You are reading content from Scuttlebutt
@Hendrik Peter %GY+LomceJyUAgHRd2bYtKr8tL4kU67N7CLeTdYAmzpo=.sha256
Re: %d6flNRxg+

SSH

So I started of by just reverse-tunneling in SSH.

You basically put a random VPS somewhere in the cloud, toggle GatewayPorts yes in /etc/ssh/sshd_config and then:

ssh -R 3001:localhost:3001 -R 3002:localhost:3002  user@server

The downside of using reverse tunnels is that SSH is TCP-only. So all my UDP toys remained offline.

OpenVPN

I ended up installing openVPN using the git.io/vpn script, which is super well described in this article by Vivek Gite.

There are some things you need to do after the installation (before rebooting the server):
As long as you use each client certificate on one connected client (so make different certificates by re-executing the setup script for each different connected client) that client will always have the same IP-address assigned to them.

Connect your first client, then with that client connected execute sudo systemctl stop openvpn@server on the VPN server. ending the server process will create a file /etc/openvpn/server/ipp.txt which contains (and locks) whatever clients were connected to that IP-Address.

Toggle port-forwarding on on the VPN server by executing

sudo sysctl net.ipv4.ip_forward

Reconnect your first VPN client and add your first port-forwarding rule (make sure to put all the port forwarding rules in a txt file somewhere since you need to execute the exact same command (replacing the -A with -D) to remove these forwarding rules later.

sudo iptables -t nat -A PREROUTING -p tcp -d "your-vpn-public-ip" --dport 80 -j DNAT --to-destination 10.8.0.2:80
sudo iptables -t nat -A PREROUTING -p tcp -d "your-vpn-public-ip" --dport 443 -j DNAT --to-destination 10.8.0.2:443
sudo iptables -t nat -A PREROUTING -p tcp -d "your-vpn-public-ip" --dport 8008 -j DNAT --to-destination 10.8.0.2:8008
sudo iptables -t nat -A PREROUTING -p udp -d "your-vpn-public-ip" --dport 8008 -j DNAT --to-destination 10.8.0.2:8008

(where 10.8.0.2 is the default address of the first connected client)

The first 2 on this list are your default port 80 and 443 web ports, the last 2 are an example for ssb-rooms
then if you want to add a port-range to your VPN-client MOSH server you can add (where port 1875 is the example ssh port of your client):

sudo iptables -t nat -A PREROUTING -p tcp -d "your-vpn-public-ip" --dport 1875 -j DNAT --to-destination 10.8.0.2:22
sudo iptables -t nat -A PREROUTING -p udp -d "your-vpn-public-ip --dport 60000:61000 -j DNAT --to-destination 10.8.0.2:60000-61000

After you've added your Port forwarding rules make sure to store the basic-vpn rules that were added in the installation as well as your custom port forwarding rules in a permanent store (iptables are wiped between reboots):

sudo apt-get install iptables-persistent
sudo -i
/sbin/iptables-save > /etc/iptables/rules.v4
exit

From here you can go 2 paths when it comes to "masquerading" each option here has its advantages and disadvantages:

If you want the client that connects to the VPN to download data and connect to the internet outside of the VPN (so browse the internet, download data and system updates without tunneling it all through the VPN) then you can execute:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo -i
/sbin/iptables-save > /etc/iptables/rules.v4
exit

If you do this, then all incoming packages of internet traffic get rewritten to have the source-ip of your VPN server.

Then on the client-side open the certificate and add the following 2 rows:

vpn-bigloop.png

This first line will turn all traffic tunneling off and then the second line will emit all traffic from the VPN internal network back into the VPN internal network.

There are 2 drawbacks with this solution:

  • Since package headers are rewritten all traffic sources are 10.8.0.1. This will hurt if you rate-limit (ssh access for example) by ip-address.
  • If you port-forward 80 and 443 and turn on MASQUERADE on, then the VPN server itself won't be able to download stuff anymore. so you need to turn masquerade off (and hit your connected clients with extra down-time) every time you want to perform system updates.

If you're okay with routing all client traffic through the VPN

then do nothing or turn POSTROUTING -j MASQUERADE off and revert the changes to your client config.

The drawback here is that everything your client does on the internet will add some extra strain on your VPN connection and system updates on the client side will be a bit slower since you're dealing with the extra hop.
(I've chosen this option for my VPN, since I do like to rate-limit ssh attempts, etc.)

Join Scuttlebutt now
AGPLv3 © ssb-viewer 38c61a5