#networking

So what do I do with the tracert log?

send it here

it gives us a view of the route that your data takes

Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:

1 64 ms 64 ms 63 ms 10.0.0.1
2 69 ms 64 ms 65 ms 45.8.229.1
3 69 ms 67 ms 66 ms GW-CloudFlare.retn.net [87.245.255.223]
4 66 ms 66 ms 66 ms one.one.one.one [1.1.1.1]

Trace complete.

that looks good

its using the tunnel.

@untold elbow what if one was to set AllowedIPs to 10.0.0.0/24

?

try to ssh from putty to 10.0.0.1 with the tunnel up

@tame carbon he'd only get to 10.0.0.1

that's the point, no?

and a bunch of unused IPs

all other traffic should go over another if

oh if that's the point then yeah

He only wants a NAT around his CG-NAT

sshed

through a public VPS

so he can host minecraft

His VPS host masquerades traffic from WAN through wireguard

WG is merely a LAN network to the client, it shouldnt be used as a gateway

i think i missed the first part of this where you were talking about what the purpose of all this was lol

Well basically I want to only route minecraft server traffic through the vps

That's it

If possible

@slate sonnet change AllowedIPs in the client config

to say 10.0.0.0/24 instead of 0.0.0.0/0

then restart tunnel

Done

see if you have internet, if yes: run another traceroute

that should now be using your regular network

instead of WG

First one is router gateway

so its going through 192.168.foo.bar?

yeah

Nice.

That's the first route

ok then: ping 10.0.0.1

64ms

Ok. we're set.

wait

well

yeah

You now have a tunnel endpoint from your VPS to your windows machine

Okay

so at this point..

start a minecraft server :D

coolest part of WG setup is the qr code stuff you can do

So in the server ip I post 10.0.0.1?

In the minecraft config

@slate sonnet no, leave the mincraft config ip= empty

with qrencode you can generate that qr code and scan it with your phone client to add the config

Okay

@slate sonnet if you leave it empty, the minecraft server will be active on all interfaces

And people can connect to my server with my vps ip

including the 10.0.0.1 interface

then, other users can use your public IP from the VPS

to connect

Okay

🤞

gotta get a friend lmao

1 sec

I have mc

what version?

he said a friend

to test

lol

1.16.4

https://i.imgur.com/7GhLSdp.png

starting...

is it up?

Starting

I hope this doesnt conflict with my network lol. I have bunch of russian IP prefixes nullrouted on my network

1 sec

what does that mean?

Server up

he doesnt like russians

^

Understandable

Same here tbh

its mostly hackers and such

bunch of ssh flooding I dont need

same with china

its not connecting...

mhh

Oh wait

I forgot to change the ip

1 sec

I can reach the server though

so ping works

starting again

you have stuff in the wg config to forward the minecraft ports to your windows system?

i wasnt here for that part

@untold elbow it shouldnt need to?

Try connecting

@untold elbow those configs on that tutorial reference to other computers on his /24 LAN

Mh. not responding no

Huh

I have the ip set to nothing as you said

it shouldnt have to be filled out

but for sake of trying

put 10.0.0.2 in there

starting again

Done

mh. still nothing

Hmm

@untold elbow does wireguard installation require a reboot of the host at all?

nope

I'm trying telnet on his 25565 port

i think you might need another iptables statement to forward minecraft port traffic

not even establishing a connection

iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 25565 -j DNAT --to-destination 10.0.0.2;

if i had to guess

mp

no

@untold elbow that ! inverts

oh i dont know iptables either apparently lol

it was ! 22 meaning all ports except 22

oh hm

and minecraft is tcp

not udp

if i had to guess, it's looking at the VPS for a tcp 25565 service and not finding one

and that request has to somehow be forwarded through the tunnel

@slate sonnet go back to the config file on your wg host.

double check the iptable rules

True, but bedrock version is udp

@slate sonnet on your wg host you can verify the currently running iptable config with: iptables -S

that doesnt seem right

there's no NAT entry at all

@slate sonnet iptables -t nat -L

@untold elbow only reason I know a little about iptables, has to do with mikrotik, since their configurations are using iptables internally

ahh

that's where the ! comes from

xD

im not really a network guy so i know very little about it

know only slightly more than this guy https://www.youtube.com/watch?v=SXmv8quf_xM

@untold elbow https://i.imgur.com/zTYYJVR.png

fancy

i run pfsense... need to get some mikrotik gear

unifi switches are getting kind of crappy

@slate sonnet okay.. so far that looks to be alright

wait no

source is not even set.

