Retain source IP when proxying through VPS

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨SeeJayEmm@lemmy.procrastinati.org⁩ to ⁨selfhosted@lemmy.world⁩

So, I’m experimenting with running a Mailu instance on my home server but proxying all of the relevant traffic through a WireGuard tunnel to my VPS. I’m currently using NGINX Proxy Manager streams to redirect the traffic and it all seems to be working.

The only problem is that, all connections appear to come from the VPS. It’s really screwing with the spam filter. I’m trying to figure out if there’s a way to retain the source IP while still tunneling the traffic.

The only idea I have, and I don’t know if it’s a bad one, is to us iptables to NAT the ports inbound on the VPS and on my home router (opnsense) route all outbound traffic from that IP back through the VPS instead of the default gateway. This way I shouldn’t need to rewrite the destination port on the VPS side.

It sound a bit hacky tho, and I’m open to better suggestions.

Thanks

source

Comments

Sort:hotnew top

mholiv@lemmy.world ⁨9⁩ ⁨months⁩ ago
You want to set the appropriate X-Forwarded-For or Forwarded headers in Nginx. The final application server being proxied (if well written) should be able to handle that.

Documentation can be found here. www.nginx.com/resources/wiki/start/…/forwarded/

Contrary to that other comment reverse proxies with actual IPs forwarded through them via the appropriate headers are normal and used commonly. Almost 100% so at scale.

Don’t let the wannabe elitists get you down. I personally would not host my production email server at home but self hosting is a learning journey. If you learn how email serves work along with reverse proxies you got it! That’s a win. Hack away.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
  You nailed it on the head. This is a project for the experience and because I enjoy experimenting. If I can make this work to my satisfaction I may consider putting my primary domain behind it some day.
  
  Thanks for the info and the support.
  
  source
- Lichtblitz@discuss.tchncs.de ⁨9⁩ ⁨months⁩ ago
  Exactly this. This procedure is so common that you need to take care in situations where you don’t want the headers, as some tools set them per default.
  
  source
themoonisacheese@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
Not really. Your VPS’s public IP is not yours to change, for obvious reasons, and it’s unlikely that your hosting provider will let you send packets from your VPS using a source address that is incorrect. if they let you, then any replies to those packets will evidently get routed to the actual IP, ie your home IP. If you really want to forward SMTP to your VPS (which has less chance of being on a Blocklist by virtue of not being a residential IP), I suggest declaring your VPS as your SMTP sender in SPF, instead of declaring your home IP and trying to make that work with the VPS IP. The VPS can then be configured as an SMTP relay (this is a key feature of SMTP) to your home instance, or you could forward all traffic on the appropriate ports at the TCP level, but I don’t advise doing this.

I hope you understand that if what you’re asking was possible, I could rent a VPS, spoof your IP and receive traffic meant for your IP without any issues. For the same reasons, I think the other commenter mentioning x-forwarded-for headers is wrong if you’re not using DKIM (and even then it’s iffy). Otherwise I could just write a payload with mailto: whatever, from:you@yourdomain and x-forwarded-for: your home IP and pass SPF checks without having control over your IP.

if you’re still confused about SMTP feel free to ask more questions

source
- ninjan@lemmy.mildgrim.com ⁨9⁩ ⁨months⁩ ago
  We have more stuff than SPF checks these days because they’re wholely inadequate alone. DNSSEC, DKIM and DMARC are all important in their own right if you want a secure mail server.
  
  That said I also don’t agree with your example, because you assume a proxy for outgoing which I see no real need for. Generally speaking you proxy incoming traffic due to CGNAT making port exposure on a residential IP unfeasible. Further SPF checks will always use the actual IP source not what’s in a X header.
  
  source
  - themoonisacheese@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
    You need a proxy for outgoing to avoid your source server being on a residential adress, which all but guarantees all mailservers using spamhaus etc will block you by default. DKIM and DMARC are needed in their own right but an SPF fail will already make your mail fall into spam.
    
    source
    -> View More Comments
- SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
  I don’t think I was clear in my post and I’m a little confused by your response. Rather than take the inbound traffic on the vps and proxy it over to the mailu server, I’d like to NAT (masquerade) that traffic so that source IP reports the actual source.
  
  source
  - themoonisacheese@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
    So to be clear, you want traffic coming out of your VPS to have a source address that is your home IP?
    
    let’s go back to fundamentals and assume for a second that your VPS provider allows these packets out and your VPS initiates a TCP connection like that. It sends a TCP SYN with source: home address and dest: remote.
    
