this post was submitted on 06 Mar 2026
7 points (88.9% liked)


So I have an HTTP server on node A, and a VPS on node B. Both are connected through WireGuard on a VPN which consists only of these two nodes. I'm trying to make all the requests that arrive on http/s on node B be forwarded to A and processed there. Then of course the response must return to the original sender. I've seen a million ways to do it online and I'm hitting a brick wall, so how would you do it properly on a fresh install (assuming my firewall, ufw in my case, is disabled; I'll figure it out once routing works as intended)?

[–] forestbeasts@pawb.social 2 points 11 hours ago* (last edited 11 hours ago)

We use nginx for that! It can proxy TCP/UDP in general. You can also have it be your TLS endpoint and then pass stuff back to the backend over plain HTTP, if you trust your VPS, but you don't have to.

nginx can preserve the source IP with its "proxy_protocol" feature, somewhat (might only work for HTTPS; with proxy_protocol, nginx on server A will then set the appropriate header with the IP it gets from server B). Or if you decrypt on the VPS, it can set the appropriate header for you before sending it back to server A.

I've got a guide on how we have ours set up: https://frost.brightfur.net/blog/selfhosting-with-a-bounce-vps-part-1/

-- Frost

[–] Scoopta@programming.dev 2 points 19 hours ago

Are the https requests being sent to an IP address assigned to node B? If so you either need an nginx reverse proxy on node B or NAT with port forwarding.

[–] possiblylinux127@lemmy.zip 1 points 18 hours ago* (last edited 18 hours ago)

You need to rewrite the incoming dest IP address to be the IP of node B. The important part is to make sure the source IP is unaltered.

The easiest solution would be to set up a reverse proxy on Node A and have it forward traffic to Node B.

[–] dgdft@lemmy.world 1 points 19 hours ago* (last edited 19 hours ago) (1 children)

SSH tunneling is the term for what you need here. You can set it up on either end, and it’ll transparently pipe data from a port on the VPS to your TLS box. Configure the web server to reverse-proxy that port, and you’re up and running.

[–] possiblylinux127@lemmy.zip 1 points 18 hours ago (1 children)

SSH tunneling is really slow and doesn't preserve the source IP

[–] dgdft@lemmy.world -1 points 15 hours ago* (last edited 15 hours ago)

SSH tunnels suffer from TCP over TCP, but it's not too much worse than OpenVPN or wg over TCP on the whole. E.g. https://asciinema.org/a/347146.

Nothing OP mentioned in the post required preserving the source IP, but as your root comment alludes to, standard practice is to set an X- header on the reverse proxy to keep source IP.