@slate sonnet can you open your wg config once more. on the server

command? I really need to write it on my forehead lmao

nano /etc/wireguard/wg0.conf

And send it here?

leave out your private key

Yes

mostly i think crystal wants the postup and postdown lines

correct

@untold elbow I am unsure, but I think his host needs a restart

just as a cross-reference, here are the post-up and post-down lines from my wg server:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

or at least, push a kernel config to /proc/sys

it's worth a shot

because by default linux distros dont do v4 forwarding..

i think if it's passing traffic from his windows client out to the internet, forwarding is working though

but i've never set it up going the other way

@untold elbow see the snat rule at the end on the first postup ?

that's for client -> server -> internet

source-nat

but we're port forwarding here, so we use DNAT

ahh ok

So what should I do?

I'm thinking

Oh, okay

reboot can't hurt in the meantime

yeah, reboot your server

I guess

might be worth a shot

rebooting

@untold elbow I'm looking at the sources provided by the tutorial

https://i.imgur.com/ZEJeUBM.png

which points to some information on reddit

these guys write some additional settings to the kernel

if you didn't run sysctl enable on the wg service, you'll need to manually start it again

note the first two postup

i believe ipv4 forward should already be 1, but not the arp proxy

but this is way over my head

that proxy arp is not nessesary

that's only if you wish to know about the hosts on the other side of the tunnel

Did that

@untold elbow I have proxy-arp running on my VPN bridge on my mikrotik

so that my VPN clients can interact with other devices on the LAN

but its tricky

and can lead to arppoisoning

if poorly configured

from here: https://github.com/mochman/Bypass_CGNAT isn't step 1b the same as that first postup rule?

/etc/sysctl.conf is read on startup

sysctl -p after it though

still worth a reboot just to try

I rebooted

net.ipv4.ip_forward = 1

after sysctl -p

reconnect your tunnel

So like disconnect and reconnect it?

Just connect.

Done I think

On client side, right?

yeah

the only difference in the setup we have, and the tutorial

is that the tutorial uses NAT a 2nd time

on the client, to then pass traffic to local devices

Well in the tutorial on the github page, there are postup and postdown lines

what's the server hostname and MC port?

And in them I'm assuming that some of them port forward

Why can't I do that with port 25565?

@slate sonnet currently, traffic would arrive at 10.0.0.2:25565

Dm

those postup rules on the client

only do this: https://i.imgur.com/EpXY47J.png

do you have the MC server up and the tunnel running?

Starting server

https://xkcd.com/2259/

Started

Lmao

Trying 194.87.80.92...
^C
root@wireguard:/etc/wireguard# telnet 194.87.80.92 22
Trying 194.87.80.92...
Connected to 194.87.80.92.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
^C
Connection closed by foreign host.```

it doesn't see a service on 25565

@untold elbow it would interest me

but i guess we knew that

He should run telnet on his server

to 10.0.0.2

yeah

see if windows even properly exposes it

telnet 10.0.0.2 25565

@slate sonnet ^

run that on your server

Trying for a long time

doesn't see the service on that side either

Did 10.0.0.2

so that's a clue

Without 25565

yeah the port needs to be on there

telnet opens a tcp connection to that IP & port

Oh

and if there's a server on other side, we'll know

Said connected

so you have a session on port 25565?

cool, so at least that works

wait telnet 10.0.0.2 25565 says connected?

Oh wait

Idk

that's basically checking if it can see any service running on that port

ok cool

thats a good thing, it sees the MC service

The VPS can see the minecraft server.

your server just isn't forwarding it to the windows system

Huh

We're triangulating the problem right now

VPS -> Minecraft works

its just Public IP -> VPS that is finecky

def something with those cryptic postup iptables commands

iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2;
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4

those are the two commands on the first line

and it basically just says, for any traffic incoming on -i eth0

and any destination port that isnt 22

we port forward to destination <ip>

hm yeah that should work

I have it the other way around

how do you mean

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2;

oh thats fine i think

Or does it matter?

