[plug] Bypass CGNAT for hosting website and email

Alex H. alex at spottedmouse.com
Fri Feb 13 09:33:19 AWST 2026


Hi James

Thanks for this. After reading the link you suggested more carefully (https://mjg59.dreamwidth.org/72095.html), I got it working nicely. Learnt a lot as well in the process.

Kind regards
Alex


-----Original Message-----
From: Alex H. <alex at spottedmouse.com> 
Sent: Thursday, 12 February 2026 23:50
To: 'James Henstridge' <james at jamesh.id.au>
Cc: 'plug at plug.org.au' <plug at plug.org.au>
Subject: RE: [plug] Bypass CGNAT for hosting website and email

Thanks James,

I have followed your advice and installed a WireGuard-based solution to forward a number of ports to my internal server.

Did you find a solution to expose the original source IP address to the internal server? This would allow me to deploy fail2ban for extra security. Currently all requests on the internal server seem to be from the WireGuard address, which makes sense, since I am doing NAT with iptables.

Any suggestions or thoughts are appreciated.

Kind regards
Alex

-----Original Message-----
From: James Henstridge <james at jamesh.id.au> 
Sent: Friday, 24 October 2025 14:32
To: alex at spottedmouse.com
Cc: plug at plug.org.au
Subject: Re: [plug] Bypass CGNAT for hosting website and email

On Wed, 22 Oct 2025 at 14:25, <alex at spottedmouse.com> wrote:
> For some time I have been researching options to host a website and email behind CGNAT. Cloudflare tunnels seemed to address the website nicely, but don’t support SMTP etc.
>
> Hosting a VPS and directing traffic over a VPN is another option. Any recommendations?
>
> Ideally I am not looking to spend a lot of money on this as it is only for my home lab.
>
> Much appreciate any guidance and advice.

Having gone through some of this with the recent PLUG server move, you will want a static IP address with reverse DNS pointing to your domain. Without that, you may have difficulty getting other servers to accept email from you.

This probably means renting a VM from some hosting provider. The new PLUG server is using Binary Lane (https://www.binarylane.com.au/), who are local and good value. They will set the PTR record for the IP address to whatever you want. They'll also give you console access to your VM via the website if you break things to a point where you can't ssh into the VM.

While you could run your services on the VM, you could try something like what is described here:

https://mjg59.dreamwidth.org/72095.html

In essence, run a WireGuard VPN tunnel between your home and the VPS, and then use destination NAT and routing tricks to direct traffic down the VPN to home. He's glossing over a few steps in his description of the setup (e.g. I suspect he's not forwarding the same IP address as he is using as the VPN endpoint), so it might not be a beginner-friendly option.

James.
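
The destination NAT and routing setup described in this thread, arranged so the home server still sees real client addresses (the fail2ban question above). This is an added example, not taken from the thread or the linked post; the interface names, tunnel addresses, port list and routing table number are assumptions.

```shell
#!/bin/sh
# Added example: DNAT over WireGuard that keeps the client's source address.
# Assumed values (not from the thread); adjust before use.
WAN_IF=eth0            # VPS public interface (assumption)
WG_IF=wg0              # WireGuard interface on both hosts (assumption)
HOME_WG_IP=10.0.0.2    # home server's tunnel address (assumption)
PORTS=25,80,443        # services to publish (assumption)
TABLE=100              # spare routing table number (assumption)

# Print each command by default; set APPLY=1 and run as root to execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# On the VPS: rewrite only the destination, so the packet still carries the
# real client address when it reaches the home server.
vps_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport \
        --dports "$PORTS" -j DNAT --to-destination "$HOME_WG_IP"
    run iptables -A FORWARD -i "$WAN_IF" -o "$WG_IF" -d "$HOME_WG_IP" -p tcp \
        -m multiport --dports "$PORTS" -j ACCEPT
    run iptables -A FORWARD -i "$WG_IF" -o "$WAN_IF" -s "$HOME_WG_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Deliberately absent: "-t nat -A POSTROUTING -o $WG_IF -j MASQUERADE".
    # That rule is what makes every connection appear to come from the
    # VPS tunnel address.
}

# On the home server: replies leave with source HOME_WG_IP, so send exactly
# those back through the tunnel; the VPS connection tracker then restores
# its public address as the source. Everything else keeps the normal route.
home_rules() {
    run ip rule add from "$HOME_WG_IP" lookup "$TABLE"
    run ip route add default dev "$WG_IF" table "$TABLE"
}
# The home peer entry for the VPS also needs AllowedIPs = 0.0.0.0/0, or
# WireGuard drops tunnel packets with Internet source addresses; with
# wg-quick add Table = off so it does not replace the default route.

case "${1:-}" in
    vps)  vps_rules ;;
    home) home_rules ;;
esac
```

Run with `vps` or `home` as the argument to print the commands for that host; nothing is changed unless APPLY=1 is set.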