    The packet gets routed to the remote. The remote accepts and responds SYN/ACK with source: remote and dest: home address.
    
    Where do you think this packet will get routed? When it gets there, do you think the receiving server (and NAT gateways in between) will accept this random SYN/ACK that doesn’t appear to have a corresponding outgoing packets sent first? If so, how?
    
    source
    -> View More Comments
Decronym@lemmy.decronym.xyz ⁨9⁩ ⁨months⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

HTTP Hypertext Transfer Protocol, the Web

IP Internet Protocol

VPS Virtual Private Server (opposed to shared hosting)

nginx Popular HTTP server

[Thread #369 for this sub, first seen 23rd Dec 2023, 00:55] [FAQ] [Full list] [Contact] [Source code]

source
restlessyet@discuss.tchncs.de ⁨9⁩ ⁨months⁩ ago
I guess your OPNSense rule from Edit3 is not working because the source is not your mailu instance, because connections are initiated from the outside and mailu only answers (TCP ACK).

You may get this working if you set the “reply-to” option to the wg gateway on the firewall rule that allows VPS -> wg -> mailu traffic.

However there is a much cleaner solution using the PROXY protocol, which mailu seems to support: mailu.io/master/reverse.html

They are using traefik, but nginx also supports the PROXY protocol.

source
MSgtRedFox@infosec.pub ⁨9⁩ ⁨months⁩ ago
I don’t know what open sense calls this, but you want a route map in Cisco world.

A route map overrides the routing table based on ACL.

Your local router thinks unless there is a moreb specific route, then use default out WAN. Route map says ACL if source is mailu, then next hop will be VPS over tunnel. I did this with Cisco DMVPN between Germany and states.

Sorry I don’t know terms of open sense, but the concept is the same.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
  I believe the policy based routing is the same thing. I’m starting to think I’m encountering an opnsense bug.
  
  source
  - MSgtRedFox@infosec.pub ⁨9⁩ ⁨months⁩ ago
    When you did your dump of the tunneled traffic, was the VPS preserving the public IPs?
    
    I was only assuming since you mentioned seeing the traffic at each segment.
    
    source
    -> View More Comments
2xsaiko@discuss.tchncs.de ⁨9⁩ ⁨months⁩ ago
Since you mention nginx, I assume you’re talking about proxying HTTP and not SMTP/IMAP… For that, you have the X-Forwarded-For header which is exactly for that, retaining the real source IP through a reverse proxy.

You should be able to add proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; to your location block.

Alternatively, looks like there’s a Forwarded header (RFC from 2014) which I’ve never seen before but it seems cool: www.nginx.com/resources/wiki/start/…/forwarded/

I guess it comes down to what mailu supports, I have never used that.

If you are talking about SMTP and IMAP, I don’t think there’s a standard way to do this. You’d have to set up port forwarding on the VPS for the SMTP ports and IMAP port, and set up your home server to accept connections from any IP over the wireguard interface.

That’s exceedingly horrible though and there’s a better option for SMTP at least: set up an MTA (e.g. Postfix) on the VPS and have it forward mail to the real destination server. And for outgoing mail it never has to touch your home server (except your client copying it into the Sent inbox over IMAP), just send it out over the VPS directly. Or if you’re using some builtin web client, I guess do set the MTA on your local server to send mail to the VPS’s MTA.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
  
  Since you mention nginx, I assume you’re talking about proxying HTTP and not SMTP/IMAP… For that, you have the X-Forwarded-For header which is exactly for that, retaining the real source IP through a reverse proxy.
  
  I was using NGINX streams feature to proxy the various mail components (smtp, imap, etc…) but that was setting the source IP to the VPS.
  
  I was told in another comment that Mailu can handle being proxied behind traffik. I’m not sure if NGINX has similar support for the “PROXY” protocol. I need to dig into that.
  
  source

Fewer Letters	More Letters
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
VPS	Virtual Private Server (opposed to shared hosting)
nginx	Popular HTTP server