@slate sonnet does your config say 1.2.3.4 ????

No

lmao

well thats good

Wait

In my config it says

AllowedIPs = 10.0.0.2/32

But on my client its /24

yeah that's correct

Everywhere

that's correct.

Okay

@untold elbow you think it might be worth removing the eth0 filter, and doing it by IP instead?

--dst 194.87.80.92 --dport 25565

instead of -i eth0

and we write our own iptable rule

hmmm not sure, might be worth a try. or adding -j LOG and checking kern.log while people are connecting

Wait

What does "!" mean again?

not

! 22 not 22

Okay

Hold on, writing a oneliner for iptables

Should I harden my vps in the mean time?

Or not yet

nah, lets not add any more barriers

Okay

iptables -t nat -A PREROUTING -j LOG && iptables -t nat -A POSTROUTING -j LOG

and then tail -f /var/log/kern.log

@tame carbon think that's worth looking at?

tcpdump lol

Perhaps

@untold elbow I came up with: iptables -t nat -A PREROUTING -p tcp --dst 194.87.80.92 --dport 25565 -j DNAT --to-destination 10.0.0.2;

as a custom rule, which only port forwards what we want

hmmmm would that work for the MC client's return traffic?

@untold elbow NAT does connection tracking

pretty sure it wont matter

ok, that might work then

SNAT is only for outgoing connections

Don't I have to have both tcp and udp?

nah just tcp

nah minecraft is just TCP

According to minecraft server tutorials lmao

They all say to port forward both

people do both tcp and udp when they're not sure which it uses

shotgun approach

Got it

in essence, that's all you need

Better take your IP out of there lol

@hollow marlin its a publicly routed one

doesnt trace back to my WAN

so you can DoS me

wont have an effect

@hollow marlin perhaps you can smarten us up

we've set up a WG tunnel

trying to NAT traffic through it

Ewww

@hollow marlin he's behind a CG-NAT

its prob not working because you leaked your ip in discord

Me

And we're using this as a workaround

Me?

I assume using a VPS for WG?

no im joking

Ye

Yes

ok so do we want to try my think or crystal's thing first

my thing*

do crystal's thing

friggen network debugging. love it 🔫

What point are you guys at? I assume WG tunnel is up and connected so far?

if this doesn't end up working, dynamic dns might be an easier route

WG works

WG host can see a tcp service on WG client

its just the public ip NAT that is not functional

wg host passes wg client traffic too

@hollow marlin

10.0.0.1 is the VPS, and 10.0.0.2 is the client

So basically Home --> WG --> VPS --x--> NAT --> internet?

other way around

well sort of

@hollow marlin https://github.com/mochman/Bypass_CGNAT/blob/main/Basic Topology.png?raw=true

https://github.com/mochman/Bypass_CGNAT

@hollow marlin his outgoing traffic should still be through his default gateway.

forward tcp port 25565 traffic from internet to VPS through wg tunnel to home system

incoming traffic on his VPS should be NATed through WG

[Interface]
PrivateKey = SHOULD_ALREADY_BE_FILLED_OUT
ListenPort = 55107
Address = 10.0.0.1/24

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

[Peer]
PublicKey = 
AllowedIPs = 10.0.0.2/32

this is the server config, as it stands

And I'm suspecting there's something wrong with those iptable rules

Oh boy, getting into IPtables

I have a question do you need any kind of portforwarding for nginx server setup??

