Please help me configure the setup.
The goal is to implement port forwarding through a WireGuard tunnel.
There is a home network with a computer assigned the IP address 192.168.100.31. This computer must be accessible from the outside via RDP (port 3389). The home network accesses the internet via a local IP address.
To solve this task, a VPS running RouterOS was rented. The WireGuard tunnel is functioning properly. Port forwarding to the computer in the home network is done in two steps:
1. From the eth1 interface of the Router_VPS to the WG_Home interface of the Router_Home.
2. From the WG_Home interface of the Router_Home to the computer Comp.
To make sure the replies from Comp go back through the WireGuard tunnel, an SNAT rule was created (to route replies via the WG interface).
However, the setup is not working. I suspect that the reply traffic is not going through the tunnel, and Router_Home is trying to send it out via the default gateway.
Attachments: config_backup_vps.rsc (1.45 KB), config_backup_home.rsc (2.35 KB)
FIX the wireguard peers TO:
/interface wireguard peers
add allowed-address=192.168.254.2,192.168.100.0/24 interface=WG_VPS name=peer_WG_VPS public-key="----"
Remove the funky nat rule:
/ip firewall nat
add action=dst-nat chain=dstnat comment="RDP-Forwarding to local Router through WireGuard" dst-address=123.123.123.123 dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.254.2
and replace with:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=WG_VPS
The idea being that you want all traffic hitting the home router to appear as coming from the wireguard IP of the VPS; it makes life at the home router easier.
What is MISSING is your port forwarding rule here…
SO:
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-port=3389 protocol=tcp to-addresses=192.168.100.31
Now, it would be safer if you didn't use a well-hacked port as the incoming one; you could use 12009 for example and then have something like:
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-port=12009 protocol=tcp to-addresses=192.168.100.31 to-ports=3389
Even better if you can limit the sources coming in, e.g. with a src-address-list.
Much safer is to give users wireguard access (via the VPS) and then, through firewall rules, access ONLY to the server. (WHAT I WOULD DO!)
To ensure the incoming wireguard traffic reaches the server you simply need a firewall rule.
However, you have no firewall rules on either device, which means all traffic is allowed, which is not a very safe setup.
As those being port forwarded would be able to reach and hack your router, including anybody scanning the VPS for one of the most hacked ports, 3389.
In other words this is not a good plan.
Furthermore, your requirements don't mention the LAN members using the VPS for their internet connection, so it needs to be stated clearly.
Thus rethink access to your router, it can be done through wireguard safely, and also you need firewall rules.
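Putting the advice above together, here is an added example configuration (my own, not from either poster's backup files) for both routers: peer allowed-address covering the home LAN, masquerade on both VPS interfaces, a dst-nat on a non-standard port restricted by an address list, and filter rules so that the forwarded port is the only thing reachable through the tunnel. Assumed values not on the page: VPS WireGuard address 192.168.254.1, WireGuard listen port 13231, and the admin source range 203.0.113.0/24 (placeholder).

```routeros
# ===== Router_VPS =====
# Peer must list the home LAN, or replies to 192.168.100.0/24 are dropped by WireGuard.
/interface wireguard peers
add interface=WG_VPS name=peer_WG_VPS allowed-address=192.168.254.2,192.168.100.0/24 \
    public-key="<home-router-public-key>"

# Only these sources may reach the forwarded port (203.0.113.0/24 is a placeholder).
/ip firewall address-list
add list=rdp_admins address=203.0.113.0/24 comment="admin workstations"

# Masquerade on both egress interfaces: traffic into the tunnel then carries the
# VPS WireGuard address (assumed 192.168.254.1), so the home router replies via WG_Home.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=WG_VPS
# Non-standard external port 12009 mapped to RDP on the home PC, gated by the address list.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=12009 \
    src-address-list=rdp_admins to-addresses=192.168.100.31 to-ports=3389

/ip firewall filter
# Router management plane: allow replies and the WireGuard handshake (assumed port 13231), drop the rest from the internet.
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=udp dst-port=13231 in-interface=ether1 comment="WireGuard"
add chain=input action=drop in-interface=ether1
# Forward only the dst-nat'ed RDP flow into the tunnel; everything else from ether1 is dropped.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 out-interface=WG_VPS \
    src-address-list=rdp_admins protocol=tcp dst-address=192.168.100.31 dst-port=3389
add chain=forward action=drop in-interface=ether1

# ===== Router_Home =====
# Peer allowed-address must include the VPS tunnel address (assumed 192.168.254.1).
/interface wireguard peers
add interface=WG_Home name=peer_WG_Home allowed-address=192.168.254.1/32 \
    endpoint-address=123.123.123.123 endpoint-port=13231 public-key="<vps-public-key>"

/ip firewall filter
# Tunnel traffic may reach only the RDP port on 192.168.100.31; no SNAT is needed because
# the source is the VPS tunnel address, which is directly connected via WG_Home.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=WG_Home protocol=tcp dst-address=192.168.100.31 dst-port=3389
add chain=forward action=drop in-interface=WG_Home
# Nothing coming through the tunnel may manage the home router itself.
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=WG_Home
```

With these rules a scan of the VPS sees no open 3389, and even an address on the admin list can reach only tcp/3389 on the one host, not either router's management services.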