VPS/remote hosting static IP...

[eccerr0r]

Well right now I have static IPs to my home and I self host my own network infrastructure.
However this may become untenable due to impending limitations...

I've noticed a lot of people have switched to using a static IP on a VPS or remote host and use a VPN to connect to it, and have port fowarding from the VPS to your home private network that actually handles services whether it be SMTPD or HTTPD or sshd.

However this implies you also have to trust your VPS a bit more than just a router or other networking infrastructure... is this true or do most people treat their VPS, despite being 'yours', a potential risk to your machine? Meaning, what is to stop the VPS provider being an evil maid logging into root of your VPS instance and installing loggers/MITM/etc. whether being in control of the hypervisor there? Is this simply a risk one has to take? Or does that VPS pretty much need to remain outside your firewall?

Granted any ISP can do MITM, but this seems like a bigger risk if I want it to be part of my home network via VPN so the VPS can NAT to my home network?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[NeddySeagoon]

eccerr0r,

You have to trust your VPS provider, if you use one.
That's what the 'P' means. Private :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[szatox]

Well, if the VPS provider really wants to screw you over, there's nothing you can do, so yes, you have to trust it with whatever you put there.
However, if you just use it for a stable IP address, you can put literally nothing of importance on this machine, and then it is basically a fancy router.

[eccerr0r]

I can trust my ISP more than I can trust a VPS IMHO, because the VPS server can hold state and ISPs should be stateless (since we're talking about IPv4/IPv6 packets). I guess that's why having my own static IP and self hosting the whole stack is preferable to VPS... If I get some VPS (or colo) to hold my static IP I want to make sure any routed packet from that box maintains the source of the packet, whether it's from outside the network or evil maid that injected packets...

So pretty much back to trust?

Ugh. Thought a solution was found but now back to square 1.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[szatox]

You don't have to snat traffic incoming via a vps.
DNAT will be enough, and then you retain the origin's IP address. Not that it changes a lot.
On the receiving end you can set up something along the lines of reflective routing. I mean, there are ways to force replies down the same pipe the request arrived (like multiple routing tables with source IP match, perhaps wireguard with mark feature enabled would set reflective routing too). At least in case of TCP, stateless UDP may be more tricky.

And boom, it's just a router, and your outgoing traffic can even bypass it.

[eccerr0r]

Right, just that I worry about evil maid because the (vps/colo)remote server is not in my control - they can make packets that appear to be coming from "within" my own network because the VPN makes it part of my network...

if I have my own ip address... if I see a private source packet coming from my external ip network interface ... I can easily drop it!

It is all about trust, I'm just wondering if everyone has the same worries as I do but just don't worry about it?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

You can arrange the VPN configuration such that the VPS is not part of your network. For example, give your home machines 192.168.0.x and give the VPS a VPN-internal IP of 172.16.0.1. Configure the home-side VPN endpoint to disallow VPN-delivered traffic with a source of 192.168.x.x, since the VPS should only be delivering its own traffic (172.16.0.1) or Internet-traffic (public IP range), never anything 192.168.x.x. You control that endpoint since it is in your home, so an evil maid cannot configure the VPS to bypass it. If the maid sets a VPS source IP of 192.168.x.x, the traffic gets dropped. If the maid sets it to use its intended VPS IP, then your other trust relationships can recognize it. Configure home machines to distrust 172.16.x.x to whatever degree makes you comfortable. You might set it that the VPS can ssh by key only to a restricted user account, but cannot connect to http.

[szatox]

[eccerr0r]

so I'd need some sort of double NAT if I want to port forward from the colo/vpn static ip to my internal service?
Another ugly setup that would be good to avoid...?

Anyone actually do something like this? or opted to do something simpler as you trust your colo/vps?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[szatox]

Why double NAT? What is the thing you're thinking about?

[eccerr0r]

was thinking outside -> 172.16.0.1/24 network, which will need some sort of NAT. Then at the border of my home network, another NAT needs to translate the 172.16.0.2/24 to the 192.168.0.1 network (since 172.16.x.x and 192.168.x.x are not routeable networks?) ... Will the outside address be maintained on the 192.168.0.1 address?

or is there a way to avoid this too?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[spica]

[Hu]

172.16.0.0/12 and 192.168.0.0/16 are both non-routeable on the public Internet, but it's quite possible to have a private LAN that sees both and routes among them. You never need (and often do not even want) NAT for connections from the Internet into the private range, because that obscures the public Internet IP from the eventual server, and offers no value in return. You need NAT for connections from the private range out to the Internet, because if you skip that, then you are telling Internet hosts to return their responses to 192.168.0.0/16, and they cannot, so they drop the response instead, and you get no connection.

