Channel: MikroTik

Beginner Basics • Re: Port forwarding through Proton VPN?

> YES it can, just not through PROTON.
> You could host a CHR on VPS for example (cloud server) or Linux OS etc.
> (1) All users would go directly to the public IP of the CHR vice your public IP to connect to a server.
> (2) The CHR would then port forward that traffic INTO a WireGuard TUNNEL
> (3) The WireGuard tunnel is between the CHR and the MT ROUTER, transparent to the users that are connecting via public IP to the CHR.
>
> I personally don't like the idea of using any public IP for serving, and the CHR/VPS method is one way around that.
> Another is using container function of zerotrust Cloudflare tunnel which uses a third party so that's a personal choice but allows you to provide servers without exposing public IP.
Sounds complicated! I suspect my requirements could be met without the need for involving additional cloud based resources.

The answer to my original question, "Is port forwarding possible through Proton VPN using WireGuard on a MikroTik router running RouterOS 7 to a downstream system?", appears to be NO.

I think a solution might be Route all traffic to VPN (With exceptions). All outbound traffic is routed via WireGuard except for traffic originating from, in my case, the Home Assistant system which is routed directly to my ISP over, in my case, ether2. Other exceptions could be made for any destination addresses that fall foul of VPN blockers. However, I couldn't see how exceptions were handled in that thread. Apologies if I have missed something obvious. I have little experience with firewalls and routers.

This doesn't seem a particularly uncommon requirement for home users who wish to use a VPN and also be able to connect remotely to home automation or similar systems. Maybe a recipe for this would be useful?

My current thoughts are that two WANs could be used: one for direct connections via the ISP; the other for connection through WireGuard. My local addresses are from 192.168.199.0/24 and I was thinking that 192.168.199.2-192.168.199.247 would use WireGuard and 192.168.199.248/29 would be direct (and be suitable targets for port forwarding). Would it be possible to use something like this for routing?
  1. 192.168.199.0/25 => WireGuard
  2. 192.168.199.128/26 => WireGuard
  3. 192.168.199.192/27 => WireGuard
  4. 192.168.199.224/28 => WireGuard
  5. 192.168.199.240/29 => WireGuard
  6. 192.168.199.248/29 => direct (eg. homeassistant = 192.168.199.252)
Any exceptions based on destination address could be explicitly routed to the direct connection to avoid VPN blockers.

Is this a plausible approach? Or am I going in totally the wrong direction?
> By the way, its recommended setup is actually misleading, and I would request assistance so that you do it properly once all the network facts are known.

I would still be interested to know how the Proton VPN recommended setup is misleading. If it can be clarified then perhaps others and I wouldn't be misled?

Thanks again for the assistance.

Statistics: Posted by JohnConnett — Thu Jan 04, 2024 4:27 pm
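
The address split proposed in the post above can be checked mechanically. This Python sketch is an added example, not part of the original post: it derives the tunnel-side prefixes from the /24 and the direct /29, confirms that the six listed prefixes cover the LAN with no gaps or overlaps, and reports which path a given host would take. The path labels and function names are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.199.0/24")
DIRECT = ipaddress.ip_network("192.168.199.248/29")

# The six prefixes listed in the post, in order (first match wins).
PROPOSED = [
    ("192.168.199.0/25", "wireguard"),
    ("192.168.199.128/26", "wireguard"),
    ("192.168.199.192/27", "wireguard"),
    ("192.168.199.224/28", "wireguard"),
    ("192.168.199.240/29", "wireguard"),
    ("192.168.199.248/29", "direct"),
]

def vpn_prefixes(lan, direct):
    """Minimal prefix list covering `lan` minus `direct` (the tunnel side)."""
    return sorted(lan.address_exclude(direct))

def check_partition(lan, rules):
    """Return a list of problems: stray prefixes, overlaps, uncovered space."""
    nets = [ipaddress.ip_network(prefix) for prefix, _ in rules]
    problems = []
    for i, a in enumerate(nets):
        if not a.subnet_of(lan):
            problems.append(f"{a} is outside {lan}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    covered = sum(n.num_addresses for n in nets)
    if not problems and covered != lan.num_addresses:
        missing = lan.num_addresses - covered
        problems.append(f"{missing} addresses in {lan} match no rule")
    return problems

def path_for(host, rules):
    """Path label of the first rule whose prefix contains `host`, else None."""
    addr = ipaddress.ip_address(host)
    for prefix, path in rules:
        if addr in ipaddress.ip_network(prefix):
            return path
    return None

if __name__ == "__main__":
    print("tunnel prefixes:", [str(n) for n in vpn_prefixes(LAN, DIRECT)])
    print("problems:", check_partition(LAN, PROPOSED) or "none")
    for host in ("192.168.199.10", "192.168.199.247", "192.168.199.252"):
        print(host, "->", path_for(host, PROPOSED))
```
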


