Host behind CGNAT with Wireguard
An issue most Home Labs come to face when moving to a new city or state is finding yourself behind a different ISP, or worse yet, no ISP and using Fixed Wireless (Yikes). I wound up in that spot 6 months ago with fiber and a dedicated IP address just across the river. The frustration was immense, going through the different phases of acceptance, thinking I would have to find a new hobby (Too Dramatic?). Then I saw a light at the end of the tunnel in the form of an article buried in the later pages of Google.
I stayed up till 0100, troubleshooting my way through a beta install of pfSense, SSL issues, client IP forwarding, etc. Now we have landed here, with all the web hosting I could ask for, and the reason you are able to get to this page!
Digital Ocean or AWS
The first step is to create an account with a VPS provider (I used AWS Lightsail) and configure the virtual machine for traffic ingress. There are many tutorials on this (link below), so I won’t go over it.
Web hosting does work with that method (Self-Hosted Pro link), but you are unable to see the originating client IP addresses, which matters to me because Suricata and pfBlockerNG need them to work their magic.
Forward Proxy Configuration
The initial steps for this, and the inspiration for an HAProxy-based solution, can be found in the link above. His article contains all the steps to get your tunnel configured and running; mine only deviates when you reach the iptables section. At that point, come back here.
Below are the commands to get HAProxy configured on the frontend (the VPS) and forwarding downstream through the tunnel.
sudo apt install haproxy -y
sudo nano /etc/haproxy/haproxy.cfg
Next, paste the following into the config file (overwrite everything in there):
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    # TCP mode: the VPS relays raw TLS bytes and never terminates HTTPS itself
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https
    bind *:443
    option tcplog
    mode tcp
    default_backend httpsb

frontend http
    bind *:80
    mode http
    option httpclose
    default_backend httpb

frontend vpn
    bind *:10443
    mode tcp
    default_backend vpnb

# 192.168.4.2 is the home side of the WireGuard tunnel.
# send-proxy prepends a PROXY protocol header so the backend HAProxy
# learns the real client IP; the backend must be set to accept-proxy.
backend httpsb
    mode tcp
    server main 192.168.4.2:443 send-proxy

backend httpb
    mode http
    server main 192.168.4.2:80

backend vpnb
    mode tcp
    server main 192.168.4.2:10443 send-proxy
Press Ctrl+O and Enter to save, then Ctrl+X and Enter to exit nano.
Run the following commands to check the configuration (it should report that it is valid) and restart the service:
haproxy -f /etc/haproxy/haproxy.cfg -c
sudo systemctl restart haproxy.service
IMPORTANT: Don’t be the guy who doesn’t use ufw.
Reverse Wireguard Side
I won’t be going over this, as Lawrence Systems on YouTube does an amazing job detailing this process (per usual).
Reverse HAProxy Side
Now we move to the “backend” HAProxy to configure this…one…option…or you will be troubleshooting for hours. Under Frontend, click edit on your https frontend and enter accept-proxy in the advanced options.
Make sure to set the listening address to “Custom” and use the VPN tunnel IP (the internal side), not the WAN address.
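Why that one option matters, as an added example that is not part of the original post: send-proxy on the VPS prepends a PROXY protocol v1 line to every relayed connection, and accept-proxy is what strips it before the TLS bytes are read. The script below mirrors both sides in Python on a constructed connection (the client address and the stand-in ClientHello are made up; 192.168.4.2 is the tunnel IP from the config above) and shows what the backend would see with accept-proxy missing. Since anyone who can reach an accept-proxy listener can assert any client address, that listener must only be reachable over the tunnel, which is what binding it to the VPN-side IP achieves.

```python
import ipaddress

MAX_V1_HEADER = 107          # spec limit for a v1 header, CRLF included
TLS_HANDSHAKE_RECORD = 0x16  # first byte of a TLS ClientHello record


def build_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Mirror of what the VPS-side 'send-proxy' prepends to each tunnelled connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1_header(data: bytes):
    """Mirror of 'accept-proxy': validate and strip the header, return
    (client_ip, client_port, remaining_payload). Raises ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no valid PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":  # sender had no address info: keep payload, no client IP
        return None, None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    expected = 4 if fields[1] == "TCP4" else 6
    if src.version != expected or dst.version != expected:
        raise ValueError("address family does not match protocol tag")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, data[end + 2:]


def looks_like_tls(data: bytes) -> bool:
    """True if the first byte is a TLS handshake record; a PROXY header starts with 'P'."""
    return len(data) > 0 and data[0] == TLS_HANDSHAKE_RECORD


# Constructed sample: client 203.0.113.5 hits the VPS on 443, which relays it to 192.168.4.2.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"hello"  # constructed stand-in ClientHello
WIRE = build_v1_header("203.0.113.5", "192.168.4.2", 51234, 443) + SAMPLE_TLS

if __name__ == "__main__":
    ip, port, payload = parse_v1_header(WIRE)
    print(f"with accept-proxy: real client {ip}:{port}, payload is TLS: {looks_like_tls(payload)}")
    # Without accept-proxy the backend tries to read the header itself as TLS and fails:
    print(f"without accept-proxy, first bytes look like TLS: {looks_like_tls(WIRE)}")
```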
AND THAT’S IT!