
As my provider does not give me a public IPv4 address, I am using a VPS combined with a WireGuard tunnel to make my homeserver reachable from the Internet (via IPv4 and IPv6).

On my homeserver, the traffic arrives first on a reverse proxy (Traefik). Currently, I am using rinetd to forward the incoming traffic of port 80/443 on the VPS to the WireGuard IP address of my homeserver (10.10.0.2). This works but has the problem that the source IP of the packets is always the WireGuard IP of my VPS (10.10.0.1). This is a known limitation of rinetd (https://manpages.ubuntu.com/manpages/bionic/man8/rinetd.8.html).

Plan: Internet <-> (ens192) VPS (wg1) <-> (wg1) homeserver

Solution:

For anyone having this problem at a later point, here is the solution.

iptables config on the VPS:

iptables -I FORWARD -d 10.10.0.2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -s 10.10.0.2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination 10.10.0.2:80
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination 10.10.0.2:443
iptables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]

ip6tables -I FORWARD -d fdb0:926d:918e::2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -I FORWARD -s fdb0:926d:918e::2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination [fdb0:926d:918e::2]:80
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination [fdb0:926d:918e::2]:443
ip6tables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]

On the homeserver, configure routing:

ip -4 route add default dev wg1 table 4242
ip -6 route add default dev wg1 table 4242

ip -4 rule add pref 500 from 10.10.0.2 lookup 4242
ip -6 rule add pref 500 from fdb0:926d:918e::2 lookup 4242

and also configure the WireGuard AllowedIPs to allow all IPs, except the local (home) network and the public IPv4 and IPv6 of my VPS.
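The following is an added example, not code from the original question or answer. It generates the VPS forwarding rules and the homeserver policy-routing commands from the values in the post (ens192, wg1, 10.10.0.2, fdb0:926d:918e::2, table 4242) and computes the AllowedIPs list described in the last step, which is the non-obvious part: WireGuard takes a list of prefixes, so "everything except the home LAN and the VPS public addresses" has to be expanded into the prefixes that tile the address space around the exclusions. Python is used for that computation via the standard ipaddress module. The VPS public addresses and the home LAN prefix are constructed placeholders from the documentation ranges. Compared with the rules in the post, the FORWARD and SNAT rules are additionally restricted to the WAN and tunnel interfaces and to the homeserver's tunnel address; the script prints the commands rather than applying them.

```python
import ipaddress

# Values taken from the thread
WAN_IF = "ens192"
WG_IF = "wg1"
HOME4 = "10.10.0.2"
HOME6 = "fdb0:926d:918e::2"
TABLE = 4242
PORTS = (80, 443)

# Constructed placeholders (documentation ranges); replace with real values
VPS_PUB4 = "203.0.113.10"
VPS_PUB6 = "2001:db8::10"
HOME_LAN = "192.168.178.0/24"


def vps_rules(pub4, pub6):
    """iptables/ip6tables commands for the VPS.

    DNAT only matches packets that arrive on the WAN interface addressed to the
    VPS public IP, so the VPS's own outgoing HTTP(S) connections are not
    rewritten. FORWARD accepts only DNATed flows and their replies. No SNAT is
    applied on the tunnel side, so the client's source address reaches the
    homeserver; the homeserver's policy routing sends the replies back via wg1.
    """
    families = (
        ("iptables", pub4, HOME4, HOME4),
        ("ip6tables", pub6, HOME6, f"[{HOME6}]"),
    )
    out = []
    for ipt, pub, home, dst in families:
        for port in PORTS:
            out.append(f"{ipt} -t nat -I PREROUTING -i {WAN_IF} -d {pub} -p tcp "
                       f"--dport {port} -j DNAT --to-destination {dst}:{port}")
        out.append(f"{ipt} -I FORWARD -i {WAN_IF} -o {WG_IF} -d {home} -p tcp "
                   f"-m conntrack --ctstate DNAT -j ACCEPT")
        out.append(f"{ipt} -I FORWARD -i {WG_IF} -o {WAN_IF} -s {home} -p tcp "
                   f"-m conntrack --ctstate ESTABLISHED -j ACCEPT")
        # Only affects connections the homeserver itself opens towards the
        # Internet via the VPS; replies to DNATed flows are un-NATed by
        # conntrack, so this rule never touches them.
        out.append(f"{ipt} -t nat -A POSTROUTING -o {WAN_IF} -s {home} "
                   f"-j SNAT --to-source {pub}")
    return out


def home_routing():
    """Policy routing on the homeserver: anything sourced from the tunnel
    address (i.e. replies to forwarded connections) leaves via wg1."""
    return [
        f"ip -4 route add default dev {WG_IF} table {TABLE}",
        f"ip -6 route add default dev {WG_IF} table {TABLE}",
        f"ip -4 rule add pref 500 from {HOME4} lookup {TABLE}",
        f"ip -6 rule add pref 500 from {HOME6} lookup {TABLE}",
    ]


def allowed_ips(excluded):
    """Return the prefixes covering all of IPv4 and IPv6 except `excluded`.

    Each exclusion is carved out of whichever remaining prefix contains it;
    ipaddress.address_exclude yields the prefixes that tile the rest of it.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        nxt = []
        for net in remaining:
            if net.version == ex.version and ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))   # empty if net == ex
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def covered(nets, addr):
    """True if `addr` falls inside any prefix in `nets`."""
    a = ipaddress.ip_address(addr)
    return any(a.version == n.version and a in n for n in nets)


def allowed_ips_line(nets):
    """Format the prefixes as the AllowedIPs line for the [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    print("# VPS")
    print("\n".join(vps_rules(VPS_PUB4, VPS_PUB6)))
    print("\n# homeserver")
    print("\n".join(home_routing()))
    print("\n# homeserver wg1 [Peer] section")
    print(allowed_ips_line(allowed_ips([HOME_LAN, VPS_PUB4, VPS_PUB6])))
```

The AllowedIPs exclusion of the VPS public addresses matters because the WireGuard endpoint itself must not be routed into the tunnel; excluding the home LAN keeps local traffic off the tunnel. The generated list is long (a few dozen prefixes per family), which is normal for a "full tunnel minus a few networks" configuration.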


Following this, I was able to make my homeserver available using iptables, but the source IP was still only 10.10.0.1.

Because you added an SNAT rule to force the source IP, I would assume. The tutorial tells you to apply SNAT so that the homeserver would be tricked into correctly replying via the same WireGuard tunnel, instead of sending its replies to WAN IPs directly towards its regular default route. (Without it, clients would attempt to talk to your VPS IP but receive replies from your ISP public IP.)

Remove the SNAT rule from iptables of the VPS, then set up policy routing on the homeserver as an alternative, as documented in a few past threads. Use either ip rule or systemd-networkd's [RoutingPolicyRule] to ensure that if the replies are coming from the homeserver's WireGuard IP, they will be routed via WireGuard as well. (It might be useful to specify wg-quick's Table= option here, then you could create a rule that just references the table that wg-quick creates.)

  • Thank you for your reply, I think I found and applied what you have said, I am not sure if I did it correctly though. I updated my original post if you want to have a look. Commented Apr 3, 2023 at 9:44
  • Your remaining DNAT (port forwarding) rules seem to be missing any -d <ip> or -i <iface> check, so they accidentally catch outgoing HTTP connections as well, not just incoming ones. Limit them to only packets sent to the VPS's public IP, and/or arriving via the VPS's eth0 (ens192) interface. Commented Apr 3, 2023 at 9:48
  • (As for the "FORWARD" rules, I think those look okay, but I'd recommend using the typical --ctstate ESTABLISHED to permit all reply packets without the need for an explicit --sport rule for each port – and would probably try collapsing the individual --dport rules into a single --ctstate DNAT to automagically permit all packets that have gone through a DNAT rule.) Commented Apr 3, 2023 at 9:51
  • Thanks for your reply, I don't quite understand which rule to modify how yet. The iptables -t nat -I PREROUTING -p tcp -d <VPSpublicip> -i ens192 --dport 80 -j DNAT --to-destination 10.10.0.2:80 rule should be like this I guess, and the dport rules should be replaced by a single iptables -I FORWARD -d 10.10.0.2 -p tcp --ctstate DNAT -j ACCEPT and for the sport: iptables -I FORWARD -s 10.10.0.2 -p tcp --ctstate ESTABLISHED -j ACCEPT Commented Apr 3, 2023 at 16:39
  • Can't edit my previous comment, but I forgot the -m conntrack Commented Apr 3, 2023 at 16:51
