I'm currently setting up my homelab network, which includes a DMZ subnet at 192.168.3.0/24. On my Docker node at 192.168.3.123, I run an nginx proxy manager that manages subdomains and Let's Encrypt certificates. My setup forwards HTTP and HTTPS (ports 80 and 443) through my firewall to this Docker node.
However, my cable provider is not great, and I'm looking to improve my internet connection without waiting for fiber to become available. Currently, I have a VPS in Canada and another in Germany that host my slave DNS servers.
Here's where I run into trouble: I'm trying to set up a WireGuard tunnel to forward traffic from the VPS to my internal nginx proxy. I have established the tunnel, and I can ping devices in my DMZ subnet from the VPS, where the tunnel IPs are 10.9.0.1 (server) and 10.9.0.2 (client).
I even tried to install nginx on the VPS, but I'm having issues securing the admin UI. Instead, I set up NAT and MASQUERADE rules in iptables on the VPS, but when I try accessing my domain (emby.domain.tld), it times out.
I've double-checked that IP forwarding is enabled on both the VPS and the tunnel endpoint, but I'm at a loss on how to forward HTTP and HTTPS traffic correctly through the WireGuard tunnel to reach my internal nginx proxy manager. Can anyone offer guidance?
1 Answer
It sounds like there might be some MTU issues due to the WireGuard tunnel. You might want to try enabling MSS clamping. The overhead from the tunnel can lead to packets being dropped if the MTU size is lower than expected. Adjusting MSS can help manage this.
That makes sense! I think the incoming traffic has an MTU of 1500, while the tunnel might be trying to send through something lower, like 1420. How would I go about changing the MSS clamping settings?
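An added example, not code from the answer or the original poster, of the rule set the answer points at: a POSIX sh script that derives the TCP MSS from the tunnel MTU and prints (or, with `apply`, executes) the iptables rules for MSS clamping plus the 80/443 forward on the VPS. It assumes wg0 with MTU 1420, eth0 as the VPS public interface and 192.168.3.123 as the home proxy; all three are assumptions, not values confirmed by the thread.

```shell
#!/bin/sh
# Added example: MSS clamping plus port forwarding on the VPS end of a
# WireGuard tunnel. Assumed names: tunnel interface wg0 (MTU 1420), public
# interface eth0, home proxy 192.168.3.123 reachable through the tunnel.
WG_IF="${WG_IF:-wg0}"
PUB_IF="${PUB_IF:-eth0}"
PROXY="${PROXY:-192.168.3.123}"
WG_MTU="${WG_MTU:-1420}"

# IPv4 header (20 bytes) + TCP header (20 bytes) = 40 bytes of overhead, so
# the largest TCP segment that fits in one tunnel packet is MTU - 40.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print the rules instead of running them, so they can be reviewed without root.
render_rules() {
    mss=$(mss_for_mtu "$WG_MTU")
    cat <<EOF
# Clamp the MSS on SYN packets in both directions across the tunnel so neither
# end negotiates segments larger than the tunnel can carry unfragmented.
iptables -t mangle -A FORWARD -o $WG_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
iptables -t mangle -A FORWARD -i $WG_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
# Forward only TCP 80/443 arriving on the public interface to the home proxy.
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY:80
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 443 -j DNAT --to-destination $PROXY:443
iptables -A FORWARD -i $PUB_IF -o $WG_IF -p tcp -d $PROXY -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source NAT towards the proxy so its replies return through the tunnel.
iptables -t nat -A POSTROUTING -o $WG_IF -d $PROXY -j MASQUERADE
EOF
}

# Execute the rendered rules (comment lines stripped); needs root.
apply_rules() {
    render_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) render_rules ;;
esac
```

The MASQUERADE rule makes the home proxy see the VPS tunnel address as the client source; keep it unless the home side has a route back to the VPS through the tunnel, in which case it can be dropped to preserve real client IPs in the proxy logs.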