forwarding.html
- https://sinkingpoints.com/escape-cgnat-with-wireguard/
- https://edwardwibowo.com/blog/how-to-tunnel-traffic-with-wireguard-forwarding/
/etc/ssh/sshd_config:
https://www.ddos-test.com/result/oid.sh
For TLS traffic, use this:
- Deprecated: I have a better method.
```nginx
stream {
    upstream oid_sh   { server 192.168.4.2:8805; }
    upstream v_oid_sh { server 192.168.4.2:9700; }

    # Pick the backend from the SNI in the ClientHello (no TLS termination on the VPS)
    map $ssl_preread_server_name $backend {
        ~^oid\.sh$    oid_sh;
        ~^v\.oid\.sh$ v_oid_sh;
        default       oid_sh;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
        proxy_timeout 32s;        # Timeout between two successive read or write operations on client or proxied server connections; if no data is transmitted within this time, the connection is closed.
        proxy_connect_timeout 8s; # Timeout for establishing a connection with a proxied server.
    }

    # SMTP server on port 25
    server {
        listen 25;
        proxy_pass 192.168.4.2:25;
        proxy_timeout 32s;
        proxy_connect_timeout 8s;
    }

    # Email submissions on port 465 (TLS)
    server {
        listen 465;
        proxy_pass 192.168.4.2:465;
        proxy_timeout 32s;
        proxy_connect_timeout 8s;
    }

    # Email submissions on port 587 (TCP)
    #server {
    #    listen 587;
    #    proxy_pass 192.168.4.2:587;
    #    proxy_timeout 300s;
    #    proxy_connect_timeout 10s;
    #}

    # IMAP server on port 993 (TLS)
    server {
        listen 993;
        proxy_pass 192.168.4.2:993;
        proxy_timeout 32s;
        proxy_connect_timeout 8s;
    }

    # IMAP server on port 143 (TCP)
    #server {
    #    listen 143;
    #    proxy_pass 192.168.4.2:143;
    #    proxy_timeout 300s;
    #    proxy_connect_timeout 10s;
    #}
}
```
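Added example, not from the page or from nginx: a Python model of what `ssl_preread` does for the config above. It pulls the server name out of the unencrypted ClientHello (the only part of the TLS handshake the VPS ever looks at) and picks the backend the way the `map` block does, falling back to the default when the SNI is missing, unmatched, or the bytes are not a ClientHello at all. `build_client_hello`, `extract_sni`, `route` and the `BACKENDS` table are my names.

```python
import struct
from typing import Optional

# Same mapping as the nginx map block: exact SNI match, else the default upstream.
BACKENDS = {"oid.sh": "192.168.4.2:8805", "v.oid.sh": "192.168.4.2:9700"}
DEFAULT_BACKEND = "192.168.4.2:8805"


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with one SNI entry (test input)."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                            # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                        # not a handshake / not ClientHello
            return None
        pos = 43                                   # record hdr(5) + handshake hdr(4) + version(2) + random(32)
        pos += 1 + record[pos]                     # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]               # cipher_suites
        pos += 1 + record[pos]                     # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]          # extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                      # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += length
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # truncated or malformed: treat as "no SNI"
    return None


def route(record: bytes) -> str:
    """Mimic `proxy_pass $backend`: look the SNI up in the map, default otherwise."""
    return BACKENDS.get(extract_sni(record) or "", DEFAULT_BACKEND)
```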
To make requests from home-server go out with the VPS's IP address:
In Client:
- in the WireGuard config, change AllowedIPs under [Peer] to 0.0.0.0/0
In VPS:
- in /etc/default/ufw, change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT" (I am not sure if this helps)
- Add this to /etc/ufw/before.rules (not sure if this helps, but it probably does)
```
*nat
:POSTROUTING ACCEPT [0:0]
# Replace ens192 with your server's actual public internet interface
-A POSTROUTING -s 192.168.4.0/24 -o ens192 -j MASQUERADE
COMMIT
```
- Add these firewall rules:
```sh
sudo ufw allow in on wg0 && sudo ufw allow out on wg0
```
- This seemed to help but I need to verify.
```
# /etc/ssh/sshd_config on the VPS: lets the -R forwards bind on the public address instead of loopback only
GatewayPorts yes
```
https://www.jeffgeerling.com/blog/2022/ssh-and-http-raspberry-pi-behind-cg-nat
```sh
ssh -N -R 9700:localhost:9700 root@50.114.185.30 -p 22
```
Install autossh, then create this systemd service on home-server:
```ini
[Unit]
Description=AutoSSH Reverse Tunnel for Port 9700
After=network-online.target
Wants=network-online.target

[Service]
# The user who owns the SSH key and should run the tunnel
User=user
# sshpass is assumed to be at /usr/bin/sshpass (ExecStart needs an absolute path).
# The password sits in this unit file; a key-based login for vps_user lets you drop sshpass entirely.
ExecStart=/usr/bin/sshpass -p ssh_pass /usr/bin/autossh -N -R 9700:localhost:9700 -R 8384:localhost:8384 -R 8805:localhost:8805 vps_user@vps_ip -p 22 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes"
Restart=always
RestartSec=5
# 0 stops autossh from giving up when the first connection attempt fails quickly
Environment="AUTOSSH_GATETIME=0"

[Install]
WantedBy=multi-user.target
```
This forwards home-server's ports to the VPS. When you list the listening ports on the VPS with sudo ss -tuln, you will see 9700, 8384 and 8805. That means you can reach the services on home-server through the VPS IP and the corresponding port. You just bypassed CGNAT!
- However, SSH tunneling is slower than WireGuard.