lopsided98 has quit [Quit: No Ping reply in 180 seconds.]
lopsided98 has joined #nixos-on-your-router
superherointj has joined #nixos-on-your-router
teto has joined #nixos-on-your-router
<hpfr>
I want to be able to access my home network remotely via a VPN. I'm behind a nasty CGNAT and there's no IPv6 (even a mesh solution like nebula failed to work with it), so I believe I'm forced to use a topology where I set up a site-to-site VPN on my router to a VPS with a public IP, and then on the VPS I set up the actual VPN to connect to from remote clients?
<hpfr>
if that's the correct approach, what do I need to do on the VPS to route traffic to my home LAN's subnet from clients to the exposed VPS VPN through the site-to-site VPN to my home LAN? I'll be using wireguard
<hpfr>
I've been trying to search the internet for this but I'm lacking the correct terminology for finding how to do the routing on the VPS for the local subnet through the site to site
<hpfr>
so if you know what I should search for that's all I need
<q3k>
i think what you're looking for is just plain port forward, no?
<hpfr>
I can't forward ports from my lan because of CGNAT, right?
<hexa->
Yes
<q3k>
you can forward it over the VPN
<q3k>
like step zero is to get things to route correctly between your home network and the VPN termination on your VPS
<hexa->
Onion service comes to mind honestly
<hpfr>
oh well I want to forward all ports over the VPN don't I? I want it to be as if I'm on my local network
<q3k>
i mean, it depends what you want
<hexa->
Oh nvm, different use case
<q3k>
if you instead want to magically give a public IP address to one of your home devices it's a bit more involved
<hpfr>
no I don't want to do that
<q3k>
so what do you want to do
<hpfr>
just want to access my lan from the road
<hpfr>
but cgnat makes it complex
<q3k>
right
<q3k>
so set up some device on your network to be a wireguard client
<q3k>
into your VPS which will be a wireguard server
<q3k>
then, i don't know, set it up so 10.13.37.1 is your server's address on the wireguard tunnel, and 10.13.37.2 is your device's address on the wireguard tunnel
<q3k>
once that works, you can already ssh over into your network from the outside
<q3k>
just by doing `ssh -J vps.example.com 10.13.37.2`
<q3k>
(-J for jumphost)
<q3k>
then you can start applying more and more network trickery to for instance forward ports
<q3k>
instead of having to use an SSH jump host
<hpfr>
yeah I think I want wg to do the heavy lifting not ssh
<q3k>
i mean
<q3k>
it doesn't matter
<q3k>
first get that setup working
<q3k>
it's a prerequisite anyway
<q3k>
then once that works, set up more complex stuff on top of that
<hpfr>
ok
<q3k>
like there's some intricacies related to port forwarding over this sort of setup, where you have to usually both SNAT and DNAT
<q3k>
and it's easier to explain and solve that
<q3k>
once you have the wireguard tunnel up and verified to work
<hpfr>
sounds good. I'm pretty sure this is more of a layer 3 thing than a layer 4 thing though? I think if you configure wireguard to expose the IPs you shouldn't have to mess with port forwarding, no
<q3k>
doing this at l3 would mean 'moving' the entire VPS's IP into your network
<q3k>
which you can't do, because your VPS is using it
<q3k>
(notably, to terminate wireguard in the first place)
<q3k>
so you can only really emulate this at an l4+ level with a bunch of iptables trickery
<q3k>
even if you attach an extra IP to your VPS doing forwarding for that is nontrivial
<q3k>
and also very dependent on how that IP actually gets attached to your VPS
<q3k>
(which tends to already be mildly magical with more VPS setups)
<hpfr>
isn't this what wg interfaces are for though? can't you just say route traffic to these IPs over this interface?
<cransom>
yes, this is what tunnel interfaces are for. i agree with hpfr. there's no layer 4 trickery unless you are going to remap/proxy/whatever to tcp/udp ports
<q3k>
yes, but even if you set a public address on one side of the tunnel
<q3k>
how are you going to move packets into it?
