Make your server available through a VPN endpoint IP
Let's say your ISP doesn't provide a static IP and you want to self-host your website, email and so on at home. Or you can't set up rDNS. Or your usual Internet access is down and you want to keep your server up using your smartphone's connection sharing.
Or reasons...
One may set up a VPN tunnel between the home server and a remote endpoint. To reach the home server through the endpoint, we have to configure the appropriate redirections.
What is described below works with IKEv2, OpenVPN, WireGuard... Actually, you just need a working tunnel.
Good news: default routes are unchanged; it is not a RoadWarrior setup, unless you want it to be.
Even better, it is very easy to achieve with OpenBSD. 😊
Note:
- 192.0.2.42 is the endpoint's public IP
- 10.0.0.1 is the endpoint's private (tunnel) IP
- 10.0.0.2 is your server's private (tunnel) IP
VPN Tunnel summary
As an example, we show a minimal WireGuard configuration.
For more, see solene's amazing tutorial (⚠️ there, default routes are modified).
Endpoint setup
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

# cat /etc/hostname.wg0
inet 10.0.0.1/24
inet6 fd19:6f4d:bea8:f63a::1/64
wgkey [...] # run openssl rand -base64 32 to get it
wgport 4545
wgpeer [...] \
	wgaip 10.0.0.2/32 \
	wgaip fd19:6f4d:bea8:f63a::2/128
up

# cat /etc/pf.conf
block
# wireguard tunnel
pass in proto udp to port 4545
pass in on wg0
[...]
pass out
Server (client) setup
# cat /etc/pf.conf
[...]
pass in quick on wg0 from 10.0.0.1
[...]
pass out

# cat /etc/hostname.wg0
wgkey [...]
wgpeer [...] \
	wgendpoint 192.0.2.42 4545 \
	wgaip 0.0.0.0/0 \
	wgaip ::0/0 \
	wgpka 25
inet 10.0.0.2/24
inet6 fd19:6f4d:bea8:f63a::2/64
Generate each side's ''wgkey'' with ''openssl rand -base64 32''.
Get the WireGuard public key to put in the other side's ''wgpeer'' line with ''ifconfig wg0''.
Redirect traffic from endpoint to server
Edit the endpoint's ''/etc/pf.conf'' and add the appropriate ''nat-to'' and ''rdr-to'' rules.
serv_int = "10.0.0.2"
serv_ext = "192.0.2.42"
int_if = "wg0"
ext_if = "vio0"

block

# allow ssh on alternate port
pass in quick on egress proto tcp from any to port 4242

# wireguard tunnel
pass in proto udp to port 4545
pass in on wg0

# vpn ext to int redirection
pass in on $ext_if proto tcp from any to $serv_ext rdr-to $serv_int
match out on $ext_if from $serv_int to any \
	nat-to $serv_ext static-port
# or
# match on $ext_if from $serv_int to any binat-to $serv_ext
match out on $int_if from any to $serv_int \
	received-on $ext_if nat-to $int_if

pass out
As you can see, we first set macros.
Then, incoming SSH on an alternate port is allowed with ''quick''. This is necessary since all TCP traffic to the public IP will be redirected to your server, so without it you would no longer be able to remotely configure the endpoint. Make sure you edited ''/etc/ssh/sshd_config'' accordingly.
As before, we let the WireGuard tunnel in.
Then, two rules redirect traffic from the outside to your server and back: ''rdr-to'' and ''nat-to''. Together they are equivalent to ''binat-to''. If you need to, you can add a port range to the ''rdr-to'' rule.
The last ''nat-to $int_if'' rule rewrites the source of redirected connections to the endpoint's tunnel address, so that the server's replies go back through the tunnel instead of its unchanged default route; as a consequence the server sees every redirected connection as coming from 10.0.0.1.
Reload pf and check that it is working:
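Before reloading pf, it is worth checking that the two ''hostname.wg0'' files and the endpoint's pf macros agree with each other, since a mismatched ''wgaip'', ''wgendpoint'' or macro is the usual reason the redirection silently fails. The following Python script is an added example, not part of the original post: it parses hostname.if(5)-style files and pf.conf macros and reports inconsistencies between the two hosts. The embedded configurations are constructed from the post's example values with placeholder keys, and the function names (''parse_hostname_if'', ''parse_pf_macros'', ''find_quick_ssh_port'', ''check_setup'') are introduced here.

```python
"""Cross-checks for a WireGuard tunnel + pf redirection setup (added example)."""
import ipaddress
import re
import shlex

# Constructed sample files mirroring the post's example values; keys are placeholders.
ENDPOINT_WG0 = """\
inet 10.0.0.1/24
inet6 fd19:6f4d:bea8:f63a::1/64
wgkey PLACEHOLDER_ENDPOINT_PRIVATE_KEY
wgport 4545
wgpeer PLACEHOLDER_SERVER_PUBLIC_KEY \\
    wgaip 10.0.0.2/32 \\
    wgaip fd19:6f4d:bea8:f63a::2/128
up
"""
SERVER_WG0 = """\
wgkey PLACEHOLDER_SERVER_PRIVATE_KEY
wgpeer PLACEHOLDER_ENDPOINT_PUBLIC_KEY \\
    wgendpoint 192.0.2.42 4545 \\
    wgaip 0.0.0.0/0 \\
    wgaip ::0/0 \\
    wgpka 25
inet 10.0.0.2/24
inet6 fd19:6f4d:bea8:f63a::2/64
"""
ENDPOINT_PF = """\
serv_int = "10.0.0.2"
serv_ext = "192.0.2.42"
int_if = "wg0"
ext_if = "vio0"
block
pass in quick on egress proto tcp from any to port 4242
pass in proto udp to port 4545
pass in on wg0
pass in on $ext_if proto tcp from any to $serv_ext rdr-to $serv_int
match out on $ext_if from $serv_int to any nat-to $serv_ext static-port
match out on $int_if from any to $serv_int received-on $ext_if nat-to $int_if
pass out
"""


def parse_hostname_if(text):
    """Join backslash-continued lines, drop comments, read inet/inet6/wgport/wgpeer."""
    cfg = {"inet": [], "inet6": [], "wgport": None, "wgpeers": []}
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        tok = shlex.split(buf + line)
        buf = ""
        if not tok:
            continue
        if tok[0] in ("inet", "inet6"):
            cfg[tok[0]].append(ipaddress.ip_interface(tok[1]))
        elif tok[0] == "wgport":
            cfg["wgport"] = int(tok[1])
        elif tok[0] == "wgpeer":
            peer = {"pubkey": tok[1], "wgaip": [], "wgendpoint": None}
            i = 2
            while i < len(tok):
                if tok[i] == "wgaip":
                    peer["wgaip"].append(ipaddress.ip_network(tok[i + 1]))
                    i += 2
                elif tok[i] == "wgendpoint":
                    peer["wgendpoint"] = (ipaddress.ip_address(tok[i + 1]), int(tok[i + 2]))
                    i += 3
                else:  # wgpka and similar keywords take one argument
                    i += 2
            cfg["wgpeers"].append(peer)
    return cfg


def parse_pf_macros(text):
    """Return pf.conf macro definitions of the form name = "value"."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))


def find_quick_ssh_port(text):
    """Port of the 'pass in quick on <if> proto tcp ... port N' rule, if present."""
    m = re.search(r"^pass in quick on \S+ proto tcp .*\bport (\d+)", text, re.M)
    return int(m.group(1)) if m else None


def check_setup(endpoint_wg0, server_wg0, endpoint_pf, endpoint_public_ip):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []
    ep, srv = parse_hostname_if(endpoint_wg0), parse_hostname_if(server_wg0)
    pub = ipaddress.ip_address(endpoint_public_ip)
    macros = parse_pf_macros(endpoint_pf)
    ep_if, srv_if = ep["inet"][0], srv["inet"][0]
    if ep_if.network != srv_if.network:
        problems.append(f"tunnel addresses {ep_if} and {srv_if} are not in one subnet")
    # The endpoint only forwards to the server if some wgaip covers its tunnel address.
    if not any(srv_if.ip in n for p in ep["wgpeers"] for n in p["wgaip"]):
        problems.append(f"endpoint wgaip does not cover server address {srv_if.ip}")
    # The server must accept packets sourced from the endpoint's tunnel address
    # (the nat-to $int_if rule makes every redirected connection look like that).
    if not any(ep_if.ip in n for p in srv["wgpeers"] for n in p["wgaip"]):
        problems.append(f"server wgaip does not cover endpoint address {ep_if.ip}")
    dial = srv["wgpeers"][0]["wgendpoint"] if srv["wgpeers"] else None
    if dial != (pub, ep["wgport"]):
        problems.append(f"server wgendpoint {dial} does not match {pub} port {ep['wgport']}")
    if macros.get("serv_int") != str(srv_if.ip):
        problems.append(f"pf macro serv_int={macros.get('serv_int')} != {srv_if.ip}")
    if macros.get("serv_ext") != str(pub):
        problems.append(f"pf macro serv_ext={macros.get('serv_ext')} != {pub}")
    # Once all TCP to serv_ext is redirected, only a 'quick' rule keeps SSH to the
    # endpoint itself reachable, and its port must not collide with the tunnel port.
    ssh_port = find_quick_ssh_port(endpoint_pf)
    if ssh_port is None:
        problems.append("no 'pass in quick ... proto tcp' rule: rdr-to will swallow SSH to the endpoint")
    elif ssh_port == ep["wgport"]:
        problems.append(f"ssh port {ssh_port} collides with wgport")
    return problems


if __name__ == "__main__":
    for issue in check_setup(ENDPOINT_WG0, SERVER_WG0, ENDPOINT_PF, "192.0.2.42") or ["OK"]:
        print(issue)
```

Run it with the real files (''cat /etc/hostname.wg0'' from both hosts and the endpoint's ''/etc/pf.conf'') in place of the constructed samples; an empty result means the addresses, ports and macros line up, which is what ''nc -zv'' then exercises end to end.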
nc -zv 192.0.2.42 80
Connection to 192.0.2.42 80 port [tcp/www] succeeded!
Yay \o/