eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9824 Location: almost Mile High in the USA
Posted: Tue Feb 28, 2023 3:27 am Post subject: VPS/remote hosting static IP...
Well right now I have static IPs to my home and I self host my own network infrastructure.
However this may become untenable due to impending limitations...
I've noticed a lot of people have switched to using a static IP on a VPS or remote host and use a VPN to connect to it, and have port forwarding from the VPS to your home private network that actually handles services whether it be SMTPD or HTTPD or sshd.
However this implies you also have to trust your VPS a bit more than just a router or other networking infrastructure... is this true or do most people treat their VPS, despite being 'yours', as a potential risk to your machine? Meaning, what is to stop the VPS provider being an evil maid logging into root of your VPS instance and installing loggers/MITM/etc., since they are in control of the hypervisor there? Is this simply a risk one has to take? Or does that VPS pretty much need to remain outside your firewall?
Granted any ISP can do MITM, but this seems like a bigger risk if I want it to be part of my home network via VPN so the VPS can NAT to my home network?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
Posted: Tue Feb 28, 2023 9:33 am
eccerr0r,
You have to trust your VPS provider, if you use one.
That's what the 'P' means. Private :)
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3433
Posted: Tue Feb 28, 2023 12:58 pm
Well, if the VPS provider really wants to screw you over, there's nothing you can do, so yes, you have to trust it with whatever you put there.
However, if you just use it for a stable IP address, you can put literally nothing of importance on this machine, and then it is basically a fancy router.
eccerr0r Watchman
Posted: Tue Feb 28, 2023 5:00 pm
I can trust my ISP more than I can trust a VPS IMHO, because the VPS server can hold state and ISPs should be stateless (since we're talking about IPv4/IPv6 packets). I guess that's why having my own static IP and self hosting the whole stack is preferable to VPS... If I get some VPS (or colo) to hold my static IP I want to make sure any routed packet from that box maintains the source of the packet, whether it's from outside the network or evil maid that injected packets...
So pretty much back to trust?
Ugh. Thought a solution was found but now back to square 1.
szatox Advocate
Posted: Tue Feb 28, 2023 9:17 pm
You don't have to SNAT traffic incoming via a VPS.
DNAT will be enough, and then you retain the origin's IP address. Not that it changes a lot.
On the receiving end you can set up something along the lines of reflective routing. I mean, there are ways to force replies down the same pipe the request arrived (like multiple routing tables with source IP match, perhaps wireguard with mark feature enabled would set reflective routing too). At least in case of TCP, stateless UDP may be more tricky.
And boom, it's just a router, and your outgoing traffic can even bypass it.
eccerr0r Watchman
Posted: Tue Feb 28, 2023 11:40 pm
Right, just that I worry about evil maid because the (vps/colo)remote server is not in my control - they can make packets that appear to be coming from "within" my own network because the VPN makes it part of my network...
if I have my own ip address... if I see a private source packet coming from my external ip network interface ... I can easily drop it!
It is all about trust, I'm just wondering if everyone has the same worries as I do but just don't worry about it?
Hu Administrator
Joined: 06 Mar 2007 Posts: 22673
Posted: Tue Feb 28, 2023 11:57 pm
You can arrange the VPN configuration such that the VPS is not part of your network. For example, give your home machines 192.168.0.x and give the VPS a VPN-internal IP of 172.16.0.1. Configure the home-side VPN endpoint to disallow VPN-delivered traffic with a source of 192.168.x.x, since the VPS should only be delivering its own traffic (172.16.0.1) or Internet-traffic (public IP range), never anything 192.168.x.x. You control that endpoint since it is in your home, so an evil maid cannot configure the VPS to bypass it. If the maid sets a VPS source IP of 192.168.x.x, the traffic gets dropped. If the maid sets it to use its intended VPS IP, then your other trust relationships can recognize it. Configure home machines to distrust 172.16.x.x to whatever degree makes you comfortable. You might set it that the VPS can ssh by key only to a restricted user account, but cannot connect to http.
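A home-side wg-quick configuration that does what this post describes, together with the reply steering szatox sketched a few posts up (mark connections that entered via the tunnel, send their replies back the same way). This is an added example, not something any poster in this thread provided. Its assumptions, beyond the addresses already used in the thread: the home gateway (192.168.0.1) terminates WireGuard on wg0 with tunnel address 172.16.0.2 and the VPS at 172.16.0.1, the LAN interface is lan0 and the ISP uplink wan0, the service host is 192.168.0.2, the published services are TCP 25, 80 and 443, the gateway uses nftables, and the angle-bracket placeholders stand for real keys and the VPS's public address.

```ini
# /etc/wireguard/wg0.conf on the home gateway (192.168.0.1).
# Added example, not from this thread. Interface names (lan0, wan0, wg0), the
# 172.16.0.0/30 tunnel, the 192.168.0.2 server, the port list and the key
# placeholders are all assumptions.
[Interface]
Address = 172.16.0.2/30
PrivateKey = <home-private-key>
# Keep wg-quick out of the main routing table: normal outbound traffic still
# leaves via the ISP, and only marked replies (section 3) are steered into the tunnel.
Table = off
PostUp = sysctl -w net.ipv4.ip_forward=1
# Loose reverse-path check on wg0: the main table's route back to a public client
# points at wan0, so strict rp_filter would silently drop everything from the tunnel.
PostUp = sysctl -w net.ipv4.conf.wg0.rp_filter=2

# 1. Anti-spoofing. The only legitimate sources on wg0 are the VPS itself
#    (172.16.0.1) and the public Internet addresses it DNATs towards us. A
#    tunnel packet claiming a LAN or other private address is dropped before
#    routing, whatever the operator of the VPS does on their side.
PostUp = nft add table ip wgin
PostUp = nft add chain ip wgin raw '{ type filter hook prerouting priority raw; }'
PostUp = nft add rule ip wgin raw 'iifname "wg0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } ip saddr != 172.16.0.1 counter drop'

# 2. What may cross from the tunnel into the LAN. The VPS's own address gets
#    ssh to the server and nothing else; Internet clients get only the
#    published ports. Established/related traffic is left to the gateway's
#    existing ruleset.
PostUp = nft add chain ip wgin forward '{ type filter hook forward priority filter; }'
PostUp = nft add rule ip wgin forward 'iifname "wg0" ip saddr 172.16.0.1 ip daddr 192.168.0.2 tcp dport 22 ct state new accept'
PostUp = nft add rule ip wgin forward 'iifname "wg0" ip saddr 172.16.0.1 counter drop'
PostUp = nft add rule ip wgin forward 'iifname "wg0" ip daddr 192.168.0.2 tcp dport { 25, 80, 443 } ct state new accept'
PostUp = nft add rule ip wgin forward 'iifname "wg0" ct state new counter drop'

# 3. Reply steering. Connections that arrived through the tunnel get a
#    conntrack mark; reply packets coming back from the LAN inherit it, and a
#    policy-routing rule sends marked packets out through wg0 instead of the
#    ISP uplink, so the client sees the VPS address it connected to.
PostUp = nft add chain ip wgin mangle '{ type filter hook prerouting priority mangle; }'
PostUp = nft add rule ip wgin mangle 'iifname "wg0" ct state new ct mark set 0x1'
PostUp = nft add rule ip wgin mangle 'iifname "lan0" ct mark 0x1 meta mark set ct mark'
PostUp = ip route add default dev wg0 table 100
PostUp = ip rule add fwmark 0x1 table 100

PostDown = ip rule del fwmark 0x1 table 100
PostDown = ip route flush table 100
PostDown = nft delete table ip wgin

[Peer]
PublicKey = <vps-public-key>
Endpoint = <vps-public-ip>:51820
# This must cover the whole Internet because forwarded clients arrive with their
# real public source addresses; it therefore cannot be used to exclude private
# ranges, which is why rule 1 above exists.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Two things the gateway's existing ruleset has to honour for this to work: its masquerade rule must match oifname "wan0" only (masquerading replies that leave via wg0 would rewrite their source to 172.16.0.2, and the VPS's conntrack entry for the DNATed flow would no longer match), and reverse-path filtering on wg0 has to be loose rather than strict, which the sysctl line handles. Conntrack tracks UDP flows as well as TCP, so the same mark-and-restore steering covers UDP replies. The source-address variant szatox mentioned (`ip rule add from 192.168.0.2 table 100`) is simpler but pushes all of that host's outbound traffic through the VPS, which this setup deliberately avoids.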
szatox Advocate
Posted: Wed Mar 01, 2023 1:28 am
Quote: if I have my own ip address... if I see a private source packet coming from my external ip network interface ... I can easily drop it!
You can just treat it like the ISP's router. ISP can SNAT too. Consider the interface created by vpn to be an external device.
Quote: It is all about trust, I'm just wondering if everyone has the same worries as I do but just don't worry about it?
No, I have actually put more things on my vps than just vpn.
I took some actions to secure it against automated attacks, but it's purely a matter of inconveniencing the potential attacker, hoping I'm not important enough for actual people to bother with manual inspection.
Virtual machines can be snapshotted while running, including RAM. Even if you encrypt your hard drives, a sufficiently determined attacker with direct access to memory will eventually get in, and without waiting for the heat death of the universe.
Bare metal server is more difficult to tamper with, though being dedicated servers, they also come with management interfaces which have some potential to be abused. Not to mention deliberately modified hardware. However, there is nothing you can do to protect against this kind of attack, so.... Well, if your process depends on trusting the machine, then you do implicitly trust the provider.
Still, if you are paranoid about VPS being compromised, simply don't give it the authority to claim a request comes from a trusted origin.
Use its key only for terminating VPN. Restrict chit-chat from VPS to your home server (block it from leaking to other machines via vlans or whatever). Once traffic reaches your actual server, treat it as incoming from the internet. Can the origin IP be spoofed? Yes. But so it can on the internet.
eccerr0r Watchman
Posted: Wed Mar 01, 2023 1:32 am
so I'd need some sort of double NAT if I want to port forward from the colo/vpn static ip to my internal service?
Another ugly setup that would be good to avoid...?
Anyone actually do something like this? or opted to do something simpler as you trust your colo/vps?
szatox Advocate
Posted: Wed Mar 01, 2023 1:34 am
Why double NAT? What is the thing you're thinking about?
eccerr0r Watchman
Posted: Wed Mar 01, 2023 1:58 am
was thinking outside -> 172.16.0.1/24 network, which will need some sort of NAT. Then at the border of my home network, another NAT needs to translate the 172.16.0.2/24 to the 192.168.0.1 network (since 172.16.x.x and 192.168.x.x are not routeable networks?) ... Will the outside address be maintained on the 192.168.0.1 address?
or is there a way to avoid this too?
spica Guru
Joined: 04 Jun 2021 Posts: 330
Posted: Wed Mar 01, 2023 3:23 am
eccerr0r wrote: needs to translate the 172.16.0.2/24 to the 192.168.0.1 network
Try to check ifconfig or ip addr at the moment when your vpn to the vps is up. I suspect both sides of vpn are in the 172.16.0.2/24 subnet
Hu Administrator
Posted: Wed Mar 01, 2023 4:04 am
172.16.0.0/12 and 192.168.0.0/16 are both non-routeable on the public Internet, but it's quite possible to have a private LAN that sees both and routes among them. You never need (and often do not even want) NAT for connections from the Internet into the private range, because that obscures the public Internet IP from the eventual server, and offers no value in return. You need NAT for connections from the private range out to the Internet, because if you skip that, then you are telling Internet hosts to return their responses to 192.168.0.0/16, and they cannot, so they drop the response instead, and you get no connection.
szatox Advocate
Posted: Wed Mar 01, 2023 3:20 pm
eccerr0r wrote: was thinking outside -> 172.16.0.1/24 network, which will need some sort of NAT. Then at the border of my home network, another NAT needs to translate the 172.16.0.2/24 to the 192.168.0.1 network (since 172.16.x.x and 192.168.x.x are not routeable networks?) ... Will the outside address be maintained on the 192.168.0.1 address? or is there a way to avoid this too?
They are only non-routable, because internet sucks at Among Us. You DO know which of those networks belongs to you, so as long as you have a wire (either physical or virtual) connecting those networks, you can route packets yourself. Actually, pretty much everyone with more than 1 SOHO router does that.
The only NAT you need is DNAT on the gateway, so the incoming traffic will be sent to somewhere in your 192.168/16 network instead of being accepted or rejected as input.
I mean, you could use a proxy instead, but it would probably be more complicated and definitely more resource hungry, so don't do that unless you have a non-technical reason like e.g. keeping things consistent.
eccerr0r Watchman
Posted: Wed Mar 01, 2023 3:55 pm
so suppose I have a server at 192.168.0.2
You mean that it's possible for the VPS to directly specify that it can DNAT to 192.168.0.2 when it's not in its routing table since it has no knowledge of the network, only of the 172.16.0.x network which it would know about due to the VPN?
perhaps there can be a static route on the vps to default via 172.16.0.3 or something which is the internal endpoint of the vpn on my side?
hmm...technically I could experiment with this setup today with VMs, but it all seems like a lot of work for continued hassles down the road...
Hu Administrator
Posted: Wed Mar 01, 2023 4:49 pm
When sending an IP packet, regardless of the destination, the kernel needs a routing table entry to tell it where to go. For directly adjacent systems on the LAN, the packet can go straight to that system. For any other system, the packet needs to go to a system which is better positioned than the local host to find the intended destination. None of this is specific to VPS, VPNs, or locally managed private networks. If your VPS has no specific route for 192.168.0.2, it will rely on its default route, which may well be a system that has no way to deliver the packet. Your VPS could be given specific static routes that direct both 192.168.x.x and 172.16.x.x to the home side of the VPN. That home side could then deliver the packets, if its firewall rules did not drop them.
eccerr0r Watchman
Posted: Wed Mar 01, 2023 5:01 pm
then the next question is finding a cheap reliable static ip vps/colo that I can do this with that doesn't appear on any smtp blacklists...
And I suspect I need to maintain it, so I'd ... have to... run Gentoo on it! This may be quite ugly, no GUI needed of course but it still needs to likely run gcc...and may want to have libX11 on it...
ultimately I need to reduce costs hence giving up my current setup, which I'd rather keep if things were the way it was 5 years ago...before this inflation thing... If they were scaling up speed with the cost then maybe I'd stick to them but it has not.
pingtoo Veteran
Joined: 10 Sep 2021 Posts: 1248 Location: Richmond Hill, Canada
Posted: Wed Mar 01, 2023 5:56 pm
I don't see why the vps/colo requires Gentoo. Especially as I think Gentoo is the wrong choice for this role. As you already pointed out, Gentoo's maintenance cost is a lot higher than that of those purpose-built systems.
In terms of purpose-built systems, I recommend looking into OpenWrt, which is simple from functionality to maintenance; if you need more advanced features you can try pfSense (or OPNsense (when it must be Linux)).
All those purpose-built systems share the same characteristics: easy to maintain, easy to operate, though some are more difficult to set up than others.
NeddySeagoon Administrator
Posted: Wed Mar 01, 2023 6:12 pm
eccerr0r,
The private 'non routeable' address ranges, in both IPv4 and IPv6 are only a convention.
Users are not supposed to send them outside of their own LAN.
Doing so on a regular basis may result in a nastygram from your ISP. :)
If you want to route them, it works but don't expect anyone to route them on your behalf.
The convention is that they are dropped if they appear.
e.g. if you have a tunnel over the internet and control both ends, routing the private 'non routeable' address ranges through the tunnel works.
eccerr0r Watchman
Posted: Wed Mar 01, 2023 6:20 pm
Are there people here actually doing this?
Was it worth the effort? Are you running pfsense or whatnot on your VPS/colo? Or are you simply dumping all of your services on the VPS/colo because it's "trustable" and clearly simpler setup - and not using it as a router (and thus reduce one failure mechanism trading off security)?
pingtoo Veteran
Posted: Wed Mar 01, 2023 6:34 pm
eccerr0r wrote: Are there people here actually doing this? Was it worth the effort? Are you running pfsense or whatnot on your VPS/colo? Or are you simply dumping all of your services on the VPS/colo because it's "trustable" and clearly simpler setup - and not using it as a router (and thus reduce one failure mechanism trading off security)?
I use OpenWrt as my router. It is running on a Nano Pi R4S; my ISP modem is in bridge mode and passes traffic directly to my OpenWrt for routing.
OpenWrt uses openvpn as its default VPN setup. But you can also use WireGuard instead to create the tunnel. If you find a VPS that allows you to deploy your own OS it should not be too difficult to deploy OpenWrt.
eccerr0r Watchman
Posted: Wed Mar 01, 2023 6:41 pm
But you're in control of that machine (router) so not quite the same setup. Was wondering about people running a VPS/colo as a remote router that you don't have full control over, and VPN into this router to run services on your home machine (like smtpd, httpd) in which the VPS/colo merely maintains your static IP presence.
Was hoping this would be a one time deal and no (network) maintenance issues - and worried about other gotchas like having the VPN drop for no reason causing all your services to stop working - how much has this been a problem, etc.?
My current network setup is pretty much 100% reliable right now (heck I run a vpn endpoint so that I can VPN into my network if I'm on an insecure network). Short of ISP issues and problems I cause myself, this has been smooth sailing. This is what I'm worried about losing, but the isp cost now is just stupid...
(come to think of it, I'd probably have to lose my VPN endpoint and move it onto the VPS, so that's one thing that has to change with such new arrangement, so that's another infrastructure change...)
pingtoo Veteran
Posted: Wed Mar 01, 2023 7:33 pm
eccerr0r,
I think we have already established the need to trust your VPS provider. I assume we don't need to discuss the details of VPS node security settings for keeping out the VPS provider's personnel.
So your VPS node at your VPS provider's site should not be much different from the node on your premises.
What you really want is for the VPS node to be as easy to maintain as possible, and at the same time secure enough that it is not easy to tamper with from the inside (VPS provider) or from the outside (Internet).
OpenWrt is one such example. It is purpose-built as a router node. It is predefined with security in mind, in that it can run as a read-only node, so it is easy to recover and easy to discover if it has been tampered with.
Now the main problem becomes the need to secure your on-premises network to the VPS node. That is where the VPN comes in. The VPN builds the secure tunnel (a virtual wire) connecting your home network to the VPS router, and now your VPS can route traffic from its Internet-facing NIC through the secure tunnel to your home network.
Disclaimer: I have no affiliation with DigitalOcean, I am just a user of DigitalOcean droplets.
You can search 'digitalocean vpn' or 'digitalocean wireguard', there are plenty of howto instructions. Or you can see DigitalOcean's own intro for VPN. As it says well, "The safest VPN is the one you run yourself"
NeddySeagoon Administrator
Posted: Wed Mar 01, 2023 7:38 pm
eccerr0r,
Is a service like no-ip any help?
That's not a recommendation. I've been with my ISP nearly 22 years. That's a recommendation.
When I signed up, they asked me if I wanted a single static IP or a /29 for the same price.
They still only do static IPv4. Unfortunately, they are a small UK provider.
szatox Advocate
Posted: Wed Mar 01, 2023 7:47 pm
Quote: Or are you simply dumping all of your services on the VPS/colo because it's "trustable" and clearly simpler setup
Yes.
And I will keep it that way for the simple reason a VPS at 3-4E/month is always online; I also have an almost full, file level backup at home, so I can rebuild it in reasonable time.
I didn't really have a need for a proper personal VPN so far, but making it this way is somewhere in my backlog. I'll do it once I feel like going all-out with bird, redundancy, blinking lights, bells and whistles, because it sounds fun.
Quote: Was hoping this would be a one time deal and no (network) maintenance issues - and worried about other gotchas like having the VPN drop for no reason causing all your services to stop working - how much has this been a problem, etc.?
If you have a reliable connection, you should be fine.
Static routing is simple, you just enable IP forwarding in kernel and add a rule pointing to the next hop to the table. Oh, taking an interface down removes its rules, so make sure whatever vpn you use between VPS and home server adds them upon connect.
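The VPS end of the same arrangement, as an added example rather than anything posted in this thread: the DNAT-only forwarding szatox described, the static route into the home LAN that Hu described, and IP forwarding plus rules that are recreated whenever the tunnel comes up, which is the point made just above. Assumptions: the VPS's public interface is eth0, the tunnel is wg0 with the VPS at 172.16.0.1 and the home endpoint at 172.16.0.2, the service host is 192.168.0.2 on a 192.168.0.0/24 LAN, the published services are TCP 25, 80 and 443, nftables is installed, and the angle-bracket placeholders stand for real keys.

```ini
# /etc/wireguard/wg0.conf on the VPS.
# Added example, not from this thread. eth0 as the public interface, the
# 172.16.0.0/30 tunnel, the 192.168.0.0/24 LAN with the server at 192.168.0.2,
# the port list and the key placeholders are all assumptions.
[Interface]
Address = 172.16.0.1/30
ListenPort = 51820
PrivateKey = <vps-private-key>
# Without forwarding a DNATed packet would be delivered locally instead of
# handed on to the tunnel. The VPS's own input policy must also accept
# udp dport 51820 for the WireGuard handshake; that is not done here.
PostUp = sysctl -w net.ipv4.ip_forward=1

PostUp = nft add table ip vpsfwd
# Inbound on the public side: rewrite only the destination. The client's source
# address is left intact (no SNAT), so the home server still sees who connected.
PostUp = nft add chain ip vpsfwd prerouting '{ type nat hook prerouting priority dstnat; }'
PostUp = nft add rule ip vpsfwd prerouting 'iifname "eth0" tcp dport { 25, 80, 443 } dnat to 192.168.0.2'
# Forwarding is closed by default. Only DNATed flows may go down the tunnel and
# only their replies may come back up; the VPS can neither originate traffic into
# the LAN through this path nor act as the LAN's gateway to the Internet.
PostUp = nft add chain ip vpsfwd forward '{ type filter hook forward priority filter; policy drop; }'
# WireGuard's default MTU is 1420; clamp MSS on the SYNs of both directions so
# neither side sends segments that would not fit through the tunnel
# (1420 minus 40 bytes of IPv4 and TCP headers).
PostUp = nft add rule ip vpsfwd forward 'tcp flags syn tcp option maxseg size set 1380'
PostUp = nft add rule ip vpsfwd forward 'iifname "eth0" oifname "wg0" ct status dnat accept'
PostUp = nft add rule ip vpsfwd forward 'iifname "wg0" oifname "eth0" ct state established,related accept'
PostDown = nft delete table ip vpsfwd

[Peer]
PublicKey = <home-public-key>
# AllowedIPs does double duty: it is the cryptokey allow-list (packets from the
# home side must carry one of these sources) and, with Table left at its default,
# wg-quick installs a route for each prefix via wg0 every time the tunnel comes
# up. That is the static route for 192.168.0.0/24 pointing at the home end; it
# goes away with the interface and comes back with it.
AllowedIPs = 172.16.0.2/32, 192.168.0.0/24
PersistentKeepalive = 25
```

Because there is no SNAT and the forward chain drops everything that is not a DNATed flow or its reply, the VPS is exactly the "fancy router" described earlier in the thread: whoever controls it can observe or interfere with the traffic passing through, but the box itself holds nothing beyond one tunnel key and these rules, and a compromise of it buys no more than the three published ports, which the home side filters again on its own terms.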