So first thing is WG is L2 to the VPS, is there another subnet that was created to use that VPS? You are going to need routing here

10.0.0.0/24

wg is l3

not that it matters

yes, you'll need to forward http/https ports if you don't have them exposed to the internet on your web server

I thought it was L2, yeah looks to be L3. Even better. Never personally worked with it

does it need to be specifically http or any open port that I can configure

@tame carbon where is the sticking point at the moment? Just dying at the src NAT rules?

if you don't want to manually specify the port after your server address, yes. if you're okay doing <server address>:<non-standard port>, you can use any free port

ok thanks

@hollow marlin He has a minecraft server listening on his windows machine (port 25565)
On his VPS, he can use telnet to establish a connection to this windows machine

But the iptable rules that are ment to DNAT the traffic through wg from his public interface, do not work.

are you guys trying to host a minecraft server

I am

I have CGNAT

you don't need to host a full vps for palying minecraft

oh boy

you can simply use ngrok.exe

that isn't the issue @dense wolf

oo

@hollow marlin the rules set out by the tutorial (and the block of text I posted above) is what he's currently using.
It basically is ment to DNAT all traffic except ssh and wireguard

@dense wolf he's behind a CG-NAT, a shared public IP, and thus cannot port forward.

using a cheap ass VPS to route his traffic around

looking at iptables docs more, i'd try that dnat rule crystal made

and maybe even make it more general

well, maybe not more general

@untold elbow I am unsure if that input on eth0 is gonna work like that

might be better to do it on IP layer

which input? the one from the github? or the one you made?

-i eth0

instead of --dst <ip>

oh

worth a shot

i gotta step away for a bit... good luck and god speed

We'll definitely need it

if you hit a wall... look into dynamic dns instead

at this point, I am at a loss. Those are the last suggestions I have that we could try

I could try consult the 420-gods, but that doesnt always work

@tame carbon so what should I try?

@slate sonnet It is definetly an issue with iptables

but iptables is dark magic

ngrok does the same think but its simpliar

so I am hoping @hollow marlin has some enlightening perspective on this

Just looking through some of the IPtables syntax

@tame carbon so can you explain what the postup and postdown lines do in the github page?

@slate sonnet those are commands it will run when it connects and disconnects

PostUp is Post (after) it goes up

iptables controls the network stack on linux

we basically add a rule, to port forward all your traffic

but there's something awry.. not working properly..

Okay, but the lines pretty much say something along the lines of
"when connected, route this port to this ip, etc etc"?

Everything looks good, but I would assume you need a forwarding chain as well right?

that's what it is ment to do

@hollow marlin elaborate?

@hollow marlin https://github.com/mochman/Bypass_CGNAT#1c-installing-wireguard

Really, this is what we're doing

Well if that works, can't I just copy and paste with port 25565?

and either this doc is wrong

@slate sonnet might try to remove the existing postup rules in there, and replace it with the one I suggested.

iptables -t nat -A PREROUTING -p tcp --dst 194.87.80.92 --dport 25565 -j DNAT --to-destination 10.0.0.2;

make sure you add the same rule to the PostDown as well

replacing the -A with -D

-D = delete

Just add that to the bottom of the postup and postdown lists?

remove the existing ones, and put a new one in

that's centerlized

So completely remove everything?

That's postup and postdown

@slate sonnet remove the postup and postdown rules

I guess you can just host mc server on vps instead tunneling

and add a new PostUp =

with that ip table rule

@lean pebble its a $2 vps

Will I still have ssh?

@slate sonnet that rule doesnt forward all ports, only 25565.

So openvpn

@lean pebble wireguard.

I can host on my pc, literally no reason to get a vps just for that

But the VPN isnt the issue

also a good learning experience

the VPN works. its not the issue

its just the iptable settings that are applied by the VPN, that are incorrect

He can use wiregaurd on his network while having cgnat ? 🤔

@lean pebble yes. because the wg server is on his vps

client dials out to the vps

Like this?

and we use his VPS IP as a public endpoint

He don't need dedicated IP on his side ?

no

@slate sonnet yuh.

Oh ok good to know

Never used wg

it's a vpn just need a public IP on one side

How to restart wg?

@slate sonnet systemctl

@slate sonnet press arrow key up

until you find the command

Openvpn is vpn to and he can use it to connect to his server to I think.

wireguard is easier to setup :P

That's for sure

done

Everything is easier than openvpn

😆

@slate sonnet reconnect with your windows client

wireguard is more resource efficent

My openvpn working on my pfsense in cloud

Done

@slate sonnet ok, as a sanity check. Can you do the telnet again on your server

I want to make sure we didnt just break something else

just telnet?

