TorGuard/Wireguard/port forwarding

Hello. I’m a novice at VPNs and have a little experience with port forwarding, so excuse anything stupid written here.

I have a GL-AR750S purchased as a travel router to be connected by USB to my phone as hotspot. For that, it works well.

At home, I’m testing T-Mobile High Speed Internet. As T-Mobile uses CGNAT and their internal network is IPv6 only, I cannot forward ports to my home server. As a workaround, I opened a TorGuard VPN account to create a public IPv4 address outside the T-Mobile network.

My goal is to forward traffic from the VPN public address to TCP 443 and UDP 3389 and 3391 on my server, and all other internal clients will use the router firewall through the WAN. I really don’t care about VPN functionality in terms of security. It’s just a way to create a tunnel through T-Mobile.

I set up a WireGuard client connection on the AR750S to create a tunnel from TorGuard. I haven’t tested it fully, but for the sake of this topic, assume it works and I can forward ports from the static IP provided by them to the AR750S.

One of the features I see on the AR750S setup is to restrict use of the VPN to specific MAC addresses. That’s what I prefer to do. If I do that, are ports forwarded by TorGuard further filtered by the firewall on the AR750S? E.g., if I forwarded everything (unrestricted) through the tunnel to the router, does the router then forward the specified ports only to the MAC that routes through the VPN, block all VPN traffic to other MAC addresses, and let the other MACs use the WAN normally?

Thanks for your patience and assistance.

The VPN policy (allowing use of the VPN for specific MAC addresses) is for outgoing traffic.

For port forwarding, you need to set it up for each device. If you do not set up port forwarding for one server, it is not accessible.

The VPN policy (allowing use of the VPN for specific MAC addresses) is not outgoing traffic.

Does the fact that the VPN policy is only for incoming traffic mean all outgoing traffic always goes through the VPN?

Sorry, typo.

VPN policy is only for outgoing traffic.

OK, makes sense. If I set up the AR750S as a WireGuard client and the VPN server forwards ports, are those ports filtered further by the AR750S firewall? Am I correct in my understanding that they are, and that I have to forward those ports on to specific internal IP addresses and ports?

TorGuard won’t forward ports below 2048. I want access to 443 from the public IP address created by TorGuard. If I forward TCP 4430 from TorGuard to my router, I can then forward TCP 4430 to TCP 443 on my server, correct?

Also, the server I’m trying to make available includes a DDNS service. If I limit VPN use to that server, will the DDNS be set to use the public IP of the VPN?

Port forwarding will work regardless of your VPN and VPN policy.

Yes, you can port forward from 4430 to 443.

DDNS from the VPN service provider?
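As an added illustration (not GL.iNet, TorGuard or this thread's own configuration), this is the kind of OpenWrt `/etc/config/firewall` fragment that expresses the router-side half of what was agreed above: the AR750S firmware is OpenWrt-based, the WireGuard client interface is assumed to sit in a zone named `wgclient`, and the home server is assumed to be `192.168.8.100`.

```uci
# Added example: OpenWrt firewall fragment for DNAT from the TorGuard tunnel to one LAN host.
# Assumptions (hypothetical): WireGuard client interface and zone are both named 'wgclient';
# the server that should be reachable is 192.168.8.100 on the 'lan' zone.

config zone
    option name 'wgclient'
    list network 'wgclient'
    option input 'REJECT'      # nothing arriving through the tunnel reaches the router itself
    option output 'ACCEPT'
    option forward 'REJECT'    # no blanket tunnel->LAN forwarding; only the redirects below
    option mtu_fix '1'         # clamp TCP MSS to the tunnel MTU

# TorGuard will not forward ports below 2048, so the public side listens on 4430
# and the router rewrites it to 443 on the server. Only this host, only this port.
config redirect
    option name 'https-via-vpn'
    option src 'wgclient'
    option src_dport '4430'
    option proto 'tcp'
    option dest 'lan'
    option dest_ip '192.168.8.100'
    option dest_port '443'
    option target 'DNAT'

config redirect
    option name 'udp-3389-via-vpn'
    option src 'wgclient'
    option src_dport '3389'
    option proto 'udp'
    option dest 'lan'
    option dest_ip '192.168.8.100'
    option dest_port '3389'
    option target 'DNAT'

config redirect
    option name 'udp-3391-via-vpn'
    option src 'wgclient'
    option src_dport '3391'
    option proto 'udp'
    option dest 'lan'
    option dest_ip '192.168.8.100'
    option dest_port '3391'
    option target 'DNAT'
```

One check worth doing after applying it: the server's replies must leave through the tunnel, not the T-Mobile WAN, so the server's MAC has to be the one selected by the VPN policy (or be policy-routed into the tunnel some other way); if its default route is still the WAN, the forwarded connections will fail even though the DNAT rules are correct.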