VPS as Wireguard bridge for site - site behind NAT, dynamic IP

edited October 5 in Technical

This was surprisingly easy to get going.

Topology - pfSense running on proxmox at a remote site behind ISP router and with a dynamic IP (so double NAT). Proxmox box also runs a container with piHole and a small debian VM.

I need to remotely administer the whole thing. Initially I set up DuckDNS to get the remote IP and an openVPN server on pfSense, but thought there might be an easier solution. There is.

I have a mrVM VPS (thanks @mikho) running Wireguard as installed using @Nyr 's installer https://talk.lowendspirit.com/discussion/974/wireguard-automated-installer-ubuntu-debian-centos-fedora Thanks @Nyr .

The remote subnet is, my local is .

Installed Wireguard on the debian VM running on the remote subnet, and created a .conf file for it on the VPS using @Nyr 's tool. Edited the entry in /etc/wireguard/wg0.conf on the VPS for the new client and changed:

AllowedIPs = 10.7.0.X/32, ipv6 address


AllowedIPs = 10.7.0.X/32,

That does the magic routing of over Wireguard to that remote client. I probably could have left the ipv6 entry there as well.

On the remote debian client:

iptables -A FORWARD -i wg0-client -j ACCEPT
iptables -t nat -A POSTROUTING -o ensX -j MASQUERADE

Where wg0-client is the name of the .conf file on the remote debian VM and ensX is its virtual NIC.

Made iptables persistent and started the Wireguard connection as a service:

systemctl start [email protected]
systemctl enable [email protected]

Edit: Oops, and also edit /etc/sysctl.conf on the remote debian VM and add or change:

net.ipv4.ip_forward = 1

then reboot or just do:

sysctl -p

Works like magic - I have full access to the remote subnet from my local machine (once that machine is also connected as a Wireguard client of the VPS), without doing anything further.

Sign In or Register to comment.