Want to port forward but your ISP uses carrier grade NAT (also called ISP NAT or double NAT)?
This is more of an outline rather than a tutorial. I will assume you already have a linux server with root user or sudo access. I will also assume that you are a little bit familiar with some basic linux commands and you have some networking knowledge.
1) download and run the wireguard-install script. (Please take note of the IPs and server port you pick. I recommend port 8080 but you are welcome to use the default or pick something else. Another potential good choice is 443 or 80.)
$ curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh && chmod +x wireguard-install.sh && sudo ./wireguard-install.sh
2) Copy the client config to your local computer. (check the folder you ran the script in)
3) after wireguard is running on the server (check with "systemctl status wg-quick@your-value" or htop) test it with: $ wg-quick up /location/of/your-config
4) You should be able to browse the internet using the VPN but the port forwarding isn't set up yet.
5) Now to setup and enable the firewall. I will show you my firewall.sh script as an example. I save the rules as a shell script so if you accidentally block SSH all you have to do is reboot using your VPS/server control panel for the rules to be removed. You can choose to make these rules persistent once you get it working. If you leave it as is make sure to run the script again each time after you reboot. Make sure you change the ports and IPs to match whatever you picked.
#!/bin/bash
# default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# loopback interface
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# drop invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELAT
ED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELA
TED -j ACCEPT
# ping (you can remove if you want)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCE
PT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEP
T
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
ip6tables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# wireguard (udp/8080) - VPN
iptables -A INPUT -p udp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p udp --sport 8080 -j ACCEPT
# allow forwarding for wireguard (because we DROP on FORWARD chain by default. Change "ens3" to "eth0" if you are using the old network interface names)
iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT
ip6tables -A FORWARD -i wg0 -o ens3 -j ACCEPT
ip6tables -A FORWARD -i ens3 -o wg0 -j ACCEPT
# port forwarding rules
bash /root/port-forward.sh
I save the above as firewall.sh
And here are the port forwarding rules for UDP, TCP, and IPv4 and IPv6. If your server doesn't support IPv6 you can ignore the lines that contain "ip6tables". The example below assumes that you are using port 48319 on Tixati.
# Tixati - TCP
iptables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV4 -p tcp --dport 48319 -j DNAT --to
-dest 10.66.66.2:48319
iptables -t filter -A INPUT -p tcp -d 10.66.66.2 --dport 48319 -j ACCEPT
ip6tables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV6 -p tcp --dport 48319
-j DNAT --to-dest [fd42:69:69::2]:48319
ip6tables -t filter -A INPUT -p tcp -d fd42:69:69::2 --dport 48319 -j ACCEPT
# Tixati - UDP/uTP
iptables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV4 -p udp --dport 48319 -j DNAT --to
-dest 10.66.66.2:48319
iptables -t filter -A INPUT -p udp -d 10.66.66.2 --dport 48319 -j ACCEPT
ip6tables -t nat -A PREROUTING -d YOUR-SERVER-PUBLIC-IPV6 -p udp --dport 48319
-j DNAT --to-dest [fd42:69:69::2]:48319
ip6tables -t filter -A INPUT -p udp -d fd42:69:69::2 --dport 48319 -j ACCEPT
You can include this in firewall.sh or put it in a separate file. In my firewall.sh, I have it run port-forward.sh (See last line)
6) Connect to the VPN and bind Tixati to your VPN interface IP(s). Run a few torrents and check for incoming connections. You do not need to use UPnP for the port forwarding because the port is already forwarded.
If you have any questions or need me to clarify anything, let me know. Again, this is more of an outline rather than a proper tutorial.