#nixos-on-your-router on 2020-09-10

2019-08-19 13:17 eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router

01:36 superherointj has quit [Quit: Leaving]

07:25 lopsided98 has quit [Quit: No Ping reply in 180 seconds.]

07:27 lopsided98 has joined #nixos-on-your-router

10:29 superherointj has joined #nixos-on-your-router

10:53 teto has joined #nixos-on-your-router

12:22 superherointj has quit [Quit: Leaving]

13:17 superherointj has joined #nixos-on-your-router

14:57 superherointj has quit [Quit: Leaving]

17:52 superherointj has joined #nixos-on-your-router

20:46 <hpfr> I want to be able to access my home network remotely via a VPN. I'm behind a nasty CGNAT and there's no IPV6 (even a mesh solution like nebula failed to work with it), so I believe I'm forced to use a topology where I set up a site-to-site VPN on my router to a VPS with a public IP, and then on the VPS I set up the actual VPN to connect to from remote clients?

20:47 <hpfr> if that's the correct approach, what do I need to do on the VPS to route traffic to my home LAN's subnet from clients to the exposed VPS VPN through the site-to-site VPN to my home LAN? I'll be using wireguard

20:51 <hpfr> I've been trying to search the internet for this but I'm lacking the correct terminology for finding how to do the routing on the VPS for the local subnet through the site to site

20:51 <hpfr> so if you know what I should search for that's all I need

20:54 <q3k> i think what you're looking for is just plain port forward, no?

20:55 <hpfr> I can't forward ports from my lan because of CGNAT, right?

20:55 <hexa-> Yes

20:55 <q3k> you can forward it over the VPN

20:55 <q3k> like step zero is to get things to route correctly between your home network and the VPN termination on your VPS

20:55 <hexa-> Onion service comes to mind honestly

20:55 <hpfr> oh well I want to forward all ports over the VPN don't I? I want it to be as if I'm on my local network

20:56 <q3k> i mean, it depends what you want

20:56 <hexa-> Oh nvm, different use case

20:56 <q3k> if you instead want to magically give a public IP address to one of your home devices it's a bit more involved

20:56 <hpfr> no I don't want to do that

20:56 <q3k> so what do you want to do

20:56 <hpfr> just want to access my lan from the road

20:56 <hpfr> but cgnat makes it complexz

20:56 <q3k> right

20:56 <q3k> so set up some device on your network to be a wireguard client

20:57 <q3k> into your VPS which will be a wireguard server

20:57 <q3k> then, i don't know, set it up so 10.13.37.1 is your server's address on the wireguard tunnel, and 10.13.37.2 is your device's address on the wireguard tunnel

20:57 <q3k> once that works, you can already ssh over into your network from the outside

20:58 <q3k> just by doing `ssh -J vps.example.com 10.13.37.2`

20:58 <q3k> (-J for jumphost)

20:58 <q3k> then you can start applying more and more network trickery to for instance forward ports

20:58 <q3k> instead of having to use an SSH jump host

20:58 <hpfr> yeah I think I want wg to do the heavy lifting not ssh

20:58 <q3k> i mean

20:58 <q3k> it doesn't matter

20:59 <q3k> first get that setup working

20:59 <q3k> it's a prerequisite anyway

20:59 <q3k> then once that works, set up more complex stuff on top of that

20:59 <hpfr> ok

20:59 <q3k> like there's some intricacies related to port forwarding over this sort of setup, where you have to usually both SNAT and DNAT

20:59 <q3k> and it's easier to explain and solve that

21:00 <q3k> once you have the wireguard tunnel up and verified to work

21:03 <hpfr> sounds good. I'm pretty sure this is more of a layer 3 thing than a layer 4 thing though? I think if you configure wireguard to expose the IP's you shouldn't have to mess with port forwarding, no

21:22 <q3k> doing this at l3 would mean 'moving' the entire VPS's IP into your network

21:22 <q3k> which you can't do, because your VPS is using it

21:22 <q3k> (notably, to terminate wireguard in the first place)

21:22 <q3k> so you can only really emulate this at an l4+ level with a bunch of iptables trickery

21:22 <q3k> even if you attach an extra IP to your VPS doing forwarding for that is nontrivial

21:23 <q3k> and also very dependent on how that IP actually gets attached to your VPS

21:23 <q3k> (which tends to already be mildly magical with more VPS setups)

21:32 <hpfr> isn't this what wg interfaces are for though? can't you just say route traffic to these IP's over this interface?

21:34 <cransom> yes, this is what tunnel interfaces are for. i agree with hpfr. there's no layer 4 trickery unless you are going to remap/proxy/whatever to tcp/udp ports

21:37 <q3k> yes, but even if you set a public address on one side of the tunnel

21:37 <q3k> how are you going to move packets into it?

