Tuesday, July 15, 2025
support@conference.yunohost.org
[00:34:28] <tcfx> Hey there. I have bought a VPS, and setup a Wireguard connection between my Yunohost home server and the VPS, to bypass port forwarding limitations. I have also setup Nginx on the VPS for it to forward traffic to the home server. This is the current `nginx.conf` of the VPS:

```
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    # Plain HTTP: terminate on the VPS and reverse-proxy over the WireGuard tunnel
    server {
        listen 80;
        server_name [my site];

        location / {
            proxy_pass http://10.0.0.2:80;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
}

stream {
    # HTTPS: forwarded at TCP level, TLS is terminated on the home server
    server {
        listen 443;
        proxy_pass 10.0.0.2:443;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }

    # SMTP
    server {
        listen 25;
        proxy_pass 10.0.0.2:25;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }

    # Submission
    server {
        listen 587;
        proxy_pass 10.0.0.2:587;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }

    # IMAPS
    server {
        listen 993;
        proxy_pass 10.0.0.2:993;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
}
```

Now I have a few issues on the side of the home server.

I think most are just errors from Diagnosis that can be ignored, like "Domain [domain] appears unreachable through HTTP from outside the local network.", which I assume comes from the home server not knowing about the VPS.

***HOWEVER***, I believe the configuration is not complete yet. First, I should forward 25 and 587 *to* the VPS and not from, right? Second, and most importantly: I am now unable to access some of the internet from the home server. If I try to install an application through the admin panel, it will not fetch the information of the application. If I try to ping some site from the home server via SSH, it also doesn't work. What other port connections should I be taking into account?
[12:11:10] <tcfx> 12b: You did something similar, right?
[12:15:48] <12b> I'm not using nginx on the VPS side. I'm just using iptables rules
[12:20:09] <12b> Are you using the yunohost app wireguard client on yunohost side?
[12:24:07] <12b> What I have done is inspired by this forum thread : https://forum.yunohost.org/t/homemade-wireguard-vpn-on-a-vps-server/15662
But I had to do some things differently to make things work for my use case. I need to document my setup but I have not taken the time to do it yet.
[12:54:43] <12b> tcfx: how did you setup wireguard on the VPS side? Have you added any iptables rules for SNAT / MASQUERADE ?
[12:58:32] <tcfx> > Are you using the yunohost app wireguard client on yunohost side?

Hmm nope, I did it all on the terminal
[12:59:11] <tcfx> > tcfx: how did you setup wireguard on the VPS side? Have you added any iptables rules for SNAT / MASQUERADE ?

Nope, only plain wireguard connection and tried to get nginx to handle the rest
[13:01:49] <tcfx> I'll try reading the forum stuff later then
[13:13:21] <12b> If I remember correctly, what I have done differently is mainly for IPv6. On the forum they are doing NAT for IPv4 and IPv6. On my setup the VPS is giving a public IPv6 address to the yunohost server, so no need for NAT with IPv6.
Also, for IPv4 I don't use the SNAT rules. I found them redundant with the MASQUERADE rule. However my MASQUERADE rule is slightly different than what they use on the forum.
[13:24:02] <12b> tcfx: In the setup described on the forum, the DNAT rules are doing the equivalent of what you are doing with your Nginx stream config. And the SNAT / MASQUERADE part is probably what you are missing. But you should use the DNAT rules instead of Nginx, it will give better performance. For wireguard on yunohost side, I think using the ynh wireguard client app is only more convenient to set up. It should work the same when configuring wireguard from the terminal.
[15:03:34] <tituspijean[m]> @tcfx:matrix.org sorry, late to the party with another approach: what's your YunoHost version? We have an experimental feature called "SNI/TLS passthrough" that would simplify your whole setup. (I cannot remember if it covers other ports than SSL though)
[15:21:56] <tcfx> The latest stable, 12.0.17. What's that and where can I find it?
[15:25:43] <tcfx> Ok, found it
[15:25:46] <tcfx> https://aria.im/_bifrost/v1/media/download/AUYBsS5pEwa__4Eyl2ygwx_uYpDcedgQTP9Xa8Na-IFEW1WzOIqluZMZX7f3FZAqWrVUuqUziB19mLMcODlMsA5CeYE9d85AAG1hdHJpeC5vcmcvV3huSUpKZUhpTFRCZkdqbHJleVFjRVFp
[15:29:18] <tcfx> Would that allow me to use all the stuff from my home server, including all apps and email, and without restricting the home server's non-forwarded access to the internet?
[15:51:07] <lautre> It's related, but not this case. I wrote something for when a Yunohost server is behind a proxy-SNI
https://pad.fdn.fr/Yunohost_proxy-sni
[16:02:14] <tituspijean[m]> After a quick glance at YunoHost's code, I do not think it handles the emails or apps that require opening specific ports.
[16:02:58] <tituspijean[m]> For outbound emails, I guess you can use the SMTP relay feature.
[19:01:40] <tcfx> Ok right now I'm trying the Wireguard approach from the forum post, and apparently some of the iptables commands are invalid
[19:02:07] <tcfx> This is my error message when I run `systemctl status wg-quick@wg0`:
[19:02:31] <tcfx> https://aria.im/_bifrost/v1/media/download/AUYmZr14hHOmEAaiIdJ0iVk2mpHv-eCC42RhAThAZFXNCsehNrsh9gg14xgwR5zJjFUErX_CDDerPKkrTuSE8uZCeYFJ3wjwAG1hdHJpeC5vcmcvSkJNdmZEZmdnSVNWVVRiUlhXcmZ6dnJ6
[19:10:40] <tcfx> I forgot to fill in a field, so nevermind this one. But still not working. Status still returns "active (exited)".
[20:19:59] <tcfx> The /etc/network/interfaces part of the forum post was what I couldn't replicate exactly since it's deprecated.
[20:21:50] <tcfx> 12b: You said you had a solution inspired by the forum post. I understand that you didn't document it yet, but are you able to later send your wireguard config and scripts if you modified them? (after redacting the addresses and keys of course)