Friday, March 10, 2017

Running a service when your ISP doesn't like you

We are running out of IPv4.

Nowadays it is more and more common for ISPs not to give you a public IP. Especially if you live in an apartment, they usually only give you a DHCP port behind their NAT. This is a bit inconvenient (or annoying?) for people who want to run services, which require a public IP.

Here's a common solution:

1. Rent a VPS on DigitalOcean ($10/mo)
2. Connect my desktop to the VPS over a VPN
3. Run the server on my desktop
4. Forward traffic from the VPS to my desktop

The issue here is that OpenVPN will take over the entire interface (all traffic will be routed through the tun0 device). My solution is to jail OpenVPN inside a Linux network namespace.

Recently I modified someone else's script to run different kinds of VPNs under a Linux network namespace: https://github.com/xatier/rc-files/blob/master/bin/v.sh

With the help of this script, I can simply use iptables to forward a port on my VPS's public interface to the private (tunnel) IP of my desktop.

The overview of the design looks like this:

---------------------------------------------------------------
| VPS public IP (eth0 / x.x.x.x)
---------------------------------------------------------------
| openVPN (tun0 / 10.8.0.1)
| ---------------------------------------------------------------
| sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j DNAT --to 10.8.0.2:1234
| sysctl net.ipv4.ip_forward=1
===============================================================
|
| my ISP ( under NAT ... orz)
|
===============================================================
| Desktop interface (enp0s0 / 192.168.a.b)
---------------------------------------------------------------
| Linux network NS (vpn0 / 10.200.200.1)
| 
| ip netns exec  ip route add default via 10.200.200.1 dev vpn1
| iptables -t nat -A POSTROUTING -o en+ -s 10.200.200.0/24 -j MASQUERADE
| sysctl net.ipv4.ip_forward=1
| 
| Linux network NS (vpn1 / 10.200.200.2)
| ---------------------------------------------------------------
| openVPN (tun0 / 10.8.0.2)
| ---------------------------------------------------------------
| server running on port 1234
| ---------------------------------------------------------------