[szatox]

[eccerr0r]

so suppose I have a server at 192.168.0.2
You mean that it's possible for the VPS to directly specify that it can DNAT to 192.168.0.2 when it it's not in its routing table since it has no knowledge of the network, only of the 172.16.0.x network which it would know about due to the VPN?

perhaps there can be a static route on the vps to default via 172.16.0.3 or something which is the internal endpoint of the vpn on my side?

hmm...technically I could experiment with this setup today with VMs, but it all seems like a lot of work for continued hassles down the road...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

When sending an IP packet, regardless of the destination, the kernel needs a routing table entry to tell it where to go. For directly adjacent systems on the LAN, the packet can go straight to that system. For any other system, the packet needs to go to a system which is better positioned than the local host to find the intended destination. None of this is specific to VPS, VPNs, or locally managed private networks. If your VPS has no specific route for 192.168.0.2, it will rely on its default route, which may well be a system that has no way to deliver the packet. Your VPS could be given specific static routes that direct both 192.168.x.x and 172.16.x.x to the home side of the VPN. That home side could then deliver the packets, if its firewall rules did not drop them.

[eccerr0r]

then the next question is finding a cheap reliable static ip vps/colo that I can do this with that doesn't appear on any smtp blacklists...
And I suspect I need to maintain it, so I'd ... have to... run Gentoo on it! This may be quite ugly, no GUI needed of course but it still needs to likely run gcc...and may want to have libX11 on it...

ultimately I need to reduce costs hence giving up my current setup, which I'd rather keep if things were the way it was 5 years ago...before this inflation thing... If they were scaling up speed with the cost then maybe I'd stick to them but it has not.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[pingtoo]

I don't see the vps/colo require Gentoo. especial I think Gentoo is wrong choice for this role. As you already point out Gentoo maintenance cost is a lot higher than those purposely build system.

In term of the purposely system, I recommend look into OpenWrt which is simple from functionally to maintenance, if you need more advance features you can try pfSense (or OPNsence (when must linux)).

All those purposely build system share same characteristics, easy to maintain, easy to operate, some more difficult setup than other.

[NeddySeagoon]

eccerr0r,

The private 'non routeable' address ranges, in both IPv4 and IPv6 are only a convention.
Users are not supposed to send them outside of their own LAN.
Doing so on a regular basis may result in a nastygram from your ISP. :)

If you want to route them, it works but don't expect anyone to route them on your behalf.
The convention is that they are dropped if they appear.

e.g. if you have a tunnel over the internet and control both ends, routing the private 'non routeable' address ranges through the tunnel works.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[eccerr0r]

Are there people here actually doing this?
Was it worth the effort? Are you running pfsense or whatnot on your VPS/colo? Or are you simply dumping all of your services on the VPS/colo because it's "trustable" and clearly simpler setup - and not using it as a router (and thus reduce one failure mechanism trading off security)?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[pingtoo]

[eccerr0r]

But you're in control of that machine (router) so not quite the same setup. Was wondering about people running a VPS/colo as a remote router that you don't have full control over, and VPN into this router to run services on your home machine (like smtpd, httpd) in which the VPS/colo merely maintains your static IP presence.
Was hoping this would be a one time deal and no (network) maintenance issues - and worried about other gotchas like having the VPN drop for no reason causing all your services to stop working - how much has this been a problem, etc.?

My current network setup is pretty much 100% reliable right now (heck I run a vpn endpoint so that I can VPN into my network if I'm on an insecure network). Short of ISP issues and problems I cause myself, this has been smooth sailing. This is what I'm worried about losing, but the isp cost now is just stupid...

(come to think of it, I'd probably have to lose my VPN endpoint and move it onto the VPS, so that's one thing that has to change with such new arrangement, so that's another infrastructure change...)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[pingtoo]

eccerr0r,

I think we already establish the need to trust your VPS provider. I assume we don't need to discuss detail of VPS node security setting for preventing VPS provider's personal.

So your VPS node at your VPS provider site should not much different than the node in your premises,

What you really want is the VPS node is a easy to maintain as possible. at the same time it is secure enough that is not easy to tampered with from inside(VPS provider) or from outside(Internet)

OpenWrt is one such example. It is purposely build as router node. It is predefined with security in mind that it can be running as read-only node, so it is easy to recover and easy to discovery if been tampered with.

Now the main problem become the need to secure your on premises network to the VPS node. that is where the VPN come in. the VPN build the secure tunnel (a virtual wire) connect you home network to VPS router and now your VPS can route traffic between Internet facing NIC through the secure tunnel to you home network.

Disclaimer: I have no affiliation with DigitalOcean, I am just a user of DigitalOcean droplet.

You can search 'digitalocean vpn" or "digitalocean wiregarud", there are plenty of howto instruction. Or you can see DigtalOcean's own intro for VPN. As it said well "The safest VPN is the one you run yourself"

[NeddySeagoon]

eccerr0r,

Is a service like no-ip any help?

That's not a recommendation. I've been with my ISP nearly 22 years. That's a recommendation.
When I signed up, they asked me if I wanted a single static IP or a /29 for the same price.
They still only do static IPv4. Unfortunately, the are a small UK provider.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[szatox]