I self-host some stuff at home for friends as some sort of all-in-one solution regarding gaming, so game servers and TS3 for voice communications.
As all services are served from my residential connection I now tried to add a VPS in the connection chain to obfuscate services — and primarily protect myself from potential DDoS’ing.
The VPS is connected via WireGuard to my Router/Firewall/Security Appliance or whatever you want to call it. If you need a sketch please tell me.
So I tried to redirect traffic that is coming into my VPS to go to my local router using iptables rules, but whenever one tries to connect (via FQDN) there is just an error. Checking the server logs shows that the traffic isn't redirected, so the TS3 client tries to connect to an instance on the VPS - which obviously does not exist, as it should be a forwarding proxy to my internal servers.
I’ve created the following iptables rules setup on the VPS:
iptables -t nat -A PREROUTING -p udp --dport 9987 -j DNAT --to-destination 10.21.251.1:9987
iptables -t nat -A PREROUTING -p tcp --dport 10011 -j DNAT --to-destination 10.21.251.1:10011
iptables -t nat -A PREROUTING -p tcp --dport 30033 -j DNAT --to-destination 10.21.251.1:30033
iptables -A FORWARD -p udp --dport 9987 -d 10.20.30.1 -j ACCEPT
iptables -A FORWARD -p udp --dport 10011 -d 10.20.30.1 -j ACCEPT
iptables -A FORWARD -p udp --dport 30033 -d 10.20.30.1 -j ACCEPT
In the forwarding chain I also see that 12 packets and 1496 bytes were sent.
However, the client logs only show the internet-facing IP of my VPS, nothing about my internal network:
|INFO |ClientUI |1 |Connect status: Connecting
|INFO |PktHandler |1 |server sent ciphers:1
|INFO |PktHandler |1 |Selected cipher:0
|DEVELOP |PktHandler |1 |Puzzle solve time: 6
|INFO |ClientUI |1 |Connect status: Connected
|INFO |ClientUI |1 |Connect status: Establishing connection
|INFO |ClientUI |1 |Connect status: Connection established
|INFO | | |requested new mytsid data
|INFO |ClientUI |1 |Connect status: Disconnected
|INFO |ClientUI |1 |Disconnected or forced to leave, want autoreconnect = 0
|INFO |ClientUI |1 |Connect to server: sub.domain.fqdn
|INFO |ClientUI |1 |Trying to resolve sub.domain.fqdn
|INFO |TSDNS | |A/AAAA DNS resolve for possible TSDNS successful, "domain.fqdn" =(h: 203.0.113.5 p:0)
|INFO |TSDNS | |A/AAAA DNS resolve for possible TSDNS successful, "sub.domain.fqdn" =(h: 203.0.113.70 p:0)
|INFO |TSDNS | |A/AAAA DNS resolve successful, "sub.domain.fqdn" =(h: 203.0.113.70 p:0)
|INFO |TSDNS | |SRV DNS resolve unsuccessful, "_ts3._udp.sub.domain.fqdn" Domain name not found
|INFO |TSDNS | |SRV DNS resolve unsuccessful, "_tsdns._tcp.domain.fqdn" Domain name not found
|INFO |TSDNS | |TSDNS queried unsuccessfully 203.0.113.5:41144
|INFO |TSDNS | |No TSDNS found
|INFO |TSDNS | |TSDNS queried unsuccessfully 203.0.113.70:41144
|INFO |TSDNS | |No TSDNS found
|INFO |ClientUI |1 |Lookup finished: ip=203.0.113.70 port=9987 query=sub.domain.fqdn error=0
|INFO |ClientUI |1 |Resolve successful: 203.0.113.70:9987
|INFO |ClientUI |1 |Initiating connection: 203.0.113.70:9987
|INFO |ClientUI |1 |Connect status: Connecting
|INFO |ClientUI |1 |Connect status: Disconnected
|INFO |ClientUI |1 |Failed to connect to server, want autoreconnect = 0
I changed the log entries a little bit; removed the timestamps and anonymised domain and IPs.
domain.fqdn is my domain
sub.domain.fqdn is the subdomain I am using for the VPS
203.0.113.5 is the IP of my domain
203.0.113.70 is the IP of my VPS
10.20.30.1 is the IP of my local WireGuard peer
At my domain’s registrar I just added a single CNAME entry, no SRV or TSDNS stuff, just to clarify.
Any ideas why the traffic does not get redirected to my local stuff or what I should change to achieve my goal?
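The following is an added example of a complete VPS-side forwarding setup of the kind the post describes (DNAT on the public interface, FORWARD acceptance, and the pieces a relay like this also needs: IP forwarding, a conntrack rule for return traffic, and source NAT towards the tunnel). It is not the poster's configuration. Interface names eth0 and wg0 are assumptions; the tunnel peer address and ports are taken from the post. The script prints the iptables commands by default so they can be reviewed, and only runs them with --apply. It keeps the DNAT target, the FORWARD destination and the protocol consistent per service, which is where hand-written rule sets most often drift apart.

```shell
#!/bin/sh
# Added example, not the original post's rules: forward selected public ports on a
# VPS to a WireGuard peer at home. Interface names are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # assumption: public interface of the VPS
WG_IF="${WG_IF:-wg0}"               # assumption: WireGuard interface on the VPS
WG_PEER="${WG_PEER:-10.20.30.1}"    # home router's tunnel address (from the post)
VPS_PUB="${VPS_PUB:-203.0.113.70}"  # public VPS address (from the post)

# proto:port pairs from the post. Each FORWARD rule below matches the same
# protocol and destination as its DNAT rule, so the pairs stay in sync.
SERVICES="udp:9987 tcp:10011 tcp:30033"

# Emit the two rules for one service instead of executing them.
rules_for() {
    proto=${1%%:*}; port=${1##*:}
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$VPS_PUB" "$proto" "$port" "$WG_PEER" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$WG_IF" "$proto" "$WG_PEER" "$port"
}

# Rules needed once, independent of how many services are forwarded.
common_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Replies belonging to forwarded connections.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Source-NAT packets leaving through the tunnel so the home router answers
    # back through the tunnel. Without this, the reply is routed via the home
    # ISP link with the home public IP as source, which breaks the connection
    # and exposes the address the relay was meant to hide.
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WG_IF"
}

all_rules() {
    common_rules
    for svc in $SERVICES; do
        rules_for "$svc"
    done
}

# Number of emitted commands: 3 common + 2 per service.
rule_count() { all_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    all_rules | sh -e      # assumption: run as root on the VPS
else
    all_rules
fi
```

One consequence of the MASQUERADE rule is that the home TS3 server sees every client as the VPS tunnel address, so per-IP bans on the server side lose their meaning; the alternative is to skip SNAT and instead add a policy route on the home router that sends replies for connections arriving over the tunnel back into the tunnel.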