Using WireGuard (better performance)
- Home Server (Relay): Runs WireGuard Server. It accepts traffic from the internet on Sunshine ports (e.g., 47984, 47998…) and forwards it through the VPN tunnel to the Windows machine.
- Windows Server (Game Host): Runs WireGuard Client. It receives the game stream traffic from the Home Server’s tunnel IP.
Phase 1: Home Server (Linux) Configuration
Goal: Set up the WireGuard interface and the “port forwarding” rules that redirect traffic to Windows.
- Install WireGuard (if not installed):
sudo apt install wireguard
- Generate Keys (the umask keeps the private key file readable only by its owner):
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)
- Create Config (/etc/wireguard/wg0.conf): Replace HOME_SERVER_PRIVATE_KEY with the key you just generated. Replace WINDOWS_PUBLIC_KEY with the key you will generate in Phase 2.
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = HOME_SERVER_PRIVATE_KEY
# --- Port Forwarding Rules (The "Relay" Magic) ---
# These rules take traffic hitting your Public IP and shove it into the Tunnel to Windows (10.10.10.2)
# Enable IP Forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1
# 1. Forward TCP Ports (HTTPS, Pin, Web, RTSP)
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 47984,47989,47990,48010 -j DNAT --to-destination 10.10.10.2
# 2. Forward UDP Ports (Video, Control, Audio)
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 47998,47999,48000 -j DNAT --to-destination 10.10.10.2
# 3. Masquerade (Ensures Windows replies come back through the tunnel)
PostUp = iptables -t nat -A POSTROUTING -d 10.10.10.2 -j MASQUERADE
# --- Clean up rules when VPN stops ---
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 47984,47989,47990,48010 -j DNAT --to-destination 10.10.10.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 47998,47999,48000 -j DNAT --to-destination 10.10.10.2
PostDown = iptables -t nat -D POSTROUTING -d 10.10.10.2 -j MASQUERADE
[Peer]
# This is your Windows Cloud Server
PublicKey = WINDOWS_PUBLIC_KEY
AllowedIPs = 10.10.10.2/32
Note: Replace eth0 with your actual network interface name (check with ip addr).
- Start Server:
sudo wg-quick up wg0
Phase 2: Windows Cloud Server Configuration
Goal: Connect to Home Server and keep the connection alive.
- Install: Download WireGuard for Windows.
- Open WireGuard and click “Add Tunnel” → “Add empty tunnel…”
- Paste Configuration:
Replace WINDOWS_PRIVATE_KEY with the auto-generated one in the window. Replace HOME_SERVER_PUBLIC_KEY with the one from Phase 1.
[Interface]
PrivateKey = WINDOWS_PRIVATE_KEY
Address = 10.10.10.2/24
[Peer]
PublicKey = HOME_SERVER_PUBLIC_KEY
AllowedIPs = 10.10.10.1/32
# Your Home Server's Public Address (from your rathole config)
Endpoint = lukaxzs.myaddr.io:51820
# Crucial for NAT Traversal (Keeps the tunnel open)
PersistentKeepalive = 25
- Activate: Click Activate. You should see a green checkmark.
Troubleshooting
- Packet Loss/MTU: If the stream connects but shows only a black screen, the likely cause is the per-packet overhead WireGuard adds, which pushes large packets over the path MTU. Lower the MTU in the [Interface] section on BOTH sides: MTU = 1280
- Firewall: Ensure your Home Server’s cloud firewall (AWS/GCP/Router) allows UDP 51820 (for WireGuard itself) AND the Sunshine ports (47984-48010) inbound.
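To confirm that the Phase 1 relay rules and the tunnel are actually in place, the following added example (not part of the original guide) checks `iptables-save` and `wg show` output on the home server. The ports and 10.10.10.2 come from the config above; the function names and the 180-second handshake threshold are assumptions. Without arguments it runs on a constructed sample; pass `--live` as root to check the real system.

```bash
#!/usr/bin/env bash
# Added example: relay checks. Function names and the 180 s limit are assumptions.
TCP_PORTS="47984 47989 47990 48010"
UDP_PORTS="47998 47999 48000"
TUNNEL_PEER="10.10.10.2"

# stdin: `iptables-save -t nat` text. Prints each port in $2 that has no
# PREROUTING DNAT rule for protocol $1 pointing at $TUNNEL_PEER.
# Only comma lists (multiport) and single ports are parsed, not ranges.
missing_dnat_ports() {
  local proto="$1" wanted="$2" covered port out=""
  covered=$(awk -v proto="$proto" -v dest="$TUNNEL_PEER" '
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
      p = ""; ports = ""; d = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-p") p = $(i + 1)
        if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
        if ($i == "--to-destination") d = $(i + 1)
      }
      if (p == proto && d == dest) { gsub(",", " ", ports); print ports }
    }')
  for port in $wanted; do
    case " $(echo $covered) " in
      *" $port "*) ;;
      *) out="$out $port" ;;
    esac
  done
  echo ${out# }
}

# stdin: `wg show wg0 latest-handshakes` text (public key, TAB, epoch seconds).
# Prints peers with no handshake yet or one older than $2 seconds at time $1.
stale_peers() {
  awk -v now="$1" -v max="$2" '$2 == 0 || now - $2 > max { print $1 }'
}

# Constructed sample (not captured output): the TCP rule lacks port 47990.
SAMPLE_NAT='-A PREROUTING -i eth0 -p tcp -m multiport --dports 47984,47989,48010 -j DNAT --to-destination 10.10.10.2
-A PREROUTING -i eth0 -p udp -m multiport --dports 47998,47999,48000 -j DNAT --to-destination 10.10.10.2'
if [ "${1:-}" = "--live" ]; then  # run as root on the home server
  nat=$(iptables-save -t nat)
  hs=$(wg show wg0 latest-handshakes)
else
  nat=$SAMPLE_NAT
  hs=$(printf 'CONSTRUCTED_PEER_KEY\t0')
fi
echo "TCP ports without DNAT: $(printf '%s\n' "$nat" | missing_dnat_ports tcp "$TCP_PORTS")"
echo "UDP ports without DNAT: $(printf '%s\n' "$nat" | missing_dnat_ports udp "$UDP_PORTS")"
echo "Stale peers: $(printf '%s\n' "$hs" | stale_peers "$(date +%s)" 180)"
```

An empty list on all three lines means every Sunshine port is forwarded into the tunnel and the Windows peer has completed a recent handshake.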
Using Rathole
Using rathole for better performance compared to frp: https://github.com/rathole-org/rathole
We will set up an example that forwards all traffic through the home server for Moonlight + Sunshine game streaming.
Home Server
server.toml
[server]
bind_addr = "0.0.0.0:2333" # The control port (replacing frp's 7000)
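# Required: rathole rejects any service that has no token; default_token applies to every service below.
# Replace with a long random value and use the same one in client.toml.
default_token = "my_secret_token"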
[server.services.sunshine-https]
bind_addr = "0.0.0.0:47984"
[server.services.sunshine-pin]
bind_addr = "0.0.0.0:47989"
[server.services.sunshine-web]
bind_addr = "0.0.0.0:47990"
[server.services.sunshine-rtsp]
bind_addr = "0.0.0.0:48010"
# --- UDP Services (Crucial for Streaming) ---
[server.services.sunshine-video]
type = "udp"
bind_addr = "0.0.0.0:47998"
[server.services.sunshine-control]
type = "udp"
bind_addr = "0.0.0.0:47999"
[server.services.sunshine-audio]
type = "udp"
bind_addr = "0.0.0.0:48000"
Run it:
./rathole server.toml
Host that needs to relay
client.toml
[client]
remote_addr = "lukaxzs.myaddr.io:2333" # Your home server address
default_token = "my_secret_token" # Required: must match the token in server.toml
[client.services.sunshine-https]
local_addr = "127.0.0.1:47984"
[client.services.sunshine-pin]
local_addr = "127.0.0.1:47989"
[client.services.sunshine-web]
local_addr = "127.0.0.1:47990"
[client.services.sunshine-rtsp]
local_addr = "127.0.0.1:48010"
# --- UDP Services ---
[client.services.sunshine-video]
type = "udp"
local_addr = "127.0.0.1:47998"
[client.services.sunshine-control]
type = "udp"
local_addr = "127.0.0.1:47999"
[client.services.sunshine-audio]
type = "udp"
local_addr = "127.0.0.1:48000"
Run it:
.\rathole.exe client.toml