Netgate Discussion Forum
    Wireguard with client on a firewalled LAN?

    9 Posts 3 Posters 938 Views
Rich W.

      I have a LAN on an Internet service that provides me with a dynamic IP address. The service provider has a firewall which blocks ALL inbound traffic — i.e., I can initiate connections outbound from my LAN to the Internet, but any attempts to initiate a connection inbound to my LAN from the outside simply WILL NOT get through (even if my router's external IP address is known, so a dynamic DNS service won't help). Can I use Wireguard in such a situation? Or does Wireguard demand that each endpoint must be able to connect directly to the IP address of the other endpoint? If Wireguard is not usable in my environment, can anyone suggest an alternative that will work?

planedrop

        Just for clarity, are you planning to have a Wireguard "server" that you can connect to from the outside world? Like what is your end goal? To be able to VPN back in to your home network when you're on another network?

Rich W. @planedrop

          I want to be able to use Wireguard to connect into my home network from a cloud server sitting on the Internet at large. Can I do this by setting up a Wireguard connection from my home network to my cloud server? I can't initiate a connection from my cloud server to my home network, because my home network is firewalled by my service provider and won't allow any inbound connection attempts. But if I initiate a connection (via Wireguard) from my home network to my cloud server, can I use this outbound connection in some way to allow inbound connections from the cloud server to my home network?

planedrop @Rich W.

            @Rich-W I still can't believe some service providers don't allow connections inbound, blows my mind and in all honesty frustrates the crap out of me lol. Anyway rant over.

So yes, you should still be able to do this. Wireguard works fine behind NAT; you just need to be able to have a single static/public IP somewhere that can act as the "server" (in quotes since in WireGuard terms it's all called a peer).

You should be able to set up WireGuard on a cloud server and then initiate a connection from your local server/client behind the ISP, and that in theory should work just fine. Then it's just a matter of firewall rules etc. to allow connections back and forth.

            What is the goal of the servers here? Like are you hosting something that needs to be accessible from the outside world? If so another option might be using something like Cloudflare Tunnels to expose something on the public net.

Rich W. @planedrop

              I have a private, local e-mail server (I set this up before Gmail was a thing, and it would be too big of a hassle to migrate to Gmail at this point).

              Everything worked just fine when I had my home LAN connected to the Internet via a public, static IP address. My family recently moved to a small community which is exclusively serviced via a fibre network that provides me with only a dynamic IP address that cannot be connected to from the outside (sorry, @planedrop, that's just the way it is, grin and bear it).

              If I can't have my in-house mail server accessible from the Internet (via SMTP and IMAP), I'll need to set up mirror ports on a cloud server and tunnel these ports to the corresponding ports on my mail server. This, however, will require a way to tunnel into the mail server from the outside.

planedrop @Rich W.
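One concrete way to do what planedrop describes above (the home peer dials out to the VPS, and the VPS forwards the public SMTP/IMAP ports down the tunnel to the in-house mail server), written as an added example that is not from this thread or from Netgate. It is shown as two wg-quick configs; keys, addresses and the tunnel subnet are placeholders or assumptions, and the VPS WAN interface is assumed to be eth0 with iptables available.

```ini
# Added example, not from the thread. Every <...> value is a placeholder.
# Tunnel subnet 10.10.0.0/24 and WAN interface eth0 are assumptions.

# ---------- VPS side: /etc/wireguard/wg0.conf ----------
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Accept public SMTP/IMAP on the VPS and push it down the tunnel to the home
# server. Needs net.ipv4.ip_forward=1. The SNAT is required because the home
# peer only routes 10.10.0.1/32 into the tunnel (see its AllowedIPs below);
# the cost is that the mail server sees every client as 10.10.0.1.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,143,993 -j DNAT --to-destination 10.10.0.2
PostUp = iptables -t nat -A POSTROUTING -o %i -p tcp -m multiport --dports 25,143,993 -j SNAT --to-source 10.10.0.1
PostUp = iptables -A FORWARD -i eth0 -o %i -p tcp -m multiport --dports 25,143,993 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 25,143,993 -j DNAT --to-destination 10.10.0.2
PostDown = iptables -t nat -D POSTROUTING -o %i -p tcp -m multiport --dports 25,143,993 -j SNAT --to-source 10.10.0.1
PostDown = iptables -D FORWARD -i eth0 -o %i -p tcp -m multiport --dports 25,143,993 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# The home side. No Endpoint: it cannot be reached from here, so the VPS
# learns its address from whatever handshake it sends. Only 10.10.0.2 is
# accepted from this key, so nothing else on the home LAN becomes routable.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32

# ---------- Home side (the mail server itself, or the pfSense box in front of it) ----------
[Interface]
Address = 10.10.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort needed: this side only ever dials out through the ISP firewall.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP_OR_DNS_NAME>:51820
AllowedIPs = 10.10.0.1/32
# Sends a keepalive every 25 s so the outbound UDP mapping in the ISP's
# firewall/NAT never expires; without it the VPS has no path back in.
PersistentKeepalive = 25
```

If the home peer is pfSense rather than the mail server, the same fields go in VPN > WireGuard and a port forward from the wg interface to the mail server's LAN address replaces the direct delivery; if real client IPs matter for spam filtering, drop the SNAT and instead give the home peer AllowedIPs = 0.0.0.0/0 with policy routing so replies return via the tunnel.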

                @Rich-W Ahhhh gotcha, this makes a ton of sense.

                In theory it should all be doable but I'd have to think a bit more about the best way to do it.

                I'd probably first ask though, any chance this email server could be migrated to a cloud provider (not like GMail but as in the machine/VM running it could maybe be run with a public IP on a cloud VM?). Just a thought, may not be the best solution though.

Rich W. @planedrop

                  I've considered migrating my in-house server to the cloud. I've got way, way too much e-mail on my in-house server, though, for an off-site migration to be easy (or to cost less than an arm and a leg). Even if I were to migrate only the "recent" e-mail to the cloud, and keep my long-term archives local, it would still involve gigabytes.

lcbbcl @Rich W.

@Rich-W Use this and your problem is solved. You will use your VPS as a frontend to connect to your server at home. It is very powerful; read all the docs.

Rich W. @lcbbcl

                      I was able to get my ISP to give me a publicly accessible IP address for my WAN. This has solved my problem. Thanks for all the suggestions.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.