Accessing OH2 server behind NAT, from VPS

Not sure what this is called or how to do it so forgive me in advance please.

I have an account with Digital Ocean (DO) and have set up an Algo server on one of their “Droplets”, and assigned their provided [static] “floating IP” to it. Let's call this server fIP.

  • The DO Droplet is running Ubuntu 18.
  • The Droplet has its public IP on eth0.
  • DO has assigned one of their [static] floating IPs, fIP, to the Droplet.
  • The Droplet has ufw installed but disabled.
  • The Droplet has the Algo (WireGuard) VPN server installed to create my VPS.
  • The VPN is on interface wg0, on both servers and all clients.
  • I have three VPN clients, all behind NAT (my ISP router at home); these are “Pi”, “Mobile” and “Laptop”. The VPN IDs for these are 10.19.45.x.
  • I edited the Droplet’s /etc/hosts to declare the VPN IPs for the three clients, of the form 10.19.45.x, and all are reachable from the VPS through the VPN.
  • My cellular Mobile (hostname “mobile”) is running WireGuard as a client.
  • My mobile is using the JuiceSSH app…

Questions

  1. Trying to access my OH2 server, my mobile can ssh into my VPS at fIP either when the mobile is IN or OUTSIDE the VPN (i.e. mobile WireGuard client deactivated OR activated). Doesn’t sound secure?

  2. Bizarrely, “mobile” can ssh into my LAN “Pi” ssh server via the VPS ssh server, even when WireGuard is not running on the mobile (doesn’t sound right). This LAN ssh server is also my OpenHAB server.

  3. My OpenHAB server (also VPN client to VPS) is running on my LAN and accepting http on port 8080… On my LAN it has the IP 192.168.1.5 on eth0. On the VPN it has address 10.19.45.2 on wg0.
    Using Algo or WireGuard, how do I route fIP:8080 on my cloud VPS, through the VPN, to VPN client 10.19.45.2:8080?

  4. My ssh doesn't sound right, does it?

I've no idea what files this config occurs in for the various services, so please ask and I will post.

Thanks in advance.

Phew!
My head hurts.
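One way to do the port forward asked about in question 3, as an added example that is not part of the original post and not Algo's own rule set: a POSIX shell script that builds the iptables and sysctl commands which take TCP connections arriving on the Droplet's public interface (eth0) at port 8080 and DNAT them through wg0 to the OpenHAB VPN client at 10.19.45.2:8080. The interface names, VPN address and ports come from the post. Two things are assumptions: the rule matches on the ingress interface and port rather than on the floating IP address itself (so it stays correct however the provider delivers fIP traffic to eth0), and the reply path is forced back through the tunnel by masquerading the forwarded connection behind the VPS's wg0 address.

```shell
#!/bin/sh
# Added example (not from the original post or from Algo): generate the
# commands that forward eth0:8080 through wg0 to the OpenHAB client 10.19.45.2:8080.
# Interface names, the client address and the ports follow the post.
#
# Usage:  sh forward-openhab.sh            # print the commands (dry run)
#         sh forward-openhab.sh --apply    # run them as root on the Droplet

WAN_IF="${WAN_IF:-eth0}"            # Droplet's public interface (from the post)
VPN_IF="${VPN_IF:-wg0}"             # WireGuard interface (from the post)
PUBLIC_PORT="${PUBLIC_PORT:-8080}"  # port exposed on the public IP
TARGET_IP="${TARGET_IP:-10.19.45.2}"  # OpenHAB client's VPN address (from the post)
TARGET_PORT="${TARGET_PORT:-8080}"  # OpenHAB HTTP port on the client

# valid_ipv4 A.B.C.D -> returns 0 only for a dotted quad with octets 0..255
valid_ipv4() {
  oldIFS=$IFS; IFS=.
  set -- $1
  IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# valid_port N -> returns 0 only for an integer in 1..65535
valid_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules -> prints the commands, one per line, in the order to run them.
# Only the single forwarded port is admitted through FORWARD; everything else
# crossing eth0 <-> wg0 is left to whatever policy the Droplet already has.
forward_rules() {
  valid_ipv4 "$TARGET_IP" || { echo "bad target IP: $TARGET_IP" >&2; return 1; }
  valid_port "$PUBLIC_PORT" && valid_port "$TARGET_PORT" \
    || { echo "bad port" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -d $TARGET_IP -p tcp --dport $TARGET_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $TARGET_IP -p tcp --sport $TARGET_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $VPN_IF -d $TARGET_IP -p tcp --dport $TARGET_PORT -j MASQUERADE
EOF
}

# rule_count -> number of commands produced (quick sanity check)
rule_count() { forward_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  forward_rules | while IFS= read -r cmd; do
    echo "+ $cmd"; sh -c "$cmd"
  done
else
  forward_rules
fi
```

The POSTROUTING MASQUERADE is what makes this work for a client behind NAT: without it the Pi would see the internet visitor's real source address and route its reply out of its home router instead of back into the tunnel, so the connection would never complete. The cost is that OpenHAB's own logs then show the VPS's wg0 address for every visitor. Two checks before relying on it: OpenHAB on the Pi must be listening on 0.0.0.0 or on its wg0 address, not only on 192.168.1.5, and these rules are not persisted across reboots, so they need re-running at boot or adding to whatever rule set the Droplet already loads. Note also that this puts the OpenHAB HTTP interface on a public address, with ufw disabled on the Droplet as described, so nothing other than these rules filters what reaches it.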