Hosting services behind a restrictive firewall/CG-NAT using DNAT with iptables on a VPS hosted wireguard endpoint
This is a short description of how to host services, using STORJ node as an example, on a host behind CG-NAT, or otherwise restrictive firewall, by forwarding packets through WireGuard endpoint on a relatively fast nearby VPS. This is not specific to Storj, and can be adopted to hosting other services.
Here we will use Oracle Cloud instance to host VPN server; free tier still provides 10TB of monthly traffic that is sufficient for most node operators. Just make sure to create an account in a closest datacenter to minimize extra latency.
Notes on configuring the cloud instance
- Create the new Oracle compute instance (ideally, Ampere, because they are awesome, but if that is not available, any other will do too).
- Pick any OS you prefer, here we’ll describe Ubuntu, as a most popular one.
- Configure public IP address (this is the default), and upload SSH key to access the instance.
- Then edit the
Ingress Rules
in the Default Security List in the VCN associated with the instance and rules to allow:- Traffic from anywhere
0.0.0.0/0
, any port, to destination port28967
, one for udp, one for tcp. This is for storj. -
UDP to port
51820
, for WireGuard. It does not need to be this specific port, any will do, just adjust the rest accordingly. The source network can also be narrowed down to your ISP’s address range, if desired.Statless Source IP Protocol Source Port Range Destination Port Range Type and Code Allows Description No 0.0.0.0/0 TCP All 28967 TCP Traffic for port 28967 Storj TCP No 0.0.0.0/0 UDP All 28967 UDP Traffic for port 28967 Storj UDP No 0.0.0.0/0 UDP All 51820 UDP Traffic for port 51820 Wireguard
That’s all that needs to be done in Oracle console.
- Traffic from anywhere
- Optionally, configure the A record to point to the public IP with your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and as your storj node external address.
Installing and configuring wireguard tunnel
-
ssh to your new instance, update software, and install wireguard:
sudo apt update && sudo apt upgrade sudo reboot sudo apt install wireguard -y
-
Configure wireguard tunnel between your node and VPS. There are tons of tutorials, here are the steps for reference:
On the VPS:
- Initialize the config file
(umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
- Add peer information (public key and address) after configuing it below
- Enable ipv4 forwarding: in
/etc/sysctl.conf
uncomment# Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1
and for the change to take effect load it:
sudo sysctl -p
Note: it is possible to configure this key in a number of other configuration files, see
man sysctl
, but in this case either provide path to file to-p
argument or simply usesudo sysctl --system
, that will parse all configuration files. - Enable and start the wireguard service:
sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0
On the client, assuming it’s a TrueNAS, and storj runs in the jail, we would need few things:
- In the jail properties tick the
allow_tun
flag. (e.g.iocage set allow_tun=1 jailname
) - On the host under System -> Tunables add
LOADER
variableif_wg_load
with the valueYES
, to load wireguard kernel module. - Initialize the wireguard config file and create keys just like above, noting that in FreeBSD the default configuration file location is
/usr/local/etc/wireguard/wg0.conf
- In the jail, in the
/etc/rc.conf
addwireguard_enable="YES" wireguard_interfaces="wg0"
Generally, the config files shall look like so:
- On the server:
/etc/wireguard/wg0.conf
[Interface] PrivateKey = <server private key> ListenPort = 51820 Address = 10.0.60.1 # Allow WireGuard through the firwall PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT [Peer] PublicKey = <client public key> AllowedIPs = 10.0.60.2/32
- On the client:
/usr/local/etc/wireguard/wg0.conf
[Interface] PrivateKey = <client private key> Address = 10.0.60.2 [Peer] PublicKey = <server public key> AllowedIPs = 10.0.60.1/32 Endpoint = sub.example.com:51820 PersistentKeepalive = 25
- Start the service on the client:
service wireguard start
At this point the client shall be able to ping the server, and the server shall be able to ping the clinet, at
10.0.60.1
and10.0.60.2
addresses, respectively. - Initialize the config file
Packet forwarding
Now the very last thing, the meat of this tutorial. In the [Interface]
section on the server in the /etc/wireguard/wg0.conf
add the following PreUp
and PostDown
rules (PostDown rules are copies of PreUp rules, but with -A
or -I
options replaced with -D
, to delete the rule):
# Allow forwarding to and from wireguard interface
PreUp = iptables -I FORWARD -i %i -j ACCEPT
PreUp = iptables -I FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
# Turn on masquarading
PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
# Note: in the next section we are inserting the ALLOW rules before the default REJECT rule
# that on Oracle VMs is at position 6 by default. Your VPS may have similar default rules; adjust accordingly.
# Allow Wireguard ports through the firewall
PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
# Allow STORJ ports through the firewall
PreUp = iptables -I INPUT 6 -p tcp -m state --state NEW --dport 28967 -j ACCEPT
PreUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT
PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT
# Any other ports for additinal applications can be added similarly.
# ...
# DNAT Storj ports to the client on the other side of the tunnel
PreUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967
PreUp = iptables -t nat -I PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967
PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967
These accomplish few things:
- Allow traffic to Wireguard port, so that your server can connect to establish the tunnel .
- Allow new tcp and udp connections to Storj port (note inserting the rule before rule 6, on oracle instances rule 6 is reject).
- Allow Storj packet forwarding to wireguard interface.
- Turn on masquerading, to facilitate the correct routing of response packets.
On the server, restart the wireguard service:
sudo systemctl restart wg-quick@wg0
On the client, restart the wireguard service:
service wireguard restart
In the config.yaml
of the storage node modify the external address to point to your vps:
# the public address of the node, useful for nodes behind NAT
contact.external-address: sub.example.com:28967
[Re]start the node, and check the status page. It shall be now happily connected.
This was originally posted as a GitHub gist.