I self-host some stuff at home for friends as some sort of all-in-one solution regarding gaming, so game servers and TS3 for voice communications.
As all services are served from my residential connection I now tried to add a VPS in the connection chain to obfuscate services — and primarily protect myself from potential DDoS’ing.
The VPS is connected via WireGuard to my Router/Firewall/Security Appliance or whatever you want to call it. If you need a sketch please tell me.
So I tried to redirect traffic that is coming into my VPS to go to my local router using iptables rules, but whenever one tries to connect (via FQDN) there is just an error. Checking the server logs shows that the traffic isn’t redirected, so the TS3 client tries to connect to an instance on the VPS - which obviously does not exist, as it should be a forwarding proxy to my internal servers.
I’ve created the following iptables rules setup on the VPS:
In the forwarding chain I also see that 12 packets and 1496 bytes were sent.
However, the client logs only show the internet-facing IP of my VPS, nothing about my internal network.
|INFO |ClientUI |1 |Connect status: Connecting
|INFO |PktHandler |1 |server sent ciphers:1
|INFO |PktHandler |1 |Selected cipher:0
|DEVELOP |PktHandler |1 |Puzzle solve time: 6
|INFO |ClientUI |1 |Connect status: Connected
|INFO |ClientUI |1 |Connect status: Establishing connection
|INFO |ClientUI |1 |Connect status: Connection established
|INFO | | |requested new mytsid data
|INFO |ClientUI |1 |Connect status: Disconnected
|INFO |ClientUI |1 |Disconnected or forced to leave, want autoreconnect = 0
|INFO |ClientUI |1 |Connect to server: sub.domain.fqdn
|INFO |ClientUI |1 |Trying to resolve sub.domain.fqdn
|INFO |TSDNS | |A/AAAA DNS resolve for possible TSDNS successful, "domain.fqdn" =(h: 203.0.113.5 p:0)
|INFO |TSDNS | |A/AAAA DNS resolve for possible TSDNS successful, "sub.domain.fqdn" =(h: 203.0.113.70 p:0)
|INFO |TSDNS | |A/AAAA DNS resolve successful, "sub.domain.fqdn" =(h: 203.0.113.70 p:0)
|INFO |TSDNS | |SRV DNS resolve unsuccessful, "_ts3._udp.sub.domain.fqdn" Domain name not found
|INFO |TSDNS | |SRV DNS resolve unsuccessful, "_tsdns._tcp.domain.fqdn" Domain name not found
|INFO |TSDNS | |TSDNS queried unsuccessfully 203.0.113.5:41144
|INFO |TSDNS | |No TSDNS found
|INFO |TSDNS | |TSDNS queried unsuccessfully 203.0.113.70:41144
|INFO |TSDNS | |No TSDNS found
|INFO |ClientUI |1 |Lookup finished: ip=203.0.113.70 port=9987 query=sub.domain.fqdn error=0
|INFO |ClientUI |1 |Resolve successful: 203.0.113.70:9987
|INFO |ClientUI |1 |Initiating connection: 203.0.113.70:9987
|INFO |ClientUI |1 |Connect status: Connecting
|INFO |ClientUI |1 |Connect status: Disconnected
|INFO |ClientUI |1 |Failed to connect to server, want autoreconnect = 0
I changed the log entries a little bit: removed the timestamps and anonymised the domain and IPs.
domain.fqdn is my domain
sub.domain.fqdn is the subdomain I am using for the VPS
203.0.133.5 is the IP of my domain
203.0.133.70 is the IP of my VPS
10.20.30.1 is the IP of my local WireGuard peer
At my domain’s registrar I just added a single CNAME entry, no SRV or TSDNS stuff, just to clarify.
Any ideas why the traffic does not get redirected to my local stuff or what I should change to achieve my goal?
Why would I use SNAT? I want to alter the destination, not the source, so I use DNAT.
Or do you mean there is no route back from the local server to my router back to the VPS and then out the internet? IMO this should work without it because it depends on the initiation so there’s already a communication channel open.
Need more explanation on that, please.
When using a VPN you need to configure the routing table, otherwise the packets will go out via the provider.
And there is this kind of bug: when you connect to the server via SSH over the VPN and you have routing configured, you connect to the server and try a traceroute or ping to local devices through the VPN, and the packets go through. But if you physically walk up to the server and do the traceroute and ping from there, you will see that the traffic is ignored and all requests go past the VPN to the provider… That was my experience working with VPNs…
@Gamer92000 Was that your whole set of rules?
Which of the IPs is your VPS and which one is the router on your home network?
I get the idea but can’t wrap my head around what I actually need to change here
Like I already said, I can reach my home router and my local TS3 server from the VPS, so that Cyrillic stuff doesn’t even contribute to finding a solution.
Also, when connecting through the TS3 client the traffic is recognized on the VPS side, but there’s no traversing/redirection/whatever you wanna call it to my home router/fw.
Edit: Love you @Gamer92000!!
Instead of waiting for another reply (I know, it’s the Christmas holidays but I’m impatient) I first deleted all existing rules and then added your ruleset but with my IP addresses - and it worked! You are such a saint!
Although I need to figure out which entry does what, but that’s obviously on me now.
Edit2: I am stupid, I connected to the local hostname instead of the remote one because I was using the bookmarks. So this isn’t resolved unfortunately.
Dude, you are such a savior!
As I am managing some firewall related stuff through my VPS provider I actually just need three rules and don’t need the extra stuff you are doing as they’re already firewalling basic stuff.
But your last message made me think and test some more. The above iptables rules are enough like I said and I was able to connect to the server with correct routing!
What I hadn’t thought of was that WireGuard automatically drops the connection if no data is being sent for a while - in your last reply I noticed the PersistentKeepalive, which I never needed until now.
I am usually fine with VPN connections dropping when they aren’t needed but in this case I actually need it to not drop.
So after your previous reply I had all the correct stuff in place, but since the WireGuard connection dropped when I was trying to figure stuff out the other night I just didn’t notice it.
Thank you so much for also providing your wg.conf so I could figure out why I’m such a dumbass
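As an added example (not the ruleset or the wg.conf that were exchanged in this thread), the script below writes out the VPS-side iptables setup the first post describes and the home-side WireGuard peer fragment with the PersistentKeepalive the last post found missing. It assumes, beyond what the thread states, that the VPS public interface is eth0, the WireGuard interface is wg0, the VPS tunnel address is 10.20.30.2, and the ports besides 9987/udp are the TS3 defaults for file transfer (30033/tcp) and ServerQuery (10011/tcp); 10.20.30.1 is the home peer from the thread, and the key and endpoint are placeholders. The MASQUERADE rule is the SNAT step the thread asked about: the DNAT rewrites where the packet goes, but unless the source is also rewritten to the VPS tunnel address, the home server answers the client's public IP over its own residential uplink instead of back through the tunnel.

```shell
#!/bin/sh
# Added example, not the ruleset or wg.conf posted in this thread.
# Emits (or, with APPLY=1, applies) the iptables rules that let a VPS act as a
# DNAT front for services reached through a WireGuard tunnel, plus the [Peer]
# fragment that keeps the tunnel up. Assumed, not from the thread: the VPS
# public interface is eth0, the WireGuard interface is wg0, the VPS tunnel
# address is 10.20.30.2, and the ports beyond 9987/udp (TS3 defaults for
# file transfer and ServerQuery). 10.20.30.1 is the home peer from the thread.

WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
HOME_PEER="${HOME_PEER:-10.20.30.1}"
PORTS="${PORTS:-udp:9987 tcp:30033 tcp:10011}"

# gen_rules PROTO PORT: the three rules one forwarded port needs.
gen_rules() {
  proto=$1
  port=$2
  # 1. Rewrite the destination: client -> VPS public address becomes client -> home peer.
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$proto" "$port" "$HOME_PEER" "$port"
  # 2. Let the rewritten packet through FORWARD: only this port, only towards the tunnel.
  printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WAN_IF" "$WG_IF" "$proto" "$HOME_PEER" "$port"
  # 3. Source-NAT on the way into the tunnel, so the home server answers the VPS tunnel
  #    address and the reply comes back through wg0 instead of the home default route.
  #    Without this, DNAT alone delivers the request but the reply never returns.
  printf 'iptables -t nat -A POSTROUTING -o %s -p %s -d %s --dport %s -j MASQUERADE\n' \
    "$WG_IF" "$proto" "$HOME_PEER" "$port"
}

# emit_all: sysctl, the shared return-path rule, then the per-port rules.
emit_all() {
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  # Replies from the home peer back towards the client (conntrack reverses the DNAT).
  printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WG_IF" "$WAN_IF"
  for spec in $PORTS; do
    gen_rules "${spec%%:*}" "${spec##*:}"
  done
}

# wg_peer_snippet: [Peer] block for the side that sits behind NAT (the home router).
# PersistentKeepalive makes that side send a packet every 25 s (the value the
# WireGuard docs suggest), so the NAT mapping stays open and the VPS can still
# reach it after minutes of silence; the VPS side does not need it.
wg_peer_snippet() {
  printf '[Peer]\n'
  printf 'PublicKey = <VPS-PUBLIC-KEY-PLACEHOLDER>\n'
  printf 'Endpoint = <VPS-PUBLIC-IP-PLACEHOLDER>:51820\n'
  printf 'AllowedIPs = 10.20.30.2/32\n'
  printf 'PersistentKeepalive = 25\n'
}

# rule_count: how many iptables lines emit_all produces (sanity check before applying).
rule_count() {
  emit_all | grep -c '^iptables '
}

if [ "${APPLY:-0}" = "1" ]; then
  emit_all | sh -e          # run as root on the VPS
else
  emit_all                  # dry run: review the rules before applying them
  printf '\n# home-side wg.conf fragment:\n'
  wg_peer_snippet
fi
```

Run it without arguments to see the rules it would add and the peer fragment, then `APPLY=1 sh script.sh` as root on the VPS once they look right; the FORWARD rules are deliberately scoped to the published ports and to the tunnel interface, so the VPS forwards nothing else. After applying, `wg show` on the VPS should report a recent handshake for the home peer even after a quiet period, and a failed TS3 connect like the one logged above points at the tunnel rather than at the NAT rules.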