Struggling to expose Proxmox VMs publicly via WireGuard + VPS routed IPs (routing loop & connectivity issues)

Binayak01

New Member
Feb 4, 2026
Hello Proxmox community,

I’m facing a complex networking issue and would appreciate guidance from anyone experienced with routed public IPs + VPN + Proxmox.

Current Setup


I have:

  • Local server: Dell PowerEdge running Proxmox (behind NAT / LAN)
  • Remote VPS (Cloudzy):
    • Main public IP: 144.172.116.81
    • Extra routed public IPs:
      • 144.172.107.119
      • 144.172.115.159

WireGuard tunnel between:

  • Cloudzy VPS WG IP: 10.50.0.1
  • Proxmox WG IP: 10.50.0.2

Proxmox bridges:

  • vmbr0 → main LAN
  • vmbr1 → internal VM network (10.10.10.0/24)

Goal:
Expose Proxmox VMs directly to the internet using the extra Cloudzy public IPs and allow SSH/access via those IPs (basically: VPS routes public IP → WireGuard → Proxmox → VM).


What I Tried

  1. WireGuard tunnel works (Proxmox ↔ VPS reachable).
  2. Added routed IPs on Cloudzy pointing to WireGuard.
  3. Enabled IP forwarding on both sides.
  4. Added routes like:

On VPS:

ip route add 144.172.107.119 via 10.50.0.2
ip route add 144.172.115.159 via 10.50.0.2

On Proxmox:
net.ipv4.ip_forward=1

  5. Assigned private IPs to VMs (10.10.10.x) and attempted DNAT / 1:1 NAT.
  6. Also attempted bridging public IP directly to VM.

Problems

  • Routing loops appear.
  • Sometimes Proxmox loses access over VPN.
  • VM can’t reach internet properly.
  • Public IP does not respond when assigned to VM.
  • After manipulating routes (especially 10.50.0.0/24), Proxmox VPN access drops.
  • Traffic seems to bounce between WG and vmbr bridges.

I’m clearly missing something fundamental in the routing design.

What I’m Trying to Achieve


I want something similar to Hetzner/OVH routed IP behavior:

  • Cloud VPS acts as gateway
  • Extra public IPs forwarded to Proxmox
  • Each VM gets its own public IP
  • No port forwarding — real public IP per VM
  • SSH directly to VM via public IP

Questions

  1. Should I be using 1:1 NAT or true routed IPs + bridge?
  2. Is Linux policy routing required here?
  3. Should VMs use Cloudzy gateway or Proxmox as gateway?
  4. What is the cleanest architecture for this setup?
  5. Has anyone successfully done:
    VPS → WireGuard → Proxmox → VM (public IP)?

Any example configs or diagrams would be hugely appreciated.


Thanks in advance — this has been looping me for days.


— Binayak
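
An added example, not part of the original post: a small route-lookup simulation of the forward path described above, showing how a packet for a routed public IP bounces between the VPS and Proxmox when Proxmox has no more specific route for it. Only the VPS /32 route comes from the post; the Proxmox tables, the default route into the tunnel, the host route used as the fix and the node names are assumptions.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_node) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst):
    """Walk dst through the per-host tables; return (path, verdict)."""
    path, node = [start], start
    while True:
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path, "unreachable"
        path.append(hop)
        if hop not in tables:        # endpoint with no table of its own (VM, internet)
            return path, "delivered"
        if hop in path[:-1]:         # a router already visited: forwarding loop
            return path, "loop"
        node = hop

PUBLIC_IP = "144.172.107.119"        # routed extra IP from the post

# Constructed tables. Only the VPS /32 route is from the post; the rest is assumed.
VPS = [
    ("144.172.107.119/32", "proxmox"),   # ip route add 144.172.107.119 via 10.50.0.2
    ("10.50.0.0/24", "proxmox"),         # WireGuard subnet
    ("0.0.0.0/0", "internet"),
]
PROXMOX_BROKEN = [
    ("10.10.10.0/24", "vm"),             # vmbr1 internal VM network
    ("10.50.0.0/24", "vps"),
    ("0.0.0.0/0", "vps"),                # assumed: default route back into the tunnel
]
# Assumed fix: a host route for the public IP pointing at the VM behind vmbr1.
PROXMOX_ROUTED = [("144.172.107.119/32", "vm")] + PROXMOX_BROKEN

def check(proxmox_table, dst=PUBLIC_IP):
    """Trace a packet arriving at the VPS for dst through both routing tables."""
    return trace({"vps": VPS, "proxmox": proxmox_table}, "vps", dst)

if __name__ == "__main__":
    print(check(PROXMOX_BROKEN))
    print(check(PROXMOX_ROUTED))
```

On the real hosts, `ip route get 144.172.107.119` run on the VPS and on Proxmox shows which entry each side actually selects.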
 
If I wanted to trick the VPS provider, I would check whether they use ARP. In that case I would use an L2 VPN (WireGuard is only L3): Cloudzy VPS eth0 -> bridge with VPN -> VPN L2 -> Proxmox -> bridge with VPS -> VPS
 
I could give you my setup this evening after work. I have a similar setup: server colocated in a public datacenter -> WireGuard CT -> one IP.