Wireguard VPS as a way to bypass CGNAT but is there a way to forward users' ip?

Thread starter: /u/MattyByte

Hi everyone,

I’m running a Minecraft server on my home PC (Windows), but my ISP uses CGNAT. To bypass this, I rented a Linux VPS and set up a WireGuard tunnel to forward traffic to my home machine.

The Setup:

  • VPS: Ubuntu running WireGuard + iptables forwarding.
  • Home Host: Windows PC running the official WireGuard client.
  • Traffic Flow: Player -> VPS (Public IP) -> WG Tunnel -> Home PC.

The Problem: Everything connects fine, but all players show up with the internal VPN IP (10.10.0.1) in the server console.

I know why this is happening: I had to enable MASQUERADE on the VPS PostUp rules. If I disable masquerading to preserve the source IP, the connection breaks. My Windows PC sees the real IP, tries to reply via my local ISP gateway (default route), and the packet gets dropped (Asymmetric Routing).

The Constraints:

  1. I cannot use "Full Tunneling" (AllowedIPs = 0.0.0.0/0) on my home PC because this is my daily driver. I don't want my Netflix/YouTube traffic going through the VPS.
  2. Host is Windows: I know this is trivial on Linux with ip rule / policy-based routing, but I’m stuck on Windows for now.
  3. HAProxy: I tried wrapping the connection in HAProxy/Traefik on the VPS. It works for Java (with haproxy-protocol: true), but I’m looking for a cleaner network-level solution if possible, especially one that plays nice with Bedrock (UDP).

My Question: Is there a way to achieve "Split Tunneling by Application" on Windows so I can force only java.exe / bedrock_server.exe traffic back through the tunnel?

Or should I just ditch WireGuard and use something like FRP (Fast Reverse Proxy) or run Velocity/Geyser directly on the VPS?

Any advice on the "cleanest" setup for this scenario would be appreciated!

submitted by /u/MattyByte
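For concreteness, here is the VPS side of the setup the post describes, written as an added example rather than the poster's own config: a `wg0.conf` whose PostUp rules DNAT the game ports to the home peer and MASQUERADE the forwarded traffic, which is exactly why every player shows up as 10.10.0.1. Assumed values (not from the post): public interface `eth0`, home peer at 10.10.0.2, Java on 25565/tcp and Bedrock on 19132/udp, placeholder keys.

```ini
# /etc/wireguard/wg0.conf on the VPS (added example; interface, peer address,
# ports and keys are assumptions, not taken from the post)
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>

# Kernel must forward between eth0 and wg0.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Forward the Minecraft ports arriving on the public interface to the home peer.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.10.0.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 19132 -j DNAT --to-destination 10.10.0.2
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.10.0.2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# MASQUERADE rewrites each player's source address to 10.10.0.1, so the home
# PC's reply is addressed to the tunnel and comes back through wg0.  Remove
# this one rule and the home PC sees the real player IP, but with a split
# tunnel (AllowedIPs = 10.10.0.0/24 on the Windows side) it answers via its
# ISP default route and the reply is dropped: the asymmetric routing the
# post describes.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

# Mirror every rule on teardown so a restart does not accumulate duplicates.
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.10.0.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 19132 -j DNAT --to-destination 10.10.0.2
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.10.0.2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
# Home Windows PC running the official WireGuard client
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.10.0.2/32
```

Because the FORWARD chain only admits NEW connections toward the home peer on the two game ports, the VPS does not expose anything else on the Windows machine, and the conntrack states let you see in `conntrack -L` (if installed) that each player session is tracked once with the rewritten source.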