Port Forwarding with VPN

tribumx

New Member
May 11, 2022
Hey everyone,

I think I'm missing something, because I once got it working, but now I'm stuck. I will definitely take a course on networking, because I need to know more, but maybe someone can help me out quickly for now.
This is my network.
[Attached screenshot: Screenshot_20221104_135349-1.png]
The VM IP is 10.0.0.12.
The VM is connected to a VPN service with WireGuard. I set up port forwarding at the VPN provider and got port 54991.

I used the command on the proxmox host machine
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 54991 -j DNAT --to 10.0.0.12:3389
like I forward every other port to the specific machine.
But I can't connect to the Windows VM with the public VPN IP + port. Do I need to map 54991 to 54991, or what is my error there?
Because I tried mapping 54991 to 54991, but the service is exposed on 3389...

If I don't use the VPN, I can port forward to 3389 easily and it just works.

Thanks a lot!
Hi,

I believe that you have some conceptual errors. You don't need to map any port...

If you want to use a WireGuard VPN, then you need to connect directly to the VM at port 54991 using the VPN IP range, for example: 10.0.0.12:xxxx.
You only need to connect to the VM from inside the WireGuard VPN. Only clients joined to the WireGuard VPN server can connect to/view the 10.x.x.x IP range.

Really, if you created a WireGuard VPN you don't need anything more; only clients joined to WireGuard's VPN see it.

If I analyze your post, you are trying to map a public IP port to a private IP port; if you want to do this you will lose all the WireGuard advantages.

I believe that you are trying this model:

Standard model:
VM private IP -> 10.0.0.2 (internal bridge on Proxmox)
Host public IP ---> 200.0.0.x (Proxmox host public IP)
RDP client ---> 88.0.0.x (your machine or client)

* In this case you could use the example from your post: you need to route the host public IP port to the VM private IP --> 200.0.0.x:54991 DNAT --to 10.0.0.2:3389. If you use this model everyone can connect to the RDP server. You will need a firewall to protect it.

WireGuard model: (I believe that other models exist, but this one is perfect for me and does not require different things)

Wireguard VPN Server -----> 10.0.0.254
VM joined to Wireguard VPN Server -----> 10.0.0.2
Wireguard Client joined to Wireguard VPN Server ----> 10.0.0.3

* In this case the WireGuard client (RDP client) only needs to connect to the WireGuard VPN server first, and after that you can forget about using public IPs. You can connect via RDP directly from WireGuard's IP range (10.0.0.x). Only clients joined to the WireGuard VPN server can see and/or connect directly to these IPs.

This model is easy to scale:

Wireguard VPN Server -----> 10.0.0.254
VM joined to Wireguard VPN Server -----> 10.0.0.1
VM joined to Wireguard VPN Server -----> 10.0.0.2
VM joined to Wireguard VPN Server -----> 10.0.0.3
Wireguard Client joined to Wireguard VPN Server ----> 10.0.0.101
Wireguard Client joined to Wireguard VPN Server ----> 10.0.0.102
Wireguard Client joined to Wireguard VPN Server ----> 10.0.0.103

Maybe you want to use another kind of model; you can search for it now that you understand the WireGuard VPN concepts :)

Sorry for my English, and I hope my explanation did not confuse you and that you can make it work.

Thanks,
He doesn't use a self-hosted WireGuard VPN.
He uses a provider which provides another public IP, perhaps a fixed one or a country-specific IP.
Be careful: do not expose RDP publicly or bots will brute-force you.
Not using a private self-hosted VPN (WireGuard or OpenVPN can do it), a stunnel-PSK or an SSH tunnel is too dangerous because of ransomware or brute-force/DDoS.
> He doesn't use a self-hosted WireGuard VPN.
> He uses a provider which provides another public IP, perhaps a fixed one or a country-specific IP.
> Be careful: do not expose RDP publicly or bots will brute-force you.
> Not using a private self-hosted VPN (WireGuard or OpenVPN can do it), a stunnel-PSK or an SSH tunnel is too dangerous because of ransomware or brute-force/DDoS.

So what are you recommending instead? An RDP gateway?
An RDP gateway is a solution... yes, for a company.
Sorry for my English; the other solutions are the ones I wrote:
a self-hosted VPN listening on your WireGuard public IP
(with OpenVPN, or WireGuard over your WireGuard, I don't know if that is possible, why not...)
an SSH tunnel
stunnel-PSK (which I mainly use, because it's fast and reliable; stunnel runs as a service on the client, and connections are established only when needed)
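The stunnel-PSK option mentioned in the reply above, as an added example that is not code from any poster: a script that generates the shared secret and the two stunnel configurations. It assumes stunnel 5.x on both ends, RDP listening on 3389 on the same machine as the server-side stunnel, Linux-style file paths (stunnel for Windows keeps its files in its own directory, so adjust the PSKsecrets path there), and a forwarded port and VPN address that are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: wrap RDP in TLS-PSK with stunnel so
# that the port the VPN provider forwards only answers to a client holding
# the pre-shared key.  Ports, addresses and file paths are assumptions.
set -eu

# One line of stunnel's PSKsecrets file: IDENTITY:KEY.  The key is 32
# random bytes as hex; stunnel converts hex keys to binary itself.
gen_psk_line() {   # gen_psk_line IDENTITY
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s\n' "$1" "$key"
}

# Server side, in front of the RDP listener: accepts TLS-PSK on the
# forwarded port and hands the plaintext to RDP on the loopback address.
# "ciphers = PSK" refuses every handshake that does not present the key.
server_conf() {   # server_conf FORWARDED_PORT RDP_HOST:PORT PSK_FILE
    cat <<EOF
; stunnel server side (added example)
[rdp]
accept  = 0.0.0.0:$1
connect = $2
ciphers = PSK
PSKsecrets = $3
EOF
}

# Client side: runs next to the RDP client, which connects to 127.0.0.1:3389.
client_conf() {   # client_conf VPN_IP:PORT IDENTITY PSK_FILE
    cat <<EOF
; stunnel client side (added example)
client = yes
[rdp]
accept  = 127.0.0.1:3389
connect = $1
ciphers = PSK
PSKsecrets = $3
PSKidentity = $2
EOF
}

# Write a matching pair of configs plus the shared secret into DIR.
# Both configs point at DIR/psk.txt; fix the path when copying the files
# to the machine where each side actually runs.
write_pair() {   # write_pair DIR VPN_IP FORWARDED_PORT IDENTITY
    mkdir -p "$1"
    gen_psk_line "$4" > "$1/psk.txt"
    chmod 600 "$1/psk.txt"
    server_conf "$3" 127.0.0.1:3389 "$1/psk.txt" > "$1/server.conf"
    client_conf "$2:$3" "$4" "$1/psk.txt" > "$1/client.conf"
}
```

Run `write_pair ./rdp-psk 203.0.113.10 54991 rdpuser` (placeholder VPN address), copy psk.txt plus server.conf to the RDP side and psk.txt plus client.conf to the client, start stunnel with the respective file, and point the RDP client at 127.0.0.1:3389. A scanner that reaches the forwarded port gets a TLS handshake failure and never talks to RDP's own authentication, which is what takes the service out of the brute-force surface.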
I was trying to get this working, but I can't...
My local PC with IP 1.1.1.1 and no open ports wants to connect to a server (origin IP: 2.2.2.2, with the SSH port on 22, but on the origin IP only accessible on port 1222 because of port forwarding). The server is connected to an external OpenVPN server with IP 3.3.3.3 and an open port on 60831. The server has the ufw firewall enabled. The censored part is the OpenVPN IPs.
I now want to SSH to my server through the OpenVPN.
I won't connect my local PC to the OpenVPN server, and I'll use no jump host.
I was trying to get it working with SSH reverse tunneling, but it hasn't worked out for me so far.

Attachment: Screenshot_20230210_144726.png
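The two forwarding problems in this thread (the opening post, where the provider forwards 54991 into a WireGuard tunnel and the DNAT rule sits on the Proxmox host's vmbr0, and the last post, where an OpenVPN-connected server should answer SSH on the forwarded port 60831) share one mechanism and one pitfall. The mechanism: a NAT rule can only match traffic that reaches that machine decrypted, so it has to sit on the tunnel interface (wg0 or tun0) of whichever machine terminates the tunnel; a rule on vmbr0 never sees packets that are decrypted inside the VM, and its packet counter stays at zero. The pitfall: replies to a client that came in through the tunnel follow the main routing table, i.e. the normal uplink, unless they are steered back into the tunnel with a connection mark and a policy-routing table. The script below is an added example, not code from any poster. It assumes the tunnel terminates on a Linux host with iptables, ip-route and conntrack support; the interface names, addresses, table number 100 and mark 0x1 are illustrative, and the counter listing at the bottom is constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the thread.  Forward a TCP port that arrives
# through a VPN tunnel interface and steer the replies back into the tunnel.
# Dry run (prints the commands) unless APPLY=1.  Interface names, addresses,
# the table number and the mark value are assumptions for illustration.
set -eu

TABLE=${TABLE:-100}   # policy-routing table for tunnel-bound replies
MARK=${MARK:-0x1}     # connmark for connections that entered via the tunnel

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Shared pieces: mark new connections that arrive on the tunnel port, and
# route marked packets through the tunnel instead of the default gateway.
mark_ingress() {   # mark_ingress VPN_IF VPN_PORT
    run iptables -t mangle -A PREROUTING -i "$1" -p tcp --dport "$2" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
}
route_marked() {   # route_marked VPN_IF
    # Loose reverse-path filtering: the client's address is not routed via
    # the tunnel in the main table, so strict mode would drop its packets.
    run sysctl -q -w "net.ipv4.conf.$1.rp_filter=2"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default dev "$1" table "$TABLE"
}

# vpn_forward VPN_IF VPN_PORT DEST_IP DEST_PORT
#   Tunnel traffic for VPN_PORT is DNATed to a VM (DEST_IP:DEST_PORT) behind
#   the bridge.  The VM's replies re-enter the host in PREROUTING, where the
#   mark is restored before the routing decision is made.
vpn_forward() {
    vif=$1 vport=$2 dip=$3 dport=$4
    run sysctl -q -w net.ipv4.ip_forward=1
    mark_ingress "$vif" "$vport"
    run iptables -t mangle -A PREROUTING -m conntrack ! --ctstate NEW \
        -j CONNMARK --restore-mark
    run iptables -t nat -A PREROUTING -i "$vif" -p tcp --dport "$vport" \
        -j DNAT --to-destination "$dip:$dport"
    run iptables -A FORWARD -i "$vif" -d "$dip" -p tcp --dport "$dport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$dip" -o "$vif" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    route_marked "$vif"
}

# vpn_local VPN_IF VPN_PORT LOCAL_PORT
#   Same idea for a service on the tunnel host itself (sshd on 22 behind a
#   forwarded 60831).  REDIRECT rewrites only the port; replies are locally
#   generated, so the mark is restored in mangle OUTPUT, after which the
#   kernel re-routes them through the fwmark rule.
vpn_local() {
    vif=$1 vport=$2 lport=$3
    mark_ingress "$vif" "$vport"
    run iptables -t mangle -A OUTPUT -m conntrack ! --ctstate NEW \
        -j CONNMARK --restore-mark
    run iptables -t nat -A PREROUTING -i "$vif" -p tcp --dport "$vport" \
        -j REDIRECT --to-ports "$lport"
    run iptables -A INPUT -i "$vif" -p tcp --dport "$lport" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    route_marked "$vif"
}

# The check: is the DNAT rule for PORT ever hit?  Feed it the output of
# `iptables -t nat -L PREROUTING -v -n -x`; a rule on the wrong interface
# reports "never" because its packet counter stays at zero.
dnat_hits() {   # dnat_hits PORT < counters
    awk -v p="dpt:$1" '$3 == "DNAT" {
        for (i = 10; i <= NF; i++)
            if ($i == p) print ($1 > 0 ? "hit" : "never")
    }'
}

# Constructed sample of that counter listing (not real measurements).
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:54991 to:10.0.0.12:3389
     512      30720 DNAT       tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.0.0.20:80'

case "${1:-}" in
    forward) shift; vpn_forward "$@" ;;
    local)   shift; vpn_local "$@" ;;
    check)   printf '%s\n' "$SAMPLE_COUNTERS" | dnat_hits "$2" ;;
esac
```

`./vpn-forward.sh forward wg0 54991 10.0.0.12 3389` prints the rule set for the Proxmox-host-as-peer layout and `./vpn-forward.sh local tun0 60831 22` the one for the OpenVPN server; add `APPLY=1` to install them. After a connection attempt, compare `iptables -t nat -L PREROUTING -v -n -x` with the sample: a DNAT rule whose counter never moves is on an interface the tunnel traffic does not cross. With ufw enabled, allow the port with `ufw allow in on tun0 to any port 22 proto tcp` and put the nat and mangle lines in /etc/ufw/before.rules, otherwise ufw's own chains handle the packets first.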
