I wanted to do this for soooo long without any luck, and while the video is mostly a step-by-step guide, you took the time to explain in detail what each thing does/means in the written version. I could not love this channel and this video more! Half of my homelab setup is because of you and your lessons 💜
@LAWRENCESYSTEMS · 1 day ago
Thanks, glad to hear I could help! 💜
@davidjkemper · 2 days ago
I want to take a moment to commend you for how you structured this video. You give a short introduction so I know exactly what you'll cover, then you do a SHORT ad read that is CLEARLY called out with text AND a timer so I know its scope. I actually listened to it, almost out of respect.
@LAWRENCESYSTEMS · 2 days ago
Thanks!
@bosch5303 · 3 days ago
I've been researching this exact issue the whole day yesterday. Thank you!
@LAWRENCESYSTEMS · 2 days ago
Glad I could help!
@mithubopensourcelab482 · 3 days ago
Great. This is a much better solution than anything else. You have absolute control, including firewall rules. What more is required? Thanks Lawrence for this. The only caveat is that one should harden the VPS properly before doing this.
@User5cod · 12 hours ago
@Lawrence Systems, as always, thank you very much for the video. I have replicated the setup and it works great. However, as I am running CrowdSec and other services behind pfSense which need the source IP of the incoming request, I was wondering if there is a possibility of retaining the source IP address through the tunnel and port forwarding of pfSense? Thank you for any ideas!
@Mikesco3 · 3 days ago
I'm so glad to be subscribed to this channel
@LAWRENCESYSTEMS · 2 days ago
Welcome!
@zuk4tausend · 2 days ago
This video explains exactly what I am trying to achieve!
@sezam84 · 1 day ago
Great video. I was planning to do such a guide for many years but ... Lawrence is way better at presenting that :)
@mistakek · 2 days ago
Great tutorial. Would have loved it if you had made it years ago though 😂 I tried doing this a few years ago, but couldn't get the iptables rules (or masquerade rules, I can't remember now) set up properly. I got close, but got frustrated and gave up. I ended up installing pfSense on a Linode and configured a site-to-site tunnel, as I knew how to do that (in part thanks to your videos), and it's been working perfectly for the last 4 years. pfSense works perfectly fine on the $5 Linode plan. I kinda like a full-blown pfSense on the other end anyways. I needed this so my hosted services would run on my backup 4G connection if my main connection went down; again thanks to your videos I was able to configure failover.
@makkam7575 · 11 hours ago
Nice, it's like a self-hosted Cloudflare Tunnel kind of architecture, but more flexible
@diabilliq · 3 days ago
The iptables statements here are the real special sauce. Interesting that you use the VPS essentially as a proxy, which does get the job done. I'd be curious to test this with some masquerade rules as well.
@turcoscorner · 1 day ago
Thank you for another great article, Tom! How can the iptables rules be modified so that we can forward port 19999 to the pfSense router on port 8443? Thanks and Happy New Year!
@Darkk6969 · 2 days ago
Thanks for the video Tom! This actually gives me an idea of how I can host my mail server at home and use a VPS to route the e-mails, since my Comcast public IP does not allow it and port 25 is blocked.
@tomaskner9537 · 3 days ago
Hi, I tried Tailscale on my TrueNAS server yesterday; well, it works, BUT I can't build a direct connection.. So I am stuck on 30/10 speeds at ping 60.. with a DERP relay. A public IP costs 2.90 USD (converted) at my provider so I will probably go that route.
@SpookyLurker · 3 days ago
Write-up appears incomplete when viewing.. "For this setup extra static routes are not needed and because all the traffic is ec"
@LAWRENCESYSTEMS · 2 days ago
I missed part of the copy / paste. I fixed it, thanks!
@rikachiu · 3 days ago
I feel lucky that I can still have a static public IP address that I pay pennies for -_- though I wonder how long that will last.
@Hornet1806 · 1 day ago
From your ISP?
@rikachiu · 1 day ago
@@Hornet1806 yeah
@eliahr11 · 1 day ago
I feel the same, although mine is dynamic (so no extra cost of service) but a public IP nonetheless. Even though I wanna get out of Latin America, I feel great for having a dedicated public IPv4 (plus a /48 IPv6) and not being CG-NATed
@jakobholzner · 3 days ago
Why is the MTU size 1420 and not 1500? 8:57
@chxoEF · 2 days ago
The reason basically is that you need to account for the actual WireGuard overhead, which is about 80 for a combination of IPv4 and IPv6 packets, which results in an MTU of 1420. To get to know more about that you should have a look at the pfSense or WireGuard wiki.
@SeijinSA · 2 days ago
Assuming safety when being on a CGNAT network if they are modifying frame size. Setting it a bit lower just makes things get through with less headache.
@CH-vo7fu · 2 days ago
The default MTU for your LAN/ISP is 1500; your VPN connection is layered within that 1500 MTU, so it must use an MTU lower than that, i.e. an MTU plus enough space for packet overhead that is still below 1500. From my experience 1412 is the best and always works. 1420 should work 90% of the time.
@jamerfunk · 2 days ago
@@SeijinSA You can go into the MTU & fine-tune so there is zero packet loss. Lion Spergrave (or something) did a good video explaining how to. It seems to me fine-tuning is a better philosophy than lowering the bar. Maybe I don't comprehend carrier-grade network address translators in relation to this point, but they are concerned with address allocation limitations with IPv4, not tuning the signal.
@SeijinSA · 2 days ago
@@jamerfunk Not disagreeing - but I have seen many CGNAT providers on all sorts of mediums that have either VLAN'ed/GRE/VPN or stacked all kinds of encapsulation on their networks at times. It all depends on what you are having to deal with. 1420/1412 is usually very reliable when things get odd.
@MM-vl8ic · 2 days ago
Could you suggest/spec how "big" (cores/mem/speed/data) the VPS should be? Somewhere while researching trying to do this, I probably confused myself, but I saw something that made me "think" that once connected, Tailscale found the shortest/most direct path between devices. If this is correct, does this mean that minimal traffic passes through the VPS?
@justtesting555 · 1 day ago
I have an ASUS AX6000 as my router. Can I use it in place of pfSense? If not, can I run pfSense with one connection to my LAN only and do this?
@msolace580 · 2 days ago
Is this a full data tunnel or just a reroute? Curious about the amount of transfer data I would need to, say, stream video non-stop. The term is escaping me right now \o/
@LAWRENCESYSTEMS · 2 days ago
All the traffic is passing from the system running with the public IP, then over the WireGuard tunnel to the pfSense. This is not UDP hole punching.
@mjjg1186 · 2 days ago
Is it also possible to configure this for a static IPv6? I have IPv6 from the provider but only dynamic, and this is not suitable for a mail server.
@Parmoteera · 23 hours ago
Can you show us this with wireguard-go instead, please?
@LAWRENCESYSTEMS · 21 hours ago
Why?
@FrankyDigital2000 · 3 days ago
Have been running a similar setup for almost a year now, works great
@bosch5303 · 3 days ago
Same here for more than 2 years. Best way to not use a CF tunnel.
@mtnsolutions · 2 days ago
I'm a Tailscale guy. Very nice demo
@invalidchicken420 · 3 days ago
Great video! It would be nice to see you do a similar video showing how you can pass the real client IP over the VPN. Backend services only seeing the WireGuard IP could be problematic for a multitude of reasons including but not limited to general logging/reporting, implementing fail2ban, etc. One way I think this would be possible is to have HAProxy in TCP mode on the VPS using HAProxy on pfSense as a backend over the tunnel. The real client IP could be sent to HAProxy on pfSense via proxy protocol. All cert management could be handled by pfSense, and dynamic DNS updates should theoretically work from pfSense over the tunnel as well.
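Added configuration example (not the video's, the channel's, or the pfSense project's own config) of the HAProxy idea in the comment above, which also answers the earlier question in the thread about retaining the source IP through the tunnel: the VPS relays raw TCP over the WireGuard tunnel and prepends a PROXY protocol v2 header, and the pfSense side accepts that header, so the backend and tools such as CrowdSec or fail2ban log the real client address instead of the tunnel peer. The tunnel addresses 10.200.0.1 (VPS) and 10.200.0.2 (pfSense), the backend 192.168.1.10:8080 and the certificate path are constructed placeholders; on pfSense the same settings are entered through the HAProxy package GUI rather than a hand-written file.

```haproxy
# --- VPS side (public IP), /etc/haproxy/haproxy.cfg ---
# Added example; all addresses below are constructed placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s

# Plain TCP pass-through: TLS is terminated on pfSense, so the VPS never
# holds the certificate or sees the decrypted traffic.
frontend https_in
    bind 0.0.0.0:443
    default_backend pfsense_over_wg

backend pfsense_over_wg
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the
    # original client IP and port; without it pfSense would only ever
    # see 10.200.0.1 as the source of every connection.
    server pfsense 10.200.0.2:443 send-proxy-v2 check

# --- pfSense side (HAProxy package; shown as the equivalent haproxy.cfg) ---
frontend https_from_vps
    # accept-proxy makes this listener require and trust a PROXY header.
    # Bind it to the tunnel address only: any host that could reach this
    # socket directly could otherwise present a forged client address.
    bind 10.200.0.2:443 accept-proxy ssl crt /path/to/placeholder-cert.pem
    mode http
    # src now yields the address carried in the PROXY header, so the
    # HTTP backend gets the real client IP in the usual header.
    http-request set-header X-Forwarded-For %[src]
    default_backend web_backend

backend web_backend
    mode http
    server web1 192.168.1.10:8080 check
```

Two checks worth doing before trusting the logs: on pfSense, restrict the WireGuard-interface firewall rule to the VPS tunnel peer (source 10.200.0.1) to port 443 on 10.200.0.2 so the accept-proxy listener is reachable from nowhere else, and confirm with a test request from outside that the backend's access log shows the public client address rather than 10.200.0.1.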
@kevinhughes9801 · 3 days ago
Useful stuff, would this work in info too?
@f-s-r · 20 hours ago
Hahaha!! That's "The IT Crowd" internet representation 🤣
@mujahidjaleel · 3 days ago
I did the same setup, but I used pfSense as a VPS on the public side
@InnerPeaceMaker101 · 2 days ago
I'm baffled at how to generate these private keys and public keys (which seem to be pre-generated) when you add a pool/tunnel? I'm a total noob at this but I am very interested in learning the craft as fast as possible. MAYBE NOT WITH THE BEST OF GRAMMAR OR SPELLING, but please forgive that... Dave. Thanks for the video, and I will be doing this on the least loved platform for anything really, WINDOWS 10..... '(
@Royaleah · 3 days ago
I forgot Linode existed.
@LAWRENCESYSTEMS · 2 days ago
Well, technically they are Akamai now, but I still call them Linode.
@Dataanti · 3 days ago
Exactly what I was looking for to host on a Starlink :)
@RK-ly5qj · 2 days ago
I must admit that the GUI in pfSense isn't as logical as I thought, it's a headache at the beginning. iptables omg :p
@jamess1787 · 1 day ago
This seems like a bad idea; you already have a public-facing asset, just use it. Piping a server over a WireGuard connection over a satellite or cellular connection seems like a really bad idea.
@TonnyCassidy · 3 days ago
Didn't know that was possible with pfSense; my current setup is probably way behind: CHR on cloud, WireGuard here and there, port forward on the CHR. I have nodes in 5 different countries for different manual routing instead of auto route (lowers latency by quite a bit)
@TechySpeaking · 3 days ago
first
@LackofFaithify · 3 days ago
Nice.
@DanielHalus · 3 days ago
Hi, you complicated things. :) You can use an easy script to install a WireGuard server on the VPS, and on the client install WireGuard. Create a client with the automatic script and it will work, been doing this for years... :)
@FrankyDigital2000 · 3 days ago
So if you want to reach 10 different Linux VMs you don't let pfSense handle the routing but instead have 10 separate WireGuard peers?
@DanielHalus · 3 days ago
@@FrankyDigital2000 Yes, and I make a different port for every client :). I have 2 "mini servers" at home which have a 5G SIM, and another mini server in my car... :D to get some OBD data and other stuff
@Ginita12 · 3 days ago
Thanks. Great video.
@keonix506 · 3 days ago
This is needlessly complicated. Fast Reverse Proxy does the same thing but better in every way. Your future self will also be thankful for a simple declarative config and hot reload of changes directly from the local web UI. Perhaps I'm missing something, but I don't see any reason to use WireGuard for bypassing CGNAT - it is just a headache compared to other solutions
@LAWRENCESYSTEMS · 2 days ago
Then this is clearly not the solution for you.
@Felix-ve9hs · 2 days ago
I don't understand how FRP is supposed to be easier; just looking at their GitHub page, this looks a lot more complicated than the solution in this video.
@keonix506 · 2 days ago
@@LAWRENCESYSTEMS Fair enough, was just wondering why everyone suggests WireGuard+iptables for CGNAT bypass. Seems overkill for such a task. I've also set it up this way (due to similar recommendations) my first time and it worked fine, but it took some time to get it right. After finding better (for me) solutions, I'm questioning whether I'm missing something obvious, or people are just not familiar with other approaches.