Access nc through wireguard and vps

Hi, I have some issues getting access to my nc running at home from the internet.

I have nexcloud up and running on a raspberry pi 4 at my home. To access it from outside my home I rented a vps with a public ip and connected the pi via wireguard (my ISP only provides a public ipv6 and a non-configurable firewall -.- ). Also, I configured iptables on the vps for routing all traffic to port 80 and 443 to the pi and changing the source of outgoing traffic to the public ip of the vps. With this, I can ping the vps through wireguard, as well as the internet (from the pi).

But : I can’t access nc in the browser, I get a timeout message.
The really weird thing is that terminal tools, like curl or wget, do get messages from the nginx server running nc, like the expected 301 error when connecting over http.

I’m not very experienced with network stuff so I might have a stupid error somewhere and I’m very much out of ideas how to debug this situation.

Here are some more details:

  • DNS entry pointing on public ip of vps

On the my home network:

  • Nextcloud running on nginx
  • let’s encrypt certificate & certbot
  • no iptables rules
  • forwarding enabled in kernel & iptables
  • wireguard config:

Address =
PrivateKey =
ListenPort = 51653
PublicKey =
AllowedIPs =
Endpoint =
PersistentKeepalive = 25

On the vps:

  • forwarding enabled in kernel & iptables
  • wireguard config:

Address =
Address = fd13:3dae:bf12:8012::/64
SaveConfig = true
ListenPort = 51653
PrivateKey =
PublicKey =
AllowedIPs =
Endpoint = yyy.yyy.yyy.yyy:54089

  • External firewall of the vps allows ports 22,80,443,51653
  • iptables:

-A PREROUTING -i ens192 -p tcp --dport 80 -j DNAT --to-destination
-A PREROUTING -i ens192 -p tcp --dport 443 -j DNAT --to-destination
-A POSTROUTING -o ens192 -j SNAT --to-source (vps public ip)

Some tutorials suggested to also use

-A POSTROUTING -d -o wg1 -p tcp -j SNAT --to-source

but this didn’t help. Bonus question: Would the vps even be able to deliver responses from nc when this last rule replaces the real sender?

I also tried MASQUERADE instead SNAT.

Thanks for every idea or solution!

If let’s encrypt works i think the forwarding to http://your-dns (not https) must work. Can you access http://your-dns and https://your-dns ? Perhaps you can temporary replace nextcloud with a small html-test-page .
Also you can use network-analysis (F12) in your browser. Can you post details? Which http(s)-requests works? Post real data and anonymize only your-domain or domain.

Thanks for the reply!
I just tried renewing the certificates and expected this to fail, but it has worked somehow.
When I try to access via browser I get a timeout message for http as well as https. In the network analysis I found DNS lookup (26 ms), connection establishmend (10 ms)
Afterwards TLS configuration seems to fail (-1 ms).
For a test site all I have to do is replace the index.html? I tried, nothing changed.

Can you post details?

Sure, maybe I’m missing something, but the networkanalysis doesn’t provide much more info.
0B transmitted, no ‘requests’, no ‘answers’. If you have a suggestion how to approach this problem, I’d be very happy to do so.

I think the best solution is to change the provider and use DynDNS on the home router. Or you host nextcloud on the VPS.

Sadly not really an option as it’s the only one delivering good speed at a reasonable price :confused:
I captured the traffic from and to the vps with wireshark if this is usfull, I can’t read to much from this…

I found a solution: the problem was the MTU. After I lowered it in the wireguard configs to 1400 it worked! I found this after I posted on reddit here