Never had resource issues with it

the whole command

@slate sonnet just arrow key up, its still in your history :)

telnet 10.0.0.2 25565

If we can figure out what we did wrong, I will fork this tutorial and write my own :)

I was bored so I made my openvpn work with tls / ssl on TCP

I'm trying to telnet while my server is off

That's a 200iq move

Connected

Ok. let me try from over here

rip

Rip

@hollow marlin anything?

Make sure your server cfg pointing to the vpn internal IP

It is

Let me do some googling

one sec

And you enabled Eula

@lean pebble shhhh

I've started the server

Lol

Got some plugins and stuff

Ok

@lean pebble He can connect to his port 25565 from his wg host.

I used to play with my friends with zerotier

Ok but not from outside ?

@lean pebble instead of minecraft, we're using telnet to see if there's a server listening

But I don't want them do download an app and stuff

A little annoying step

@lean pebble his VPS has two interfaces

Ok

wg0 and eth0

wg0 is on 10.0.0.1/24

and eth0 is his public address

Ok

but I can't for the life of me figure out how to NAT this

its trivial.

this shouldnt be difficult.

He should nat on his port to the internal IP

@slate sonnet gimme a moment

Im doing some reading

No problem

He uses iptables or firewalld / ufw

ufw is disabled

I think

@lean pebble ufw is off

we've been at this since early afternoon

its evening now.

We've only got 1 hitch left.

90% is working

Lol I know it's evening

You say no routing to the port right ?

Telnet not working

@slate sonnet ok remove the iptable rule

and replace it with

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25565 -j DNAT --to-destination 10.0.0.2:25565; iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Looks to follow the page you linked. I still think or would assume a forward chain is needed which is not in the guide. Just like Mikrotik, PREROUTING -> FORWARD -> POSTROUTING. Without a forward the packet matches the PREROUTING, makes the changes, then drops. My assumption anyway

@hollow marlin read above ^

lol yeah typed at the same time

Both postup and postdown? @tame carbon

@slate sonnet Yes. Please pay attention, there's a ; in the middle, these are two commands on a single line

You have to modify both -A's

Okay

I had the same issue 2 months ago

@hollow marlin so NAT is two components

PREROUTING does the translation

and then you still need to accept the packet when it comes to the moment to decide on forward

Depends on when and where you want to make the chain, and yeah you need a FORWARD chain in the middle to actually accept and route the traffic

Does there have to be a space after the ';'?

In the middle

I'm assuming not

https://i.imgur.com/8GLe280.png

no

xD

Okay

Done

telnet connected

I've restarted wg before telnet

@hollow marlin still doesn't work

wait, don't we need SNAT as well?

in POSTROUTING

Yes, else its not going to go back out the WG tunnel

@slate sonnet add another PostUp and PostDown, put this in: iptables -A POSTROUTING -t nat -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE

Now telnet can't connect

No route to host

lol

We did something right though

That means that you can technically connect?

Im logged in

it works

:D

Oooooo

Yeeeeeee

@hollow marlin You're a god.

https://i.imgur.com/rBDkQOH.png

Only little sad thing is that I can't ipban

But I think I can just do that on the vps

you can use ufw for that

I'll read into that later then

@slate sonnet do you know how to set up ssh key authorization?

might be a good time now to lock down your vps a bit

No?

ok

Yeah

which machine do you log on with ?

your windows box?

yes

And I've logged in with my phone

okay, but we're setting up an ssh key on your windows machine first

But I think I'm mostly gonna use my windows pc

Okay

do you have git installed perhaps?

Lemme check

https://git-scm.com/

@slate sonnet git-scm

has a full package

with ssh tools

installing it

oh

well I just installed git

well

you need ssh-keygen

which I usually install with git-scm

it has a little windows bash interpreter

https://i.imgur.com/SHwOzgw.png

git clone https://github.com/git/git

Did that

It has nothing to do with git :(((

Oh

i ment to say git-scm

its a toolkit

xD

No?

