Comment on Setting Up a Secure Tunnel Between Two Machines
raldone01@lemmy.world 1 year agoCan you elaborate on the IP would not be unique part?
Comment on Setting Up a Secure Tunnel Between Two Machines
raldone01@lemmy.world 1 year agoCan you elaborate on the IP would not be unique part?
ninjan@lemmy.mildgrim.com 1 year ago
If you can fool the Internet that traffic coming from the VPS has the source IP of your home machine what stops you from assuming another IP to bypass an IP whitelist?
Also if you expect return communication, that would go to your VPS which has faked the IP of your home machine. That technique would be very powerful to create man in the middle attacks, i.e. intercepting traffic intended for someone else and manipulating it without leaving a trace.
IP, by virtue of how the protocol works, needs to be a unique identifier for a machine. There are techniques, like CGNAT, that allows multiple machines to share an IP, but really it works (in simplified terms) like a proxy and thus breaks the direct connection and limits you to specific ports. It’s also added on top of the IP protocol and requires specific things and either way it’s the endpoint, in your case the VPS, which will be the presenting IP.
pcouy@lemmy.pierre-couy.fr 1 year ago
Each time you send a packet over the internet, several routers handle this packet without touching the source and destination IP addresses.
There is nothing stopping him from configuring the VPS in a way that forwards packets from the home server, rewriting the destination IP (and optionally destination port as well) but leaving the source IP intact.
For outgoing packets, the VPS should rewrite the source (homeserver) IP and port and leave the destination intact.
With iptables, this is done with
MASQUERADErules.This is pretty much how any NAT, including ones behind home routers, work.
You then configure the homeserver to use the VPS as a gateway over wireguard, which should achieve the desired result.
ninjan@lemmy.mildgrim.com 1 year ago
Yeah, I was just confused about the direction/flow he was asking for. He clarified and his use case is fully solvable. Just not something I’ve personally dabbled in since he wants it for non http traffic.
raldone01@lemmy.world 1 year ago
That’s not what I want accomplish. The clients connecting to machine B should not know that their traffic was handled by machine A. I will use DNATs to accomplish my goal. It is possible because tailscale can do exactly that. Thank you for your input though.
Maybe I am wrong we will see soon. 🙃
ninjan@lemmy.mildgrim.com 1 year ago
Well thats just a normal proxy then. In my setup I use Caddy to send traffic through the NetBird managed wireguard tunnel to my home machine that runs Jellyfin but for any outside observer it look like it’s my VPS that is serving Jellyfin.
raldone01@lemmy.world 1 year ago
Jes exactly but without being http/https only and without decrypting the traffic on the vps.