This post describes an approach to let your Linux machine behind a NAT be reachable from the public internet, using a cheap VPS and Wireguard.
It's similar to this post in Ralph's Blog, but with with one distinction: it preserves the source IP of the incoming connection. This may be important depending on your use. For me, I was running a PHP web app for which I needed the $_SERVER["REMOTE_ADDR"] field to be the true and correct IP of the client, and not just the IP of the gateway that forwarded the traffic.
Values used in this example:
- 192.168.51.0/24 is the private VPN network between the cloud VPS host and the server you want to expose.
- 192.168.51.1 is the VPN network IP of the cloud VPS.
- 192.168.51.2 is the VPN network IP of the server you want to expose.
- 50.40.30.20 is the public IP of the cloud VPS.
- 59014 the UDP port number I randomly chose for WireGuard on the VPS.
- 80 and 443 are the TCP port numbers I want to forward from my VPS to my local server.
On the cloud VPS:
mkdir -p /etc/wireguard cd /etc/wireguard wg genkey | tee privatekey | wg pubkey > publickey chown 600 privatekey cat privatekey cat publickey # Replace the PrivateKey in the [Interface] section with the actual privatekey value generated above. # Replace the PublicKey in the [Peer] section with the publickey value you generate ON YOUR LOCAL SERVER in the later steps. cat > /etc/wireguard/wg0.conf <<EOF [Interface] Address = 192.168.51.1 PrivateKey = KF+X0SO2lkBFnxTCK4R5PCv/FC6+wgH6rt6wWHkVVHE= ListenPort = 59014 [Peer] PublicKey = y700qaTgjDjMrLc9tGF7+PKFrX7uHyIJJ/s2zvadKVY= AllowedIPs = 192.168.51.2/32 EOF chmod 600 wg0.conf # Start the VPN server wg-quick up wg0 echo 0 > /proc/sys/net/ipv4/ip_forward iptables -P FORWARD DROP iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.51.2 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.51.2 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward
On your local server, instead of using wg-quick, we will set up the interface a bit more manually. This is in order to have finer control over routing. We want connections originating on this server to exit via this server's normal internet connection, and not via the WireGuard VPN connection. However, packets part of TCP connections that got forwarded to us on the VPN from the VPS should be routed back via the VPS.
On your local server:
mkdir -p /etc/wireguard cd /etc/wireguard wg genkey | tee privatekey | wg pubkey > publickey chown 600 privatekey cat privatekey cat publickey # Replace the PrivateKey in the [Interface] section with the actual privatekey value generated above. # Replace the PublicKey in the [Peer] section with the publickey value you generated ON YOUR CLOUD VPS in the earlier steps. cat > /etc/wireguard/wg0.conf <<EOF [Interface] PrivateKey = YIOy80YJdcMqI1WCMROoyUfsfkc6GhP0KqRS3BfcoEs= [Peer] PublicKey = i1VQnnODEBbf+P9cyd9XmB9G58qEpM53TbMXn1UAJx8= Endpoint = 50.40.30.20:59014 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25 EOF chmod 600 wg0.conf # Set up VPN connection ip link add wg0 type wireguard wg setconf wg0 /etc/wireguard/wg0.conf ip address add 192.168.51.2 dev wg0 ip link set mtu 1420 up dev wg0 ip rule add from 192.168.51.2 table 51820 ip rule add iif wg0 table 51820 ip route add 192.168.51.0/24 dev wg0 ip route add 0.0.0.0/0 via 192.168.51.1 dev wg0 table 51820 # Shut down VPN connection (don't run these steps now, but keep them handy) ip rule delete from 192.168.51.2 table 51820 ip rule delete iif wg0 table 51820 ip link delete dev wg0
You should now be able to receive TCP traffic on port 80 and 443 on your local server, and the src IP address of the actual real client will be preserved all the way to your local server.
No comments:
Post a Comment