Abdy Posted July 29, 2017

Hi,

I decided this week to wire my house and build a home network. As part of my home network, I purchased an old Xserve from 2009 and installed macOS Sierra on it. But the problems started when I tried to access the server from outside my network: I forwarded the ports on my router, but then I found another problem: my router is inside a big NAT from my ISP. (I stole a diagram from ServerFault that shows my situation.)

So I thought of two possible solutions:

- Get a dedicated IP from my ISP
- Use a VPN

First of all, I called my ISP asking for a dedicated IP address; unfortunately they only offer dedicated IPs on business plans (which are kinda expensive), so that is not an option for me. So I decided to go with the second option: use a VPN. I purchased a small VPS with two dedicated IP addresses (x.x.x.x and y.y.y.y) from a very well-known cloud provider, and then I proceeded to install xl2tpd with IPsec on the VPS.

Installing XL2TPD with IPsec on CentOS 6

Searching on Google, I found a very easy-to-use installation script, which you can find on GitHub here: https://github.com/hwdsl2/setup-ipsec-vpn

It is very recommendable to first update the OS dependencies by executing "yum update", and then install IPsec. You can do all this in one step:

yum -y update && wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh && chkconfig ipsec on

And that's all. At the end of the installation you will see your VPN access details in the terminal; save them in a secure place.

Enabling IP Forwarding

After the installation I tested the VPN on my computer and my Android phone, and navigation works pretty well.
So in order to get access to my server from the Internet, I configured the VPN on the server. You can find a detailed explanation of how to configure your new VPN in your OS here: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md

Now, when your server is connected to the VPN, we need to check which local IP the VPN assigned to our server. For explanation purposes I will use the IP z.z.z.z.

The installation script by default adds a DROP policy to the iptables firewall, so first we need to remove it.

First we must activate IP forwarding. To activate it you must modify the following parameters as shown below:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2

These parameters must be modified in the file /etc/sysctl.conf, or added at the end of it if they do not exist.

Now we will save all the iptables rules in a file called "rules.v4":

mkdir /etc/iptables/
iptables-save > /etc/iptables/rules.v4

Then open the new file with vi or nano:

nano /etc/iptables/rules.v4

Now you need to find these lines in the file, remove them and save the file:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited

After saving the file you need to restore it into iptables to load the new rules:

iptables -F
iptables-restore < /etc/iptables/rules.v4
service iptables save
service iptables reload

Now the final step: you need to enable IP forwarding at the OS level:

echo "1" > /proc/sys/net/ipv4/ip_forward && sysctl net.ipv4.ip_forward=1

Now, reboot your VPS.

Forward Local IP

Now, to access your server from the Internet, we need to forward the local IP (z.z.z.z) to the public IP. I will forward the server to the y.y.y.y IP. This step is easy: we only need to add some rules to iptables; these rules will forward all the ports to the local IP.
iptables -t nat -A POSTROUTING -o eth0 -s z.z.z.z -j SNAT --to-source y.y.y.y
iptables -t nat -A PREROUTING -i eth0 -d y.y.y.y -j DNAT --to-destination z.z.z.z
iptables -A FORWARD -s y.y.y.y -j ACCEPT
iptables -A FORWARD -d z.z.z.z -j ACCEPT
service iptables save
service iptables reload

And that is all! Now you can access your amazing server from http://y.y.y.y/
timnboys Posted July 29, 2017

1 hour ago, cyandark said:

Hi,

Inspired by this thread: I decided this week to wire my house and build a home network. As part of my home network, I purchased an old Xserve from 2009 and installed macOS Sierra on it. But the problems started when I tried to access the server from outside my network: I forwarded the ports on my router, but then I found another problem: my router is inside a big NAT from my ISP. (I stole a diagram from ServerFault that shows my situation.)

So I thought of two possible solutions:

- Get a dedicated IP from my ISP
- Use a VPN

First of all, I called my ISP asking for a dedicated IP address; unfortunately they only offer dedicated IPs on business plans (which are kinda expensive), so that is not an option for me. So I decided to go with the second option: use a VPN. I purchased a small VPS with two dedicated IP addresses (x.x.x.x and y.y.y.y) and then I installed xl2tpd with IPsec. After the installation I tested the VPN on my computer and my Android phone, and navigation works pretty well.

So in order to get access to my server from the Internet, I configured the VPN on the server (with the IP z.z.z.z) and I set up forwarding of ports 80 and 443 from z.z.z.z to y.y.y.y with iptables, using the following rules:

iptables -t nat -A PREROUTING -p tcp -d y.y.y.y --dport 80 -j DNAT --to-destination z.z.z.z:80
iptables -t nat -A PREROUTING -p tcp -d y.y.y.y --dport 443 -j DNAT --to-destination z.z.z.z:443

If I access http://y.y.y.y/ from my computer or phone (which are connected to the VPN) the site works fine, but if I try to access it from outside the VPN, it doesn't work. Any ideas how I can make my server public over y.y.y.y using a VPN?
Try this: https://serverfault.com/questions/431531/tunneling-a-public-ip-to-a-remote-machine

And note I don't recommend hosting a server or servers from your house these days unless you have DDoS protection, due to port scanning, DDoS attacks etc. That made it not worth it to run any servers from my house, which is why I have all of my physical dedicated servers in datacenters, usually with DDoS protection, to get around that. And well, my internet isn't powerful enough to handle running a public server anyway.
Abdy (Author) Posted July 29, 2017

Thanks, I will give it a try. All my servers are colocated in datacenters, but this server is only for my own use, for fun and testing.

EDIT: Unfortunately it doesn't work, because the link is intended for OpenVPN users. I'm using L2TP/IPsec. Thanks anyway.
Abdy (Author) Posted July 30, 2017

I finally found a solution. I re-installed the VPS with CentOS 6 (originally I deployed Debian 9) and I used the following rules:

iptables -t nat -A POSTROUTING -o eth0 -s z.z.z.z -j SNAT --to-source y.y.y.y
iptables -t nat -A PREROUTING -i eth0 -d y.y.y.y -j DNAT --to-destination z.z.z.z
iptables -A FORWARD -s y.y.y.y -j ACCEPT
iptables -A FORWARD -d z.z.z.z -j ACCEPT

Now I can access my server from the internet.
timnboys Posted July 30, 2017

3 hours ago, cyandark said:

I finally found a solution. I re-installed the VPS with CentOS 6 (originally I deployed Debian 9) and I used the following rules: [...] Now I can access my server from the internet.

I am glad you found out CentOS 6 is better than Debian 9 lol
Abdy (Author) Posted July 30, 2017

56 minutes ago, timnboys said:

I am glad you found out CentOS 6 is better than Debian 9 lol

Thanks, CentOS is much better than Debian IMHO.

I will make a last update. When I connect my computer to the VPN I can't access the server: I can access the server only from the Internet but not from inside the VPN, so I added these additional rules:

iptables -t nat -A POSTROUTING -s z.z.z.z -j SNAT --to-source y.y.y.y
iptables -t nat -A PREROUTING -d y.y.y.y -j DNAT --to-destination z.z.z.z
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I hope this thread can some day help other people with a similar problem.
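The tutorial post forwards every port of z.z.z.z through y.y.y.y, while the original question only needed 80 and 443. As an added example (not code from this thread), the Python helper below builds a port-restricted version of that DNAT/SNAT rule set, optionally in the form Abdy added in this post for clients inside the VPN (no "-i" match plus MASQUERADE), and checks an iptables-save dump for the two catch-all REJECT rules the tutorial says to remove from rules.v4. The rules.v4 sample and the addresses used in the test are constructed.

```python
import ipaddress
import re

# Constructed sample of "rules.v4" containing the two catch-all REJECT rules the tutorial removes
SAMPLE_RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
BLANKET_REJECT = re.compile(r"^-A (INPUT|FORWARD) -j REJECT\b")

def find_blanket_rejects(dump):
    """Return the chains whose catch-all '-j REJECT' rule is still present."""
    found = []
    for line in dump.splitlines():
        match = BLANKET_REJECT.match(line.strip())
        if match:
            found.append(match.group(1))
    return found

def forward_rules(public_ip, vpn_ip, ports, iface="eth0", hairpin=False):
    """Build iptables commands exposing only the given TCP ports of vpn_ip via
    public_ip; hairpin=True drops the '-i' match and adds MASQUERADE so VPN
    clients can reach public_ip too (the extra rules from the last post)."""
    pub, vpn = ipaddress.ip_address(public_ip), ipaddress.ip_address(vpn_ip)  # rejects y.y.y.y placeholders
    in_if = "" if hairpin else f"-i {iface} "  # hairpin: match DNAT on any interface
    rules = []
    for port in ports:
        if not 0 < int(port) < 65536:
            raise ValueError(f"invalid port {port}")
        # one DNAT per port instead of forwarding every port to the server
        rules.append(f"iptables -t nat -A PREROUTING {in_if}-p tcp -d {pub} "
                     f"--dport {port} -j DNAT --to-destination {vpn}:{port}")
        rules.append(f"iptables -A FORWARD -p tcp -d {vpn} --dport {port} "
                     f"-m state --state NEW -j ACCEPT")
    rules.append("iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT")
    # replies from the server leave the VPS with the public address
    rules.append(f"iptables -t nat -A POSTROUTING -o {iface} -s {vpn} -j SNAT --to-source {pub}")
    if hairpin:
        rules.append(f"iptables -t nat -A POSTROUTING -o {iface} -j MASQUERADE")
    return rules
```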
Paul Posted July 31, 2017

Very nice! I love posts like this.
Abdy (Author) Posted August 1, 2017

I updated this thread to turn it from a question into a full, detailed tutorial.