I am using WireGuard, which I have installed on my VPS, to be able to forward ("open") some ports that I need to run SoulSeek, even when my ISP has put me behind a CG-NAT. I imagine that these instructions (after some adjustments) can be used for other VPN solutions and other applications that need you to forward some ports to run properly such as BitTorrent clients and such.
This tutorial assumes that you already have WireGuard installed and running. If not, you can use any other tutorial or script to install WireGuard.
The easy way would be to install the WireGuard client on Windows and then load your configuration file, but that would mean that all your traffic gets routed through your VPN, which is something that I want to avoid.
WireGuard
First we need to install the WireGuard client and make some changes to the client configuration file so, by default, no traffic goes through the VPN. Every connection has what we call a "metric" which is something like the priority of that connection. We have to tell WireGuard to change the metric of the VPN interface to a high value so this interface is never used by default.
This post explains it well: Split Tunneling in WireGuard on Windows (archive)
iptables
We need to use iptables to forward all incoming connections to the WAN interface of our VPS to the VPN interface. We use the following command once for every port that we need to forward:
iptables -t nat -A PREROUTING -p tcp -d <WAN IP> --dport 51211 -j DNAT --to <VPN client IP>
In this case, WAN IP is the public IP address of our VPS, while the VPN client IP is the IP address that our client gets when it logs into WireGuard. You can see it in the Interface -> Address option of your WireGuard .conf file.
Since iptables rules are reset on reboot we need to figure a way of making the rules persistent. I use iptables-persistent; configuring it is beyond the scope of this article.
SoulSeek (or any other application)
We have to tell the application that we want it to bind to the VPN client address instead of the default address. Most network-oriented applications allow you to specify what IP address you want to bind to, but some don't, and SoulSeek is one of those that don't. But there's a solution: ForceBindIP.
We need to find what the GUID of our VPN tunnel is. Using the Registry Editor, we have to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces and find that interface. In the case of WireGuard you will recognise it because of the NameServer values. Copy the GUID and turn it into uppercase to bypass a bug in ForceBindIP. Then you can launch SoulSeek by creating a shortcut like this:
Target: C:\Software\ForceBindIP\ForceBindIP64.exe {DD63324A-14EB-D556-77E6-C4120A4D65A4} "C:\Program Files (x86)\SoulseekQt\SoulseekQt.exe"
Start in: "C:\Program Files (x86)\SoulseekQt"
You have to use either ForceBindIP.exe or ForceBindIP64.exe depending on whether the application is 32-bit or 64-bit.
Once the application launches and you have configured the ports that you forwarded before (and restarted the application if necessary), you can try one of those online services that check for open ports. Use your VPS IP address and the port(s) you forwarded and they should display as open.
Take into account that the fact that the port shows as open doesn't mean that the application has managed to bind to the IP address of our VPN client, since most applications accept connections on every interface, including the VPN interface. How to check which IP address the application is using will depend on the application. In the case of SoulSeek, we can try Nicotine+ from another computer, which allows us to see the IP address of other users. You can also check if you can browse your own shares and download stuff.
