CHR at Hetzner, tunnel floating IP via Wireguard back home

Hi all,

like many others on the forum here, I’m trying to use wireguard to tunnel a floating IP from a CHR at Hetzner Online back home.
The way this is terminated at Hetzner is, the IP is just routed to the router in front of the CHR at Hetzner and expected to be resolvable via ARP.

To do this, I’ve configured proxy arp on the Hetzner CHR and configured the IP on the wireguard client at home.

In this example, I’ve replaced the floating IP with 1.1.1.1

I can ping just fine from the router at home using this IP to a destination I’ve got under control and can see that the packets there arrive just fine from the floating IP by specifying the interface and IP when doing ping:
ping mydestination.com src-address=1.1.1.1 interface=WG_chr0

However, I can’t NAT any of the ports to my home services, I can see it hitting the correct policies (the NAT policy) but neither do I see the packets arrive on the server nor does the connection work.
This is what I see in the log:
dstnat: in:WG_chr01 out:(unknown 0), connection-mark:WAN3 connection-state:new proto TCP (SYN), x.x.x.x:7838->1.1.1.1:443, len 60
With the same (copied) NAT rule, it works for both of my ISPs (ISP1 and ISP2).

Please don’t wonder why I do this when my ISPs are reachable externally: Right now, I still have DSL with a public IP (non-static though), however pretty soon I’ll have internet from the “Deutsche Glasfaser” and they do CGNAT without any chance to get a public IPv4.

Here are the configs:
CHR: https://pastebin.com/QSr5SDsN
Router at home: https://pastebin.com/PdUyRME4

Hope anyone can shed some light here, I’m already quite desperate. I thought about using IPIP or EoIP, but I’d need to encapsulate that into wireguard to bypass CGNAT also and I believe it would be better to just leave these layers out.

Edit: I should add, if I open the specific IP from internally (= behind the home router), it does NAT onto the webserver, so the NAT rule itself seems to be fine.

Thanks for reading!
Robin

You must set allowed address 0.0.0.0/0 in both WG endpoints. You have to rotate the address; if you use /32 that way, it’s normal for it to do so.

Example: in the CHR, set the WireGuard IP address like this:

/ip address add address=10.30.50.1 network=1.1.1.1 interface=wireguard

In your home router, set the IP like this:

/ip address add address=1.1.1.1 network=10.10.10.1 interface=wireguard
/routing table add name=to_CHR fib=yes
/routing rule add src-address=1.1.1.1 table=to_CHR
/ip route add gateway=%wireguard routing-table=to_CHR

Furthermore, in your home router you must create a routing table where traffic with source 1.1.1.1/32 exits with the %wireguard gateway.
To make sure it’s working properly, ping the public IP from an external network. If it is successful, the public IP is working perfectly.
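As an added example (not the original poster's or the replier's configuration), this is how the two ends fit together in RouterOS v7 syntax, extending the reply above with the proxy-arp, peer, dst-nat and filter pieces the thread discusses. Keys are placeholders; the interface names (ether1, wg-home, wg-chr), the tunnel address 10.30.50.1 and the web server 192.168.88.10 are assumed.

```routeros
# --- CHR at Hetzner (assumed names; replace the <...> placeholders) ---
# Hetzner routes the floating IP to the router in front of the CHR and resolves
# it via ARP, so the CHR must answer ARP for 1.1.1.1 on its uplink.
/interface ethernet set [ find default-name=ether1 ] arp=proxy-arp
/interface wireguard add name=wg-home listen-port=13231 private-key="<CHR_PRIVATE_KEY>"
# allowed-address=0.0.0.0/0: WireGuard only accepts/sends packets whose inner
# source/destination falls inside allowed-address, so a /32 here would silently
# drop traffic to or from the floating IP.
/interface wireguard peers add interface=wg-home public-key="<HOME_PUBLIC_KEY>" \
    allowed-address=0.0.0.0/0
# A /32 address whose network= is the far end installs a connected /32 route to
# 1.1.1.1 via wg-home, which is what makes the CHR forward the floating IP into
# the tunnel (this is what the address/network pair in the reply does).
/ip address add address=10.30.50.1 network=1.1.1.1 interface=wg-home
# Minimal input filter for the CHR: established traffic, the WireGuard port, nothing else.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept
/ip firewall filter add chain=input action=drop

# --- Router at home (behind CGNAT, so it initiates and keeps the tunnel alive) ---
/interface wireguard add name=wg-chr private-key="<HOME_PRIVATE_KEY>"
/interface wireguard peers add interface=wg-chr public-key="<CHR_PUBLIC_KEY>" \
    endpoint-address=<CHR_PUBLIC_IP> endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
# The floating IP lives on the tunnel interface; network= is the CHR tunnel address.
/ip address add address=1.1.1.1 network=10.30.50.1 interface=wg-chr
# Source-based routing: replies leaving with source 1.1.1.1 must return through the
# tunnel instead of the ISP default route. Without this the SYN is dst-nat'ed and
# logged (as in the thread), but the SYN-ACK leaves via the wrong WAN and is lost.
/routing table add name=to_CHR fib
/routing rule add src-address=1.1.1.1/32 action=lookup-only-in-table table=to_CHR
/ip route add dst-address=0.0.0.0/0 gateway=wg-chr routing-table=to_CHR
# Publish only the one service port on the floating IP.
/ip firewall nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443
# Forward chain: allow exactly the published service from the tunnel, drop other new flows.
/ip firewall filter add chain=forward in-interface=wg-chr connection-state=new \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 action=accept
/ip firewall filter add chain=forward in-interface=wg-chr connection-state=new action=drop
```

Verify from outside the home network with something like `curl -v https://1.1.1.1/` (floating IP substituted) and watch `/ip firewall connection print where dst-address~"1.1.1.1"` on the home router; a connection stuck in SYN state with the dst-nat applied points at the return route, not at the NAT rule.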

Thanks for the reply - before I test this, I’m trying to understand it.
What exactly is the address 10.30.50.1 and the network address 10.10.10.1 in this case?

Edit 1: Just tested, still the same behavior. Traffic makes it to the home router, I can see it hitting the NAT rule but it doesn’t make it through.

Edit 2: Got it, I’ll post the fixed config tomorrow, after sanitizing it. Thanks a lot!

Yes, if you post both configurations it’s better. Maybe remove everything that doesn’t interest you. Leave only internet access and the WireGuard tunnel, and possibly the LAN on which you want to open the door.