As my provider does not give me a public IPv4 address, I am using a VPS combined with a WireGuard tunnel to make my homeserver reachable from the Internet (via IPv4 and IPv6).
On my homeserver, the traffic arrives first on a reverse proxy (Traefik). Currently, I am using rinetd to forward the incoming traffic of port 80/443 on the VPS to the WireGuard IP address of my homeserver (10.10.0.2). This works but has the problem that the source IP of the packets is always the WireGuard IP of my VPS (10.10.0.1). This is a known limitation of rinetd (https://manpages.ubuntu.com/manpages/bionic/man8/rinetd.8.html).
Plan: Internet <-> (ens192) VPS (wg1) <-> (wg1) homeserver
Solution:
For anyone having this problem at a later point, here is the solution.
Iptables config on the VPS:
iptables -I FORWARD -d 10.10.0.2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -s 10.10.0.2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination 10.10.0.2:80
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination 10.10.0.2:443
iptables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]
ip6tables -I FORWARD -d fdb0:926d:918e::2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -I FORWARD -s fdb0:926d:918e::2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination [fdb0:926d:918e::2]:80
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination [fdb0:926d:918e::2]:443
ip6tables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]
On the homeserver, configure routing:
ip -4 route add default dev wg1 table 4242
ip -6 route add default dev wg1 table 4242
ip -4 rule add pref 500 from 10.10.0.2 lookup 4242
ip -6 rule add pref 500 from fdb0:926d:918e::2 lookup 4242
Also configure the WireGuard AllowedIPs to allow all IPs, except the local (home) network and the public IPv4 and IPv6 of my VPS.
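As an added example (not part of the original post), the same setup rendered from variables: one template produces the IPv4 and IPv6 rule sets on the VPS and the policy-routing commands on the homeserver, and a small check confirms that the VPS kernel actually forwards. The public addresses 203.0.113.10 and 2001:db8::10 are constructed placeholders; interface names, tunnel addresses and table id are taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: render the VPS-side iptables
# rules and the homeserver-side policy routing from variables, so IPv4 and IPv6
# come from one template and no placeholder can be left unfilled. The public
# addresses below are constructed (documentation ranges), not real hosts.

# VPS side, one address family per call.
# $1 = iptables|ip6tables  $2 = WAN interface  $3 = VPS public address
# $4 = homeserver WireGuard address  $5 = space-separated TCP ports
render_vps_rules() {
  ipt=$1; wan=$2; pub=$3; home=$4; ports=$5
  case $ipt in
    ip6tables) dst="[$home]" ;;  # an IPv6 literal followed by :port must be bracketed
    *)         dst=$home ;;
  esac
  # Forward only connections DNATed here, and only their replies back out.
  echo "$ipt -I FORWARD -d $home -p tcp -m conntrack --ctstate DNAT -j ACCEPT"
  echo "$ipt -I FORWARD -s $home -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  for p in $ports; do
    echo "$ipt -t nat -I PREROUTING -p tcp -d $pub -i $wan --dport $p -j DNAT --to-destination $dst:$p"
  done
  # SNAT only on the WAN interface: packets going into the tunnel keep the
  # client's real source address, which is what rinetd could not do.
  echo "$ipt -t nat -A POSTROUTING -o $wan -j SNAT --to-source $pub"
}

# Homeserver side: replies from the tunnel address must leave via the tunnel,
# not via the home router's default route, or the VPS never sees them.
# $1 = 4|6  $2 = WireGuard interface  $3 = homeserver tunnel address  $4 = table id
render_home_routing() {
  echo "ip -$1 route add default dev $2 table $4"
  echo "ip -$1 rule add pref 500 from $3 lookup $4"
}

# Return 0 if the kernel forwards for the given family (needed on the VPS).
forwarding_enabled() {
  case $1 in
    4) f=/proc/sys/net/ipv4/ip_forward ;;
    6) f=/proc/sys/net/ipv6/conf/all/forwarding ;;
    *) return 1 ;;
  esac
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

render_vps_rules iptables  ens192 203.0.113.10 10.10.0.2         "80 443"
render_vps_rules ip6tables ens192 2001:db8::10  fdb0:926d:918e::2 "80 443"
render_home_routing 4 wg1 10.10.0.2 4242
render_home_routing 6 wg1 fdb0:926d:918e::2 4242
forwarding_enabled 4 || echo "warning: net.ipv4.ip_forward is 0 on this host" >&2
```

Pipe the rendered lines into sh on the respective host once they look right; the forwarding check is meant to run on the VPS, where a 0 explains silently dropped connections.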