Dear ServerFault community,
I have recently bought a home server. I did not want to host any content on my office IP (1.1.1.1), and therefore bought an OVH VPS with 4 IPs and created a WireGuard tunnel to use the VPS's IP as the home server IP.
OVH VPS also forwards all the ports to my homeserver.
I am currently using 2 of the 4 OVH VPS IPs (2.2.2.2 and 3.3.3.3).
I created two WireGuard tunnels on the VPS on different subnets. One on 10.0.0.0 and one on 10.1.0.0.
My aim was to achieve a config so that listening on 10.0.0.2 would resolve to 2.2.2.2, and listening on 10.1.0.2 would resolve to 3.3.3.3.
This does work for the first tunnel and for the second tunnel when running by themselves with AllowedIPs = 0.0.0.0/0.
The problem is that when running together with AllowedIPs = 0.0.0.0/0, the internet connection stops.
I tried changing WG1's AllowedIPs to 10.1.0.0/24, but then WG1 has no working internet connection.
Here are my configuration files:
Server WG0 (OVH VPS):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51821
PrivateKey = {CENSORED}
### Client vpn
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.0.0.2/32
Server WG1 (OVH VPS):
[Interface]
Address = 10.1.0.1/24
ListenPort = 51822
PrivateKey = {CENSORED}
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.1.0.2/32
OVH VPS' IPTables configuration:
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*filter
:INPUT ACCEPT [1698:235639]
:FORWARD ACCEPT [1053:163056]
:OUTPUT ACCEPT [1451:166474]
:f2b-sshd - [0:0]
COMMIT
# Completed on Tue May 31 15:25:37 2022
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*nat
:PREROUTING ACCEPT [435:15811]
:INPUT ACCEPT [428:15399]
:OUTPUT ACCEPT [32:2255]
:POSTROUTING ACCEPT [119:6298]
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
COMMIT
# Completed on Tue May 31 15:25:37 2022
Homeserver WG0 configuration:
[Interface]
PrivateKey = {CENSORED}
Address = 10.0.0.2/32
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 2.2.2.2:51821
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.0.0.0/24
Homeserver WG1 configuration:
[Interface]
PrivateKey = {CENSORED}
Address = 10.1.0.2/32
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 3.3.3.3:51822
AllowedIPs = 10.1.0.0/24
With my current (pasted here) configuration I can bind (for example Apache2) to 10.0.0.2 and it correctly resolves and allows people to access the server from 2.2.2.2, but when I bind to 10.1.0.2, the IP address 3.3.3.3 is not accessible from the internet on any port and the interface WG1 has no internet connection (e.g. when attempting curl --interface wg1 ifconfig.co).
Thank you in advance for your time and help!
Best Answer
The simplest thing to do would be to add masquerading to your VPS's iptables rules -- that would rewrite the source address of packets forwarded to your Homeserver to use the IP address of the VPS's WireGuard interface through which the packets were forwarded (10.0.0.1 for wg0, and 10.1.0.1 for wg1). This allows your Homeserver to use the routes wg-quick sets up in your default routing table to send traffic back through the correct interface.

To do that, add the following POSTROUTING rules to the end of your VPS's iptables config:

Then for your Homeserver's wg0.conf, use this for the VPS peer:

And for your Homeserver's wg1.conf, use this for the VPS peer:

However, if you need to preserve the original source IP addresses of external packets (like for logging or authentication etc on your Homeserver), masquerading won't work for you. Instead, you need to add some custom policy routing rules for custom route tables on your Homeserver that will send packets back from services bound to 10.0.0.2 through wg0, and 10.1.0.2 through wg1.

To do that, change your Homeserver's wg0.conf to this:

And your Homeserver's wg1.conf to this:
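The listings the answer refers to are not on this page. The script below is an added example of my own, not the answer's own snippets, showing what both variants look like as concrete iptables-save lines and wg-quick files: the masquerade rules for the VPS, and homeserver configs that use a per-tunnel route table plus "ip rule" entries so that anything sourced from 10.0.0.2 leaves through wg0 and anything from 10.1.0.2 through wg1. It assumes (none of this is stated on the page) the interface names wg0/wg1 on both ends, route table numbers 100 and 101, the same {CENSORED} key placeholders as the question, and a PersistentKeepalive to hold the home NAT mapping open. The functions only print text; nothing here touches the running system.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumed names: wg0/wg1 on both
# ends, route tables 100/101, {CENSORED} key placeholders as in the question.
set -eu

# --- Option 1: masquerade on the VPS ---------------------------------------
# Forwarded packets leaving the VPS through wg0/wg1 get the VPS-side tunnel
# address (10.0.0.1 / 10.1.0.1) as source, so the homeserver's plain
# 10.x.0.0/24 routes already send replies back through the right tunnel.
# Output is iptables-save style, to be appended to the *nat section.
vps_masquerade_rules() {
    cat <<'EOF'
-A POSTROUTING -o wg0 -j MASQUERADE
-A POSTROUTING -o wg1 -j MASQUERADE
EOF
}

# Homeserver config for option 1: only the tunnel subnet is routed through
# each interface, so the two tunnels no longer compete for 0.0.0.0/0.
# $1 = local tunnel address, $2 = VPS endpoint host:port, $3 = tunnel subnet
homeserver_conf_masquerade() {
    cat <<EOF
[Interface]
PrivateKey = {CENSORED}
Address = $1/32

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = $2
AllowedIPs = $3
PersistentKeepalive = 25
EOF
}

# --- Option 2: policy routing on the homeserver ----------------------------
# External client IPs are preserved (no masquerade). wg-quick puts the
# 0.0.0.0/0 route for each tunnel into its own table ("Table = N"), so the
# main table and the two tunnels do not interfere. The "from" rule routes
# replies from services bound to the tunnel address; the "oif" rule covers
# sockets bound to the device name (curl --interface wg1). Endpoint traffic
# to 2.2.2.2/3.3.3.3 still follows the main table.
# $1 = interface, $2 = local tunnel address, $3 = VPS endpoint, $4 = table id
homeserver_conf_policy() {
    cat <<EOF
[Interface]
PrivateKey = {CENSORED}
Address = $2/32
Table = $4
PostUp = ip -4 rule add from $2/32 lookup $4 priority $4
PostUp = ip -4 rule add oif $1 lookup $4 priority $4
PreDown = ip -4 rule del from $2/32 lookup $4 priority $4
PreDown = ip -4 rule del oif $1 lookup $4 priority $4

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = $3
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Usage: sh wg-split-egress.sh render   (prints the snippets; install by hand)
if [ "${1:-}" = "render" ]; then
    echo '# VPS: append to the *nat section of the iptables config'
    vps_masquerade_rules
    echo; echo '# Homeserver /etc/wireguard/wg0.conf (option 2)'
    homeserver_conf_policy wg0 10.0.0.2 2.2.2.2:51821 100
    echo; echo '# Homeserver /etc/wireguard/wg1.conf (option 2)'
    homeserver_conf_policy wg1 10.1.0.2 3.3.3.3:51822 101
fi
```

Option 1 only fixes the return path for inbound, DNAT'd connections; a socket bound to 10.1.0.2 that opens outbound connections still has no default route through wg1 and needs the option 2 rules. After bringing wg1 up with option 2, "ip rule show" should list the two table-101 rules and "ip route show table 101" a single "default dev wg1"; "curl --interface 10.1.0.2 ifconfig.co" should then report 3.3.3.3, provided the VPS SNAT rules for 10.1.0.2 cover the source port in use.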