<q3k>
like if you have a public address A on the public interface of the VPS
<q3k>
those are already going into the kernel's network stack for that address
<q3k>
how do you simultaneously want to keep using this public address and route it over to the other side of a network link?
<cransom>
i don't see where anyone is binding a public address onto wg0
<q3k>
okay, so how do you suggest to set this up?
<cransom>
allocate a vpn subnet that you'll assign addresses to wg0. vps sets a static route to the lan subnet for the client that is the home router.
<cransom>
i don't know if wireguard installs kernel routes when you configure the allowed prefixes, but if it doesn't, `ip route add` is it.
<q3k>
sure
<q3k>
that gives you l3 connectivity over some publically unroutable network between the two
<q3k>
(and that's what i recommended as a starting point above)
<q3k>
but that doesn't let you expose anything from the local device into the internet (yet)
<cransom>
i don't think that was OPs need.
<hpfr>
yeah I don't think I'm trying to expose things to the internet, I clarified I just want to use my laptop like it's essentially on my LAN
<q3k>
oh
<q3k>
apologies then, i misread and misassumed
<hpfr>
no problem it was very helpful
<q3k>
yeah, then you don't need any of what i mentioned, wireguard will work ootb here
<q3k>
especially if you use wg-quick, it will set up routes and everything automagically
<q3k>
sorry for the confusion.
<hpfr>
even with two hops or whatever?
<q3k>
yep
<hpfr>
I will look into the vpn subnet static route stuff
<q3k>
yeah you just pick yourself a nice /24 from RFC1918
<q3k>
and then on the clients (ie your LAN device and your laptop) route that entire /24 through wg (which wg-quick will do for you)
<hpfr>
can I have wg do some DNS for those IPs
<q3k>
what do you mean?
<cransom>
if you weren't that interested in managing the vpn, but still wanted wireguard, you can look into tailscale as well.
<hpfr>
like setting up name.domain to point to something in the /24 wg has
<q3k>
as you will basically statically allocate their IPs
<hpfr>
cransom: I looked into nebula but it couldn't punch my cgnat. tailscale seems to be more robust with this but I'm not really interested in the stuff like setting up an account with them or using google or something as an identity provider, I want it self hosted
<q3k>
you can use any sort of DNS service for that
<hpfr>
alright
<q3k>
wg itself doesn't provide a DNS service
<q3k>
if it's just two hosts, you can even just drop stuff into /etc/hosts :P
<cransom>
TIL about nebula. and then i ask why slack has engineers working on a mesh vpn.
<q3k>
i think they're targeting datacenter deployments
<hpfr>
yeah, on my router I've set up unbound with some dns records from a domain I own to a local IP so I want to preserve that for remote clients since the domain enables SSL for some services I'm hosting locally
<q3k>
which might make sense if they have a bunch of compute resources around the world, but have no decent private connectivity between them
<q3k>
and for some reason don't want to use mTLS for auth
<hpfr>
yeah nebula is definitely datacenter focused right now because it's pretty bad for consumer nat setups. relays through lighthouses are coming (I could get both peers to talk to my lighthouse vps but not each other)
<q3k>
wg works fine across all NATs I've encountered so you should be good here
<q3k>
also CGNAT and no v6 sounds like hell, i don't envy your ISP :P
<q3k>
or well, you using this ISP
<hpfr>
yeah I imagine the ISP has it easy since they haven't changed anything in decades probably lol
<hpfr>
it's super frustrating
<q3k>
cgnat is somewhat new, so they at least plopped that in recently
<q3k>
basically it only became a thing since buying a /24 became more expensive than a CGNAT box :P
<hpfr>
I don't even know if it's cgnat actually but I'm in this apartment with some janky setup where they have ethernet ports going to a few rooms that I have to plug in my own router to so it's probably just double nat to some router the ISP set up here
<cransom>
that sounds more likely. 'netgear routers all the way down'
<hpfr>
yup :(
<q3k>
daisy chained airport express boxes are the bane of my existence
<q3k>
i once worked with a company that had a network full of this shit
<q3k>
every time someone thought the network sucked
<q3k>
they would just buy an airport extreme/express/we and just plug it into a random socket
<q3k>
'surely that would make things better', they thought