
GRE tunnel. Port Forwarding with IPTables from VPS to Local Server not working


Dear ServerFault community,

I have an OVH VPS with 3 public IPs (1.1.1.1, 2.2.2.2, 3.3.3.3) and I am trying to forward them individually, with one tunnel for each IP, to a server in my office (IP 5.5.5.5) with port forwarding. This is so that I can hide my office IP when running services on my office server.

1.1.1.1 is reserved for VPS's SSH. (All the ports are dropped except for port 23).

I forwarded one IP (2.2.2.2) through a WireGuard tunnel and IPTables and it works correctly with both curl --interface wg0 ifconfig.co and port forwarding (I can access Apache through 2.2.2.2:80).

WireGuard subnet:

1.0.0.1/32 for the VPS and 1.0.0.2/32 for the peer

For the second IP (3.3.3.3) I tried to create a second subnet and tunnel by using a GRE tunnel whose source and destination IPs are the WireGuard endpoints.

GRE Tunnel setup on OVH VPS:

iptunnel add gre1 mode gre local 10.0.0.1 remote 10.0.0.2 ttl 255
ip addr add 10.1.0.1/30 dev gre1
ip link set gre1 up

GRE Tunnel setup on Office Server:

iptunnel add gre1 mode gre local 10.0.0.2 remote 10.0.0.1 ttl 255
ip addr add 10.1.0.2/30 dev gre1
ip link set gre1 up

GRE subnet:

1.1.0.1/30 for the VPS and 1.1.0.2/30 for the peer

The GRE connection works as I can use it to access the internet. Moreover, with curl --interface gre1 ifconfig.co the correct IP is shown (3.3.3.3).

The only thing is that port forwarding is not working. I ran TCPDump on both the VPS and the office server while visiting 3.3.3.3:80, and it seems like the office server receives data from the VPS but no data is sent back.

TCPDump from VPS (when visiting 3.3.3.3:80):

17:23:18.982509 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:18.983462 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.246446 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.992556 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.993397 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:20.258502 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.004496 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.004531 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.268496 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

TCPDump from Office server (when visiting 3.3.3.3:80):

19:26:22.313047 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:22.313051 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:23.326891 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:23.327948 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:25.336925 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:25.337102 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:29.338287 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:29.338290 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

OVH VPS' IPTables:

# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*filter
:INPUT ACCEPT [1698:235639]
:FORWARD ACCEPT [1053:163056]
:OUTPUT ACCEPT [1451:166474]
:f2b-sshd - [0:0]
-A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -p GRE -j ACCEPT
-A INPUT -p GRE -j ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
COMMIT
# Completed on Tue May 31 15:25:37 2022
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*nat
:PREROUTING ACCEPT [435:15811]
:INPUT ACCEPT [428:15399]
:OUTPUT ACCEPT [32:2255]
:POSTROUTING ACCEPT [119:6298]


-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 21,22,23,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 21,22,80,23,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2


-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 21,22,23,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 21,22,80,23,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -p gre -j DNAT --to-destination 10.1.0.2


-A POSTROUTING -s 10.1.0.2/30 ! -o gre+ -j SNAT --to-source 149.202.147.64


-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2


-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 149.202.147.64
-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3


COMMIT
# Completed on Tue May 31 15:25:37 2022

Result on Office Server for curl --interface wg0 ifconfig.co:

2.2.2.2

Result on Office Server for curl --interface gre1 ifconfig.co:

3.3.3.3

(Internet connection works for both)

With Apache listening on 0.0.0.0:80 I can access the webserver through 2.2.2.2:80 but not through 3.3.3.3:80.

Even if Apache binds to 10.1.0.2 I still cannot access the webserver.

Any help will be very appreciated!

Thank you very much for your time!

Best Regards,

Nicolò
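Both captures in the question show the same SYNs being retransmitted with no SYN-ACK, which is what a host produces when it receives a forwarded packet but never accepts or answers it. The script below is an added example, not part of the original question and not an answer posted on it. It packages the checks a practitioner would run on the office server for that symptom and the fix for the cause that most often matches it: strict reverse-path filtering (rp_filter=1) on the tunnel interface, which silently drops a SYN whose source, the public client, is not routed back through gre1, after tcpdump has already recorded it. The tunnel names and addresses (gre1, 10.1.0.2, 10.1.0.1) are taken from the question; the routing table number 201, the rule priority 1000 and the client address 198.51.100.7 are assumptions made for the example. `capture` reads tcpdump output on stdin and lists flows whose SYNs never got a SYN-ACK, `check` asks the kernel what it would do with the forwarded SYN and with the reply, and `fix` prints the commands (root needed to apply them) instead of running them. The route and rule in `fix` are only needed if the reply lookup does not already point towards the VPS.

```shell
#!/bin/sh
# Added example (not from the original question): checks and fix for a DNAT'd
# GRE endpoint on the office server whose capture shows SYNs but no SYN-ACKs.
# Assumed names: gre1 / 10.1.0.2 / 10.1.0.1 from the question; table 201,
# rule priority 1000 and the client address 198.51.100.7 are made up here.
GRE_IF="${GRE_IF:-gre1}"
GRE_ADDR="${GRE_ADDR:-10.1.0.2}"
GRE_PEER="${GRE_PEER:-10.1.0.1}"
CLIENT_IP="${CLIENT_IP:-198.51.100.7}"
RT_TABLE="${RT_TABLE:-201}"

# Linux applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter:
# 0 = off, 1 = strict (drop unless the best route back to the packet's source
# leaves via the ingress interface), 2 = loose (any route to the source will do).
effective_rp_filter() {   # $1 = conf/all value, $2 = conf/<iface> value
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# A forwarded SYN arrives on the tunnel from a public client whose best return
# route is the office default gateway. Strict mode drops it after tcpdump has
# already seen it, which is exactly a "SYN in, nothing out" capture.
rp_filter_accepts_asymmetric() {   # $1 = effective rp_filter value
    [ "$1" -ne 1 ]
}

# Reads tcpdump text on stdin and reports flows whose SYNs never got a SYN-ACK.
# Exit status 1 when at least one such flow exists, so it can gate a check.
one_way_syns() {
    awk '
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[^A-Za-z.]/, "", flags)   # "[S]," -> "S", "[S.]," -> "S."
        if (flags == "S")       syn[src " > " dst]++
        else if (flags == "S.") synack[dst " > " src] = 1   # keyed like the SYN it answers
    }
    END {
        n = 0
        for (k in syn) if (!(k in synack)) {
            n++
            printf "no SYN-ACK seen for %s: %d SYN(s) sent\n", k, syn[k]
        }
        if (n == 0) print "every SYN got a SYN-ACK"
        exit (n > 0)
    }'
}

# Commands for the fix, printed rather than run so they can be reviewed.
# The sysctl relaxes only the tunnel; conf/all is left as it is. The route and
# rule make replies sourced from the tunnel address go back to the VPS even if
# the main table sends them elsewhere; skip them if the reply lookup printed by
# live_check already points at the tunnel or at the WireGuard path to the VPS.
fix_cmds() {
    cat <<EOF
sysctl -w net.ipv4.conf.$GRE_IF.rp_filter=2
ip route replace default via $GRE_PEER dev $GRE_IF table $RT_TABLE
ip rule add from $GRE_ADDR lookup $RT_TABLE priority 1000
EOF
}

# Live check, to be run on the office server (needs iproute2 and /proc/sys).
live_check() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    iface=$(cat "/proc/sys/net/ipv4/conf/$GRE_IF/rp_filter")
    eff=$(effective_rp_filter "$all" "$iface")
    echo "rp_filter: all=$all $GRE_IF=$iface effective=$eff"
    if rp_filter_accepts_asymmetric "$eff"; then
        echo "  forwarded SYNs from off-tunnel sources can be accepted on $GRE_IF"
    else
        echo "  strict: such SYNs are dropped after capture (see: $0 fix)"
    fi
    # Ask the kernel what it would do with the forwarded SYN itself:
    # src = client, dst = tunnel address, arriving on the tunnel.
    echo "ingress lookup for a SYN from $CLIENT_IP arriving on $GRE_IF:"
    ip route get "$GRE_ADDR" from "$CLIENT_IP" iif "$GRE_IF" \
        || echo "  refused: with strict rp_filter this is the drop the capture never shows"
    # The reply (src = tunnel address, dst = client) has to reach the VPS,
    # not the office default gateway, for conntrack on the VPS to un-DNAT it.
    echo "reply lookup from $GRE_ADDR to $CLIENT_IP:"
    ip route get "$CLIENT_IP" from "$GRE_ADDR"
}

case "${1:-}" in
    check)   live_check ;;
    fix)     fix_cmds ;;
    capture) one_way_syns ;;            # e.g. tcpdump -n -i gre1 tcp port 80 | $0 capture
    *)       echo "usage: $0 check | fix | capture < tcpdump-output.txt" >&2 ;;
esac
```

Run `capture` against the saved office-side tcpdump first: every flow it lists is a SYN the office server saw but never answered. Then `check` shows whether the tunnel is in strict mode and whether the kernel refuses the ingress lookup for that SYN, and separately where the reply would be routed; only apply the `fix` lines that the two lookups actually call for.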