Oof

just, grab that real quick

its like 15mb

https://i.imgur.com/uIbNVuu.png

Oh

Like on pc?

ye

on your windows machine

Oooooh

Lmao

1 sec

I already have the installer

@hollow marlin I'm using POSTROUTE masquerade now, this however changes the source address...

is there a way to not overwrite source IP?

@hollow marlin iptables -A POSTROUTING -t nat -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE

What git editor should I use?

@slate sonnet just hit next

whatever is default is ok

Use openssl library?

ye. just hit next next next

Okay

No POSTROUTING rule will do that after a forward, or to make sure PREROUTING is not translating also

Installed git

Run git bash?

@slate sonnet yes

@hollow marlin how come in SOHO when you port forward, you can still see the source IP ?

even I can do that here

Thats dst. NAT, MASQUERADE is source NAT

https://i.imgur.com/qSO2Dr0.png DST NAT

Basically "change source IP of the exiting interface"

@hollow marlin so I'm doing something wrong

so what should POSTROUTING do?

just -j ACCEPT ?

instead of masquerade?

because we added that

and it started working

I'm confused with the pre and post now

It started working because when traffic was routed and leaving 10.0.0.1, the SRC was changed. Now on return, 10.0.0.0/24 points to the WG tunnel and its routed back out. Without this, traffic will come in the VPS, be routed without src. NAT, and return traffic will be sent out his WAN then will be dropped by the remote FW

Asymmetrical routing

@tame carbon what do I do in git?

@slate sonnet run ssh-keygen -t rsa -b 4096 -C "your_email@example.com" replace that with whatever email

@hollow marlin I'm at a loss, what would you change?

"enter file in which to save the key"

Prerouting is used to alter a packet prior to routing, say for firewall filter as you go down the rules. Postrouting is the same but after routing has been done. Really a case by case.

iptables -A POSTROUTING -t nat -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25565 -j DNAT --to-destination 10.0.0.2:25565
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

this is what we have running rn

.ssh?

That is correct, you will want src. NAT in this situation

@slate sonnet just hit enter

@slate sonnet default name is what you should use

passphrase

you can put one on there, if you want to encrypt your key

Kinda like a password?

Ok

otherwise anyone can use your private key

Done

Now what?

@hollow marlin yes, but can the host not translate packets from WG -> WAN to be masqueraded

while packets from WAN -> WG are not translated?

or does that not follow through, because this is L3 and not L2 ?

ayyye you got MC working

gj

Yup :D

This is networking at its finest

Want to thank everyone who helped out

and why ipv4 sucks.

USE IPV6!

stupid NAT.

Router doesn't have ipv6 lmao

garbage ISP

Yup

Only one available though :(

@slate sonnet did you create the key?

Can't wait till I move out from my mom's house

Yes

ok now run

ssh-copy-id root@194.87.80.92

Where?

putty?

in git bash

Okay

you'll have to enter your password for your VPS

"are you sure you want to continue?"

yes

Just enter

this copies your public key to the server

its kinda like we did with WG

you guys still working on it?

:D

Logged into the vps

@dense furnace it works now

wow :o

just hardening the vps now

congratz

yeah took a while

probably

iptables -A POSTROUTING -t nat -p tcp -d 10.0.0.2 --dport 25565 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25565 -j DNAT --to-destination 10.0.0.2:25565
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

the solution ^

oh god

@tame carbon so now try connecting on putty?

@slate sonnet nah, you can just run ssh root@ip now

in git bash

you dont need putty per-se

you could. make a preset for it

you just have to tell putty to use that private key

but git bash just has ssh

logged in

nice

oh you even secured the server?

@slate sonnet now modify /etc/ssh/sshd_config

@dense furnace well, the wireguard stuff @untold elbow helped out with, while I was eating dinner

What do I modify?

then it was a matter of modifying the kernel's IP table configuration to properly port forward the minecraft packets over the VPN

which took the longest

oof

better write that down for the future @slate sonnet :D

that = everything you did today

"Write that down, write that down!"

xD

reverse ssh tunnel would have taken 20 minutes

rofl

:D

I wanted to learn networking and stuff

@slate sonnet search (CTRