save information on how to host for free (without port forwarding)

[srele96]

What

save information on how to enable access to a service from many devices (ideally for free)

cloudflare tunnels

• https://community.cloudflare.com/t/cloudflare-tunnel-connections-limit/511249
• https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/
• https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/

nordvpn meshnet (like local area network)

• https://nordvpn.com/meshnet/

tunnel info

• https://www.reddit.com/r/selfhosted/comments/11t7gxd/self_hosting_game_servers_without_port_forwarding/

how do cloud servers handle power outage

• https://www.quora.com/What-if-a-cloud-server-was-cut-off-from-the-power-supply-Have-cloud-servers-ever-lost-power

wireguard allows connections between two devices

• https://www.wireguard.com/quickstart/

Why

i need a way to keep up with all the information i gather and it's the best if i write down everything i find (and need)

[srele96]

using wireguard to achieve something interesting (from https://www.reddit.com/r/selfhosted/comments/11t7gxd/self_hosting_game_servers_without_port_forwarding/ if it gets deleted):

I can help you, I created a linode nanode that does the same thing. Just late rn so I will make a writeup on the iptables needed to get it working. I created some scripts to automate it a tad but not to the extent I would like. Essentially you create vm in the cloud running wireguard then connect your containers or servers to the vm. From there it's all packet forwarding using iptables essentially turning the cloud vm into a nat router for your servers. (This will not require port-forwarding so you can technically run your servers anywhere there is internet)

Ping can be a problem however with wireguard I only notices a 1-4ms increase in ping however my experience is with fiber internet.

For the server that will be essentially be a proxy:

Wireguard wg0 config I use for the server.

[Interface]
PrivateKey = {Generated Server Private Key}
Address = 10.2.2.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
ListenPort = 51820

[Peer]
PublicKey = {Client Public Key}
AllowedIPs = 10.2.2.10/32

to quickly add peers to your config you can use the command wg set wg0 peer {Client Public Key} allowed-ips 10.2.2.10/32 just remember to change the peer ip to what you want in your configuration. make sure to change eth0 to your interface name.
Client wireguard config.

[Interface]
PrivateKey =  {Generated Client Private Key}
ListenPort = 51820
Address = 10.0.2.35/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0

[Peer]
PublicKey =  {Server Public Key}
AllowedIPs = 10.2.2.0/24
Endpoint = 95.95.95.95:51820 #Change this to your vps public ip.
PersistentKeepalive = 30

To generate a key simply use the command wg genkey > privatekey
Routing Wireguard Traffic to the VPS
One time setup for the vps

• sysctl -w net.ipv4.ip_forward=1 This enables packet forwarding.

• sysctl -p save changes.

• sysctl --system apply changes.

• iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT takes all packets from interface wg0 and forwards them to interface eth0, make sure to change eth0 to the actual public facing interface on your vps.

• iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT takes all packets from interface eth0 and forwards them to interface wg0 once again make sure to adjust the name of your interface to the name of the interface on your vps.

• iptables -P FORWARD DROP This makes sure that all ports are closed until specified open by the router if you have ufw or firewalld then this command is useless.

Make sure that each time the server reboots the above iptable commands are saved or reapplied. If you use the 6th command make sure to open ssh port so you dont lock yourself out.
This next part is for each server you want to face publicly
Routing ports to hosts

`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport [Port to open] -j DNAT --to-destination [Host]`

`iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport [Port to open] -d [Host] -j SNAT --to-source [VPS]`

`iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport [Port to open] -m conntrack --ctstate NEW -j ACCEPT`

When doing this make sure to again change the eth0 interface to the interface which your vps uses to face publicly. What this does is it acts like a router using NAT to forward packets to the internet from the server. Replace the [Host] with the ip you assigned to your server you want to forward. As promised I will also add my script as an example on how I forward all my websites and servers to my Wireguard server

#!/bin/sh
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#iptables -P FORWARD DROP

#Routing the servers
echo "Routing Servers Now"

echo "Routing Games"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.40
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 25565 -d 10.0.0.2 -j SNAT --to-source 10.0.0.40
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 25565 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27051 -j DNAT --to-destination 10.0.0.11
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 27051 -d 10.0.0.11 -j SNAT --to-source 10.0.0.1
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 27051 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 27053:27054 -j DNAT --to-destination 10.0.0.11
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 27053:27054 -d 10.0.0.11 -j SNAT --to-source 10.0.0.1
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 27053:27054 -m conntrack --ctstate NEW -j ACCEPT

#Websites
echo "Routing Websites"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.13
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.13
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT

For my servers I used the subnet of 10.0.0.0/24 with multiple servers yours may vary. When doing this make sure to port forward every port you want to use for your servers and the wireguard port. This is my quick and dirty setup with a terrible explanation however if you have any questions feel free to ask. This will require you to install wireguard for either the clients or I did it with an opnsense vm that was a router behind a router and just routed all traffic to the vps.