nihilist - 21 / 08 / 2023

portforwarding Setup

In this tutorial we're going to look at how to expose locally hosted services to the internet by forwarding ports through a VPS.

Initial Setup

Situation: you want to run some services locally. But you want them to be publicly accessible without revealing your public IP.

Solution 1: install openvpn, and port forward through iptables, as seen on


wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

#then install it, then run it again to add a user

./openvpn-install.sh

Tell me a name for the client.
Use one word only, no special characters.
Client name: nothing

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 2
⚠️ You will be asked for the client password below ⚠️

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1j  16 Feb 2021
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'nothing'
Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Client nothing added.

The configuration file has been written to /root/nothing.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

#then make it a systemd service to run openvpn on the client (from where the service runs):

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ sudo vim /etc/systemd/system/vpn.service

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ cat /etc/systemd/system/vpn.service
[Unit]
Description=VPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/openvpn /root/nothing.ovpn
# systemd does not run a shell, so $(pidof openvpn) is never expanded, and SIGKILL
# leaves the tun device and pushed routes behind; send SIGTERM to the main PID
# instead so openvpn tears the tunnel down cleanly
ExecStop=/bin/kill -TERM $MAINPID
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

[ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
→ systemctl daemon-reload ; systemctl enable --now vpn ; ping 10.8.0.1

#on the VPN server we forward the ports to the local VM via iptables: (change ens3 to the correct network interface + the correct ip)

root@mail-gw:~# cat iptables_forwardrules.sh
#!/bin/bash
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587
iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993

root@mail:~# chmod +x iptables_forwardrules.sh
root@mail:~# ./iptables_forwardrules.sh

#from the VM we allow the packets to be forwarded to us:

root@mail-nihilism:~# cat iptables_forwardrules.sh
#!/bin/bash
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT

root@mail-nihilism:~# chmod +x iptables_forwardrules.sh
root@mail-nihilism:~# ./iptables_forwardrules.sh

You also need to enable IP forwarding (change ens3 to the correct network interface):

root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1
net.ipv4.conf.ens3.forwarding = 1
root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1
net.ipv6.conf.ens3.forwarding = 1
root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf
root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf
root@mail-gw:~# sysctl -p
net.ipv6.conf.ens3.forwarding = 1
net.ipv4.conf.ens3.forwarding = 1

#for arch users, install libvirt:
sudo pacman -S libvirt
vim /etc/sysctl.d/30-ipforward.conf
cat /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

[ nihilism ] [ /dev/pts/1 ] [~]
→ sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
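As an added example (not the blog's own scripts), here are the two rule files above folded into one generator for the VPN server, the host whose nat and FORWARD chains the tunnelled packets actually cross. It keeps the post's interface, public IP and client IP, guards every append with a -C check so re-running it never duplicates rules, and refuses to apply anything while the forwarding sysctl from the step above is still off. It assumes the VPN client's default route goes through the tunnel, so replies to forwarded connections leave via this gateway again.

```shell
#!/bin/bash
# Added example, not the post's own script: derive the gateway's DNAT and
# FORWARD rules from a single port list so the two hand-written files cannot
# drift apart. Interface, public IP and VPN client IP are the post's values.
# Rules are printed; run with APPLY=1 (as root on the VPN server) to load them.
# Assumption: the VPN client's default route goes through the tunnel, so
# replies to forwarded connections leave via this gateway again.

# idem TABLE CHAIN RULE... : print an append guarded by a "-C" check, so the
# script can be re-run (e.g. from a boot unit) without duplicating rules
idem() {
    local table=$1 chain=$2; shift 2
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$table" "$chain" "$*" "$table" "$chain" "$*"
}

# gen_rules IFACE PUBLIC_IP VPN_IP PORT... : one conntrack rule plus a
# DNAT + FORWARD pair per port, in the order they must be evaluated
gen_rules() {
    local iface=$1 pub=$2 vpn=$3 p; shift 3
    # return traffic of already-accepted connections needs no per-port rule
    idem filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for p in "$@"; do
        # rewrite the destination of packets hitting the public address
        idem nat PREROUTING -i "$iface" -p tcp -d "$pub" --dport "$p" \
            -j DNAT --to-destination "$vpn:$p"
        # and let only those rewritten packets cross the FORWARD chain
        idem filter FORWARD -i "$iface" -p tcp -d "$vpn" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# forwarding_enabled IFACE : true when the kernel will route through IFACE
# (the sysctl the post sets); without it the rewritten packets are dropped
forwarding_enabled() {
    [ "$(cat "/proc/sys/net/ipv4/conf/$1/forwarding" 2>/dev/null)" = 1 ]
}

PORTS="25 80 443 143 465 587 993"
if [ "${APPLY:-0}" = 1 ]; then
    forwarding_enabled ens3 || { echo "enable net.ipv4.conf.ens3.forwarding first" >&2; exit 1; }
    gen_rules ens3 23.137.250.140 10.8.0.2 $PORTS | bash
else
    gen_rules ens3 23.137.250.140 10.8.0.2 $PORTS
fi
```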

If that doesn't work, do it via nginx:

#on the server:

apt install nginx libnginx-mod-stream -y
systemctl stop nginx

[ Datura Network ] [ /dev/pts/7 ] [~]
→ vim /etc/nginx/nginx.conf

[ Datura Network ] [ /dev/pts/7 ] [~]
→ cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
	[...]
}

http {
	[...]
}

stream {
        server {
                listen 3389; # tcp port forwarding
                proxy_pass 10.8.0.3:3389;
        }
        server {
                listen 25565; # tcp port forwarding
                proxy_pass 10.8.0.2:25565;
        }
        server {
                listen 25565 udp; # udp port forwarding
                proxy_pass 10.8.0.2:25565;
                proxy_responses 0;
        }
}

[ Datura Network ] [ /dev/pts/7 ] [~]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ Datura Network ] [ /dev/pts/7 ] [~]
→ systemctl start nginx

# then just test that the ports are open:

[ Datura Network ] [ /dev/pts/7 ] [~]
→ nmap 10.8.0.2 -p 25565
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 17:15 CEST
Nmap scan report for 10.8.0.2
Host is up (0.022s latency).

PORT      STATE SERVICE
25565/tcp open  minecraft

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

[ 10.0.2.2/24 ] [ /dev/pts/26 ] [~/Nextcloud/blog]
→ nmap datura.network -p 25565
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 17:15 CEST
Nmap scan report for datura.network (116.202.216.190)
Host is up (0.023s latency).

PORT      STATE SERVICE
25565/tcp open  minecraft

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
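As an added example (not the post's own config), a small generator for the stream block above: each forward is one LISTEN:TARGET_IP:TARGET_PORT[:udp] spec (a format of this script's own), and the TCP and UDP entries come out exactly as in the config, including proxy_responses 0 for UDP. Check the result with nginx -t as the post does before restarting.

```shell
#!/bin/bash
# Added example (not the post's own config): emit the nginx "stream {}" block
# from LISTEN:TARGET_IP:TARGET_PORT[:udp] specs, so every forward is one line
# and TCP/UDP entries cannot be mis-copied. Target addresses are the post's
# VPN clients; the spec syntax is this script's own convention.

# stream_server LISTEN HOST PORT [udp] : print one server {} entry
stream_server() {
    local listen=$1 host=$2 port=$3 proto=${4:-tcp}
    printf '        server {\n'
    if [ "$proto" = udp ]; then
        # UDP is connectionless: proxy_responses 0 tells nginx not to wait for
        # a reply datagram from the target before finishing the session
        printf '                listen %s udp; # udp port forwarding\n' "$listen"
        printf '                proxy_pass %s:%s;\n' "$host" "$port"
        printf '                proxy_responses 0;\n'
    else
        printf '                listen %s; # tcp port forwarding\n' "$listen"
        printf '                proxy_pass %s:%s;\n' "$host" "$port"
    fi
    printf '        }\n'
}

# stream_block SPEC... : wrap all entries in one stream {} block
stream_block() {
    local spec oldifs
    printf 'stream {\n'
    for spec in "$@"; do
        # split LISTEN:HOST:PORT[:udp] on ':' into positional parameters
        oldifs=$IFS; IFS=:; set -- $spec; IFS=$oldifs
        stream_server "$@"
    done
    printf '}\n'
}

# Paste the output into /etc/nginx/nginx.conf (or a file pulled in with an
# include directive), then run nginx -t before starting nginx.
stream_block 3389:10.8.0.3:3389 25565:10.8.0.2:25565 25565:10.8.0.2:25565:udp
```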