21:38 <q3k> like if you have a public address A on the public interface of the VPS

21:38 <q3k> those are already going into the kernel's network stack for that address

21:39 <q3k> how do you simultaneously want to keep using this public address and route it over to the other side of a network link?

21:39 <cransom> i don't see where anyone is binding a public address onto wg0

21:39 <q3k> okay, so how do you suggest to set this up?

21:44 <cransom> allocate a vpn subnet that you'll assign addresses to wg0. vps sets a static route to the lan subnet for the client that is the home router.

21:44 <cransom> i don' tknow if wireguard installs kernel routes when you configure the allowed prefixes, but if it doesn't, `ip route add` is it.

21:45 <q3k> sure

21:45 <q3k> that gives you l3 connectivity over some publically unroutable network between the two

21:45 <q3k> (and that's what i recommended as a starting point above)

21:45 <q3k> but that doesn't let you expose anything from the local device into the internet (yet)

21:46 <cransom> i don't think that was OPs need.

21:47 <hpfr> yeah I don't think I'm trying to expose things to the internet, I clarified I just want to use my laptop like it's essentially on my LAN

21:47 <q3k> oh

21:47 <q3k> apologies then, i misread and misassumed

21:47 <hpfr> no problem it was very helpful

21:47 <q3k> yeah, then you don't need any of of what i meantioned, wireguard will work ootb here

21:47 <q3k> epsecially if you use wg-quick, it will set up routes and everything automagically

21:48 <q3k> sorry for the confusion.

21:48 <hpfr> even with two hops or whatever?

21:48 <q3k> yep

21:48 <hpfr> I will look into the vpn subnet static route stuff

21:48 <q3k> yeah you just pick yourself a nice /24 from RFC1918

21:49 <q3k> and then on the clients (ie your LAN device and your laptop) route that entire /24 through wg (which wg-quick will do for you)

21:49 <hpfr> can I have wg do some DNS for those IP's

21:49 <q3k> what do you mean?

21:49 <cransom> if you weren't that interested in managing the vpn, but still wanted wireguard, you can look into tailscale as well.

21:50 <hpfr> like setting up name.domain to point to something in the /24 wg has

21:51 <q3k> as you will basically statically allocate there IPs

21:51 <hpfr> cransom: I looked in to nebula but it couldn't punch my cgnat. tailscale seems to be more robust with this but I'm not really interested in the stuff like setting up an account with them or using google or something as an identity provider, I want it self hosted

21:51 <q3k> you can use any sort of DNS service for that

21:51 <hpfr> alright

21:51 <q3k> wg itself doesn't provide a DNS service

21:52 <q3k> if it's just two hosts, you can even just drop stuff into /etc/hosts :P

21:52 <cransom> TIL about nebula. and then i ask why slack has engineers working on a mesh vpn.

21:52 <q3k> i think they're targeting datacenter deployments

21:53 <hpfr> yeah, on my router I've set up unbound with some dns records from a domain I own to a local IP so I want to preserve that for remote clients since the domain enables SSL for some services I'm hosting locally

21:53 <q3k> which might make sense if they have a bunch of compute resources around the world, but have no decent private conenctivity between them

21:53 <q3k> and for some reason don't want to use mTLS for auth

21:53 <hpfr> yeah nebula is definitely datacenter focused right now because it's pretty bad for consumer nat setups. relays through lighthouses are coming (I could get both peers to talk to my lighthouse vps but not each other)

21:54 <q3k> wg works fine across all NATs I've encountered so you should be good here

21:54 <q3k> also CGNAT and no v6 sounds like hell, i don't envy your ISP :P

21:54 <q3k> or well, you using this ISP

21:55 <hpfr> yeah I imagine the ISP has it easy since they haven't changed anything in decades probably lol

21:55 <hpfr> it's super frustrating

21:55 <q3k> cgnat is somewhat new, so they at least plopped that in recently

21:56 <q3k> basically it only became a thing since buying a /24 become more expensive than a CGNAT box :P

21:57 <hpfr> I don't even know if it's cgnat actually but I'm in this apartment with some janky setup where they have ethernet ports going to a few rooms that I have to plug in my own router to so it's probably just double nat to some router the ISP set up here

21:59 <cransom> that sounds more likely. 'netgear routers all the way down'

21:59 <hpfr> yup :(

21:59 <q3k> daisy chained airport express boxes are the bane of my existence

22:00 <q3k> i once worked with a company that had a network full of this shit

22:00 <q3k> everytime someone thought the network sucked

22:00 <q3k> they would just buy an airport extreme/express/we and just plug it into a random socket

22:00 <q3k> 'surely that would make things better', they thought

22:00 <q3k> narrator: it didn't

23:10 superherointj has quit [Quit: Leaving]

23:10 teto has quit [Ping timeout: 260 seconds]