The main advantage of the method described in this post is that it preserves clients IP address, so the home server sees the real IP address of clients and can process them (e.g. block them in a firewall).
There are several posts on the internet on this topic however they are not complete, for example the method described in this post does not preserve IP address of clients and shows the wireguard server's IP address in requests instead.
Steps:
VPS Server:
1. Enable net.ipv4.ip_forward on the VPS
2. Wireguard config on the VPS server is simple and does not have anything special:
[Interface]
Address = 10.0.1.1
ListenPort = <Wireguard Listen Port>
PrivateKey = <Wireguard VPS Server Private Key>
# Home
[Peer]
PublicKey = <Wireguard on Home server Public Key>
AllowedIPs = 10.0.1.2/32
where 10.0.1.1 is the local IP address of wireguard on VPS server and 10.0.1.2 is the local IP address of wireguard on Home server behind NAT.
3. Now, to forward Traffic to the VPS server, you need to use the following rules in IP tables :
# To allow Forwarding IPs in IPtables:
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
# This rule can be used if it is not needed tp preserve clients IP
# iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# This rule is needed to provide internet to Home server when preserving clients IP
iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o eth0 -j MASQUERADE
# Forward TCP / UDP ports here to the server home
# TCP Public:8080 -> Home:443
iptables -t nat -A PREROUTING -p tcp -d VPS.Public.IP.Address --dport 8080 -j DNAT --to-destination 10.0.1.2:443
# TCP Public:8822 -> Home:22
iptables -t nat -A PREROUTING -p tcp -d VPS.Public.IP.Address --dport 8822 -j DNAT --to-destination 10.0.1.2:22
# UDP Public:5060 -> Home:5060
iptables -t nat -A PREROUTING -p udp -d VPS.Public.IP.Address --dport 5060 -j DNAT --to-destination 10.0.1.2:5060
# UDP Range Public:11000-11200 -> Home:11000-11200
iptables -t nat -A PREROUTING -p udp -d VPS.Public.IP.Address --dport 11000:11200 -j DNAT --to-destination 10.0.1.2:11000-11200
Home server in NAT:
Wireguard config on the Home server is a bit more tricky. [Interface]
PrivateKey = <Wireguard on Home server Private Key>
Address = 10.0.1.2
[Peer]
PublicKey = <Wireguard VPS Server Public Key>
# This rule will not preserve clients IP
# AllowedIPs = 10.0.1.1/24
# This rule will preserve clients IP:
# This is a Sample range, you need to use the script provided below to
# exclude you VPS IP / Local NAT IP from 0.0.0.0/0 range, then use it here
AllowedIPs = 128.0.0.0/1, 64.0.0.0/2, 32.0.0.0/3, 16.0.0.0/4, 0.0.0.0/5, 12.0.0.0/6, 10.0.0.0/7, 9.0.0.0/8, 8.128.0.0/9, 8.64.0.0/10, 8.32.0.0/11, 8.16.0.0/12, 8.0.0.0/13, 8.12.0.0/14, 8.10.0.0/15, 8.9.0.0/16, 8.8.128.0/17, 8.8.64.0/18, 8.8.32.0/19, 8.8.16.0/20, 8.8.0.0/21, 8.8.12.0/22, 8.8.10.0/23, 8.8.9.0/24, 8.8.8.128/25, 8.8.8.64/26, 8.8.8.32/27, 8.8.8.16/28, 8.8.8.0/29, 8.8.8.12/30, 8.8.8.10/31, 8.8.8.9/32
Endpoint = <VPS PUBLIC IP>:<Wireguard Listen Port>
PersistentKeepalive = 25
One can use AllowedIPs = 10.0.1.1/24 here with iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE rule in iptables of the VPS, this will let the home server to be accessible through the forwarded ports, however the home server will not see the real IP address of clients, and will see all requests coming from 10.0.1.1, the IP address of wireguard VPS instead.
To let the home server accessible through the Public IP address of VPS and make it see the real IP address of clients, it is required to route packets that arrive to server home to come back through wireguard. So basically we need to add all IP ranges to AllowedIPs Except VPS IP address and other local network addresses that we dont want to go through wireguard.
It is not possible to use AllowedIPs = 0.0.0.0/0 directly, as wireguard will not be able to connect to our VPS IP address then. We also don't want our Local NAT IP range to go through Wireguard. So we use the following Shell script to exclude our VPS IP/Local IP range from 0.0.0.0/0 range :
#!/bin/bash
echo "enter the broader range e.g. 176.0.0.0/4"
read r1
echo "enter the exclude ip e.g. 18.20.18.8/32"
read r2
pshell=`cat <<EOF
import ipaddress
n1 = ipaddress.ip_network('$r1')
n2 = ipaddress.ip_network('$r2')
l = list(n1.address_exclude(n2))
print(l)`
python3 -c "$pshell" | sed -e "s,IPv4Network(',,g" | sed -e "s,'),,g" | sed -e "s,\[,,g" | sed -e "s,\],,g"
No comments:
Post a Comment