Beginner Basics • Re: Port Forwarding via WireGuard Tunnel

ON VPS

FIX the wireguard peers TO:
/interface wireguard peers
add allowed-address=192.168.254.2,192.168.100.0/24 interface=WG_VPS \
name=peer_WG_VPS public-key="----"


Remove the funky nat rule.
/ip firewall nat
add action=dst-nat chain=dstnat comment=\
"RDP-Forwarding to local Router through WireGuard" dst-address=\
123.123.123.123 dst-port=3389 in-interface=ether1 protocol=tcp \
to-addresses=192.168.254.2

and replace with
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=WG_VPS


The idea being that you want all traffic hitting the home router to appear as coming from the WireGuard IP of the VPS; that makes life at the home router easier.
What is MISSING is your port forwarding rule here...
SO
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-port=3389 \
protocol=tcp to-addresses=192.168.100.31


Now, it would be safer if you didn't use a well-hacked port as the incoming one; you could use 12009 for example and then have something like
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-port=12009 \
protocol=tcp to-addresses=192.168.100.31 to-ports=3389


Even better if you can limit the incoming sources, e.g. with a src-address-list.
Much safer is to give users WireGuard access (via the VPS) and then, through firewall rules, access ONLY to the server. (WHAT I WOULD DO!)

ON HOME ROUTER

Fix Peer Settings:
/interface wireguard peers
add allowed-address=192.168.254.0/24 endpoint-address=123.123.123.123 endpoint-port=\
51820 interface=WG_HOME name=peer_WG_HOME persistent-keepalive=25s \
public-key="======"


Replace Nat Rules:
/ip firewall nat
add action=src-nat chain=srcnat comment="All Local clients to Internet" \
out-interface=ether1WAN to-addresses=192.168.178.2
add action=dst-nat chain=dstnat comment=\
"RDP-Forwarding WG_HOME to 192.168.100.31" dst-port=3389 in-interface=\
WG_HOME protocol=tcp to-addresses=192.168.100.31
add action=masquerade chain=srcnat comment="SNAT replies via WG" \
out-interface=WG_HOME src-address=192.168.100.0/24

WITH:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1


To ensure the incoming WireGuard traffic reaches the server you simply need a firewall rule.
However, you have no firewall rules on either device, which means all traffic is allowed, which is not a very safe setup,
as those being port forwarded would be able to reach and hack your router, including anybody scanning the VPS for one of the most hacked ports, 3389.

In other words this is not a good plan.
Furthermore, your requirements don't mention the LAN members using the VPS for their internet connection, so it needs to be stated clearly.
Thus rethink access to your router; it can be done through WireGuard safely, and you also need firewall rules.

Statistics: Posted by anav — Mon Apr 21, 2025 7:06 pm
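Added illustration, not part of anav's reply: the filter rules the post says are missing on both devices, written for the interface names, addresses and ports that appear above (ether1, WG_VPS, WG_HOME, 192.168.100.31, incoming port 12009 forwarded to 3389, WireGuard on UDP 51820). The address-list name `rdp_allowed` and the example source address 203.0.113.10 are assumptions; replace them with the real allowed sources. Note that filter forward sees the packet after dst-nat, so the forward rule matches the server address and port 3389, not the public port 12009.

```routeros
# ---------- ON VPS ----------
# Assumed name and example entry; put the real admin source address(es) here.
/ip firewall address-list
add list=rdp_allowed address=203.0.113.10 comment="example allowed RDP source"

/ip firewall filter
# Router itself (input): keep the tunnel and replies working, drop the rest.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=51820 \
    comment="WireGuard handshake from the home router"
add chain=input action=accept in-interface=WG_VPS comment="management only via tunnel"
add chain=input action=drop comment="nothing else reaches the VPS itself"

# Transit (forward): only the dst-nat'd RDP flow, and only from the allow-list.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.100.31 dst-port=3389 src-address-list=rdp_allowed \
    comment="port 12009 forwarded to the RDP server, allow-listed sources only"
add chain=forward action=drop in-interface=ether1 \
    comment="WAN may not initiate anything else into the tunnel"

# ---------- ON HOME ROUTER ----------
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=!ether1WAN \
    comment="LAN and tunnel may manage the router; WAN may not"
add chain=input action=drop comment="drop all other traffic to the router itself"

add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=WG_HOME connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.100.31 dst-port=3389 \
    comment="only the forwarded RDP flow may enter from the tunnel"
add chain=forward action=drop in-interface=WG_HOME \
    comment="tunnel may not reach anything else on the LAN"
add chain=forward action=drop in-interface=ether1WAN connection-nat-state=!dstnat \
    comment="WAN may not initiate into the LAN"
```

Rule order matters: RouterOS evaluates filter rules top to bottom and the first match wins, so the established/related accept stays first and each final drop closes its chain. If the LAN is later meant to use the VPS for its internet access, a separate forward accept for WG_VPS to ether1 on the VPS is needed; it is left out because, as the reply says, that requirement has not been stated.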
