Host behind CGNAT with Wireguard

By thunderwood

An issue most home labs come to face when moving to a new city or state is finding yourself behind a different ISP, or worse yet, no ISP and using fixed wireless (yikes). I wound up in that spot 6 months ago, with fiber and a dedicated IP address just across the river. The frustration was immense, going through the different phases of acceptance and thinking I would have to find a new hobby (too dramatic?). Then I saw a light at the end of the tunnel in the form of an article buried in the later pages of Google.

I stayed up till 0100, troubleshooting my way through a beta install of pfSense, SSL issues, client IP forwarding, etc. Now we have landed here, with all the web hosting I could ask for, and the reason you are able to get to this page!

Digital Ocean or AWS

The first step is to create an account with a VPS provider (I used AWS Lightsail) and configure the virtual machine for traffic ingress. There are many tutorials on this (link below), so I won’t go over it.

How to Create a Droplet from the DigitalOcean Control Panel :: DigitalOcean Product Documentation

Web hosting does work with the method in that article (Self-Hosted Pro link), but you are unable to see originating IP addresses, which is important for me so Suricata and pfBlockerNG can work their magic.

Forward Proxy Configuration

The initial steps for this, and where I gained the inspiration for an HAProxy solution, can be found in the above link. His article contains all the steps to get your tunnel configured and running; mine only deviates when you come across the iptables section. At that point, come back here.

Below are the commands to get HAProxy configured on the frontend (VPS) and forwarding downstream through the tunnel.

sudo apt install haproxy -y
sudo nano /etc/haproxy/haproxy.cfg

Next, paste the following into the config file (overwrite everything in there). The PROXY protocol is what carries the real client address across the tunnel: `send-proxy` here must be matched by `accept-proxy` on the pfSense HAProxy frontend, otherwise the downstream side receives the header bytes as garbage at the start of each connection.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # See:
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# HTTPS is passed through as raw TCP: TLS terminates on the pfSense side, so
# this box never sees plaintext. send-proxy prepends a PROXY protocol header
# so the downstream HAProxy still learns the real client IP.
frontend https
        bind *:443
        option tcplog
        mode tcp
        default_backend httpsb

frontend http
        bind *:80
        mode http
        option httpclose
        default_backend httpb

frontend vpn
        bind *:10443
        mode tcp
        default_backend vpnb

# <TUNNEL_PEER_IP>:<PORT> is a placeholder for the WireGuard address and port
# of the pfSense side; the post does not show the real values.
backend httpsb
        mode tcp
        server main <TUNNEL_PEER_IP>:<PORT> send-proxy

backend httpb
        mode http
        server main <TUNNEL_PEER_IP>:<PORT>

backend vpnb
        mode tcp
        server main <TUNNEL_PEER_IP>:<PORT> send-proxy

Press Ctrl+O and Enter to save, then Ctrl+X and Enter to exit.

Run the following commands to check the configuration (it should report a valid config) and restart the service:

haproxy -f /etc/haproxy/haproxy.cfg -c
sudo systemctl restart haproxy.service

IMPORTANT: Don’t be the guy who doesn’t use ufw. Only the ports bound above (80, 443, 10443), SSH and the WireGuard UDP port need to be reachable on the VPS.

Reverse Wireguard Side

I won’t be going over this, as Lawrence Systems on YouTube does an amazing job detailing this process (per usual).

Testing Wireguard in the pfsense 2.5 Beta / Development Release – YouTube

Reverse HAproxy side

Now we move to the “backend” HAProxy on pfSense to configure this one option, or you will be troubleshooting for hours. Under Frontend, click Edit on your HTTPS frontend and enter accept-proxy in the Advanced options. This tells HAProxy to expect the PROXY protocol header sent by the VPS side and to take the real client address from it.

Make sure to set the listening address to “Custom” and use the IP of the VPN tunnel (internal side), so the frontend only accepts connections arriving over WireGuard.
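To make concrete what `send-proxy` on the VPS puts on the wire and why the pfSense frontend needs `accept-proxy`, here is an added Python example (not code from the original post or from HAProxy) that builds and parses a PROXY protocol v1 header. The client and tunnel addresses, ports and ClientHello bytes are constructed sample values.

```python
import ipaddress

# PROXY protocol v1 as sent by HAProxy's "send-proxy": one ASCII line of at
# most 107 bytes (CRLF included) prepended to the TCP stream:
#   PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n
MAX_V1_HEADER = 107


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build the header the VPS-side HAProxy prepends to a relayed connection."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(stream: bytes):
    """Split a PROXY v1 header off the start of a TCP stream.

    Returns (info, remaining_bytes). info is None when no header is present,
    which is what pfSense sees if the VPS backend lacks send-proxy (only the
    tunnel IP is then visible). A malformed header raises ValueError, which
    is also how a frontend without accept-proxy experiences these bytes: the
    TLS stack rejects them because they are not a ClientHello.
    """
    if not stream.startswith(b"PROXY "):
        return None, stream  # plain TCP: first bytes are already the TLS record
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY v1 header missing CRLF within 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, stream[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY v1 header: {fields}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ({"family": fields[1], "src_ip": str(src), "dst_ip": str(dst),
             "src_port": sport, "dst_port": dport}, stream[end + 2:])


# Constructed sample: client 203.0.113.7 hits the VPS (192.0.2.10) on 443 and
# the connection is relayed over the tunnel; the payload is a TLS record start.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"
WITH_HEADER = build_proxy_v1("203.0.113.7", "192.0.2.10", 51234, 443) + CLIENT_HELLO

if __name__ == "__main__":
    info, rest = parse_proxy_v1(WITH_HEADER)
    print(info, rest == CLIENT_HELLO)      # real client IP recovered, TLS bytes intact
    print(parse_proxy_v1(CLIENT_HELLO)[0])  # None: no header, only the tunnel IP is known
```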