I wanted to do this for soooo long without any luck, and while the video is mostly a step-by-step guide, you took the time to explain in detail what each thing does/means in the written version. I could not love this channel and this video more!
Half of my homelab setup is because of you and your lessons 💜
Thanks, glad to hear I could help! 💜
I want to take a moment to commend you for how you structured this video. You give a short introduction so I know exactly what you’ll cover, then you do a SHORT ad read that is CLEARLY called out with text AND a timer so I know its scope. I actually listened to it, almost out of respect.
Thanks!
I've been researching this exact issue all day yesterday. Thank you!
Glad I could help!
I'm so glad to be subscribed to this channel
Welcome!
Great. This is a much better solution than anything else. You have absolute control, including firewall rules. What more is required? Thanks Lawrence for this. Only caveat is that one should harden the VPS properly before doing this.
This video is explaining exactly what I am trying to achieve!
Nice, it's like a self-hosted Cloudflare Tunnel kind of architecture, but more flexible.
Great video. I was planning to do such a guide for many years but ... Lawrence is way better at presenting that :)
Great tutorial. Would have loved it if you had made it years ago though 😂
I tried doing this a few years ago, but couldn't get the iptables (or masquerade rules, I can't remember now) rules set up properly. I got close, but got frustrated and gave up.
I ended up installing pfSense on a Linode and configured a site-to-site tunnel, as I knew how to do that (in part thanks to your videos), and it's been working perfectly for the last 4 years. pfSense works perfectly fine on the $5 Linode plan. I kinda like a full-blown pfSense on the other end anyways.
I needed this so my hosted services would run on my backup 4G connection if my main connection went down; again, thanks to your videos I was able to configure failover.
Great video as always....
Would be nice to also see a tutorial on how to connect pfSense to a WireGuard server (i.e. Proton WireGuard) and be able to control only a specific internal device to route out via the tunnel.
Great information. Came across this video doing some research.
Thanks
@LAWRENCESYSTEMS Thank you for all the content. I hope everyone understands the value & the amount of time you put into this.
For more than 10 years I've heard about the IPv6 panacea; this video is necessary since IPv4 is the standard.
Thanks for the video Tom! This actually will give me an idea of how I can host my mail server at home and use a VPS to route the e-mails, since my Comcast public IP does not allow it and port 25 is blocked.
I’m a Tailscale guy. Very nice demo
@Lawrence Systems, as always, thank you very much for the video.
I have replicated the setup and it works great. However, as I am running CrowdSec and other services behind pfSense which need the source IP of the incoming request, I was wondering if there is a possibility of retaining the source IP address through the tunnel and port forwarding of pfSense? Thank you for any ideas!
The iptables statements here are the real special sauce. Interesting you use the VPS essentially as a proxy, which does get the job done. I'd be curious to test this with some masquerade rules as well.
Have been running a similar setup for almost a year now, works great
Same here for more than 2 years. Best way to not use CF Tunnel.
This is awesome. I've been working on trying to get this set up for so long. Would it be possible for this setup to use subdomains to point to different services on your home lab? The end point could be a reverse proxy like Caddy or Nginx. I've seen some other systems like this but they also require using a proxy on the VPS side as well. Thanks again!
Yes, you can forward to a reverse proxy.
Thank you for another great article, Tom!
How can the iptables be modified so that we can forward port 19999 to the pfSense router on port 8443?
Thanks and Happy New Year!
Hi, I tried Tailscale on my TrueNAS server yesterday; well, it works, BUT I can't build a direct connection. So I am stuck on 30/10 speeds at ping 60 with a DERP relay.
Public IP costs 2.90 USD (converted) at my provider so I will probably go that route.
Write-up appears incomplete when viewing.
"For this setup extra static routes are not needed and because all the traffic is ec"
I missed part of the copy / paste. I fixed it, thanks!
Why is the MTU size 1420 and not 1500? 8:57
The reason basically is that you need to account for the actual WireGuard overhead, which is about 80 for a combination of IPv4 and IPv6 packets, which results in an MTU of 1420.
To learn more about that, you should have a look at the pfSense or WireGuard wiki.
Assuming safety when being on a CGNAT network if they are modifying frame size. Setting it a bit lower just makes things get through with less headache.
Default MTU for your LAN/ISP is 1500; your VPN connection is layered within that 1500 MTU so it must use an MTU lower than that, i.e. have an MTU + enough space for packet overhead and still be below 1500. From my experience 1412 is the best and always works. 1420 should work 90% of the time.
@SeijinSA You can go into the MTU & fine-tune so there is zero packet loss. Lion Spergrave (or something) did a good video explaining how to. It seems to me fine-tuning is a better philosophy than lowering the bar. Maybe I don't comprehend carrier grade network address translators in relation to this point, but they are concerned with address allocation limitations with IPv4, not tuning the signal.
@jamerfunk Not disagreeing, but I have seen many CGNAT providers on all sorts of mediums that have either VLAN'ed/GRE/VPN or stacked all kinds of encapsulation on their networks at times. It all depends on what you are having to deal with. 1420/1412 is usually very reliable when things get odd.
I feel lucky that I can still have a static public IP address that I pay pennies for -_- though I wonder how long that will last.
From your ISP?
@Hornet1806 Yeah
I feel the same, although mine is dynamic (so no extra cost of service) but a public IP nonetheless. Even though I wanna get out of Latin America, I feel great for having a dedicated public IPv4 (plus a /48 IPv6) and not being CG-NATed.
thanks for this
Could you suggest/spec how "big" (cores/mem/speed/data) the VPS should be? Somewhere while researching trying to do this, I probably confused myself, but I saw something that made me "think" that once connected Tailscale found the shortest/most direct path between devices... If this is correct, does this mean that minimal traffic passes through the VPS?
Is this a full data tunnel or just a reroute? Curious about the amount of transfer data I would need to, say, stream video non-stop. The term is escaping me right now \o/
All the traffic is passing from the system running with the public IP, then over the WireGuard tunnel to pfSense. This is not UDP hole punching.
Can you show us this with wireguard-go instead, please?
Why?
Is it also possible to configure this for a static IPv6? I have IPv6 from the provider, but only dynamic, and this is not suitable for a mail server.
I have an ASUS AX6000 as my router. Can I use it in place of pfSense? If not, can I run pfSense with one connection to my LAN only and do this?
Great video! It would be nice to see you do a similar video showing how you can pass the real client IP over the VPN.
Backend services only seeing the WireGuard IP could be problematic for a multitude of reasons including but not limited to general logging/reporting, implementing fail2ban, etc.
One way I think this would be possible is to have HAProxy in TCP mode on the VPS using HAProxy on pfSense as a backend over the tunnel. The real client IP could be sent to HAProxy on pfSense via proxy protocol. All cert management could be handled by pfSense, and dynamic DNS updates should theoretically work from pfSense over the tunnel as well.
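As an added illustration (not from the video or either commenter) of the HAProxy relay sketched in the comment above, which also answers the earlier CrowdSec question about keeping the client's source IP through the tunnel: the VPS relays raw TCP and tags each connection with PROXY protocol v2, and the pfSense side terminates TLS and trusts that header only on the tunnel interface. The tunnel address 10.200.0.2, the LAN server 192.168.10.20:8080 and the certificate path are assumptions.

```haproxy
# ---- VPS (public IP): /etc/haproxy/haproxy.cfg ----
# Pure TCP relay: TLS is NOT terminated here, so the VPS never holds the
# certificate or sees plaintext. Each relayed connection is prefixed with a
# PROXY protocol v2 header carrying the client's real source IP and port.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend fe_public_https
    bind :443
    default_backend be_pfsense_https

backend be_pfsense_https
    # 10.200.0.2 is the assumed pfSense address inside the WireGuard tunnel.
    server pfsense 10.200.0.2:443 send-proxy-v2 check

# ---- pfSense side: equivalent of what the HAProxy package would generate ----
# accept-proxy makes HAProxy take the client address from the PROXY header,
# so this frontend must be reachable ONLY from the VPS peer: bind it to the
# tunnel address and keep the WireGuard interface firewall rule limited to
# the VPS. Any other host that can reach it could claim an arbitrary source.
frontend fe_tunnel_https
    bind 10.200.0.2:443 accept-proxy ssl crt /path/to/fullchain-and-key.pem
    mode http
    option forwardfor                         # X-Forwarded-For = real client IP
    http-request set-header X-Real-IP %[src]  # %[src] is the PROXY-header address
    default_backend be_webapps

backend be_webapps
    mode http
    server app1 192.168.10.20:8080 check      # assumed LAN web server
```

With this in place the pfSense HAProxy log, fail2ban and CrowdSec see the real client address rather than the VPS's tunnel IP, while the VPS log still records the raw TCP connections for correlation.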
Hahaha!! That's "The IT Crowd" internet representation 🤣
Useful stuff, would this work in info too?
Exactly what I was looking for to host on a Starlink :)
Excellent explanation! I tried replicating it to set up a site-to-site VPN between two UniFi gateways, but I couldn't get it to work. It would be great if someone could help me.
Nice.
I forgot Linode existed.
Well, technically they are Akamai now, but I still call them Linode.
I did the same setup, but I used pfSense as a VPS on the public side
I'm baffled at how to generate these private keys and public keys (which seem to be pre-generated) when you add a pool/tunnel? I'm a total noob at this but I am very interested in learning the craft as fast as possible. MAYBE NOT WITH THE BEST OF GRAMMAR OR SPELLING, but please forgive that... Dave. Thanks for the video, and I will be doing this on the least loved platform for anything really, WINDOWS 10.....'(
This seems like a bad idea, you already have a public facing asset, just use it. Piping a server over a WireGuard connection over a satellite or cellular connection seems like a really bad idea.
I must admit that the GUI in pfSense isn't as logical as I thought, it's a headache at the beginning. iptables, omg :p
Thanks. Great video.
Didn't know that was possible with pfSense, my current setup is probably way behind: CHR on cloud, WireGuard here and there, port forward on the CHR, I have nodes in 5 different countries for different manual routing instead of auto route (lowers latency by quite a bit)
Hi, you complicated things. :) You can use an easy script to install a WireGuard server on the VPS, and on the client install WireGuard. Create a client with the automatic script and it will work, doing this for years... :)
So if you want to reach 10 different Linux VMs you don't let pfSense handle the routing but instead have 10 separate WireGuard peers?
@FrankyDigital2000 Yes, and I make a different port for every client :), I have at home 2 "mini servers" which have 5G SIM and another mini server in my car... :D to get some OBD data and other stuff
First
This is needlessly complicated. Fast Reverse Proxy does the same thing but better in every way. Your future self will also be thankful for simple declarative config and hot reload of changes directly from the local web UI.
Perhaps I'm missing something, but I don't see any reason to use WireGuard for bypassing CGNAT; it is just a headache compared to other solutions.
Then this is clearly not the solution for you.
I don’t understand how FRP is supposed to be easier, just looking at their GitHub page this looks a lot more complicated than the solution in this video.
@LAWRENCESYSTEMS Fair enough, was just wondering why everyone suggests WireGuard+iptables for CGNAT bypass. Seems overkill for such a task.
I've also set it up this way (due to similar recommendations) my first time and it worked fine, but took some time to get it right. After finding better (for me) solutions, I'm questioning whether I'm missing something obvious, or people are just not familiar with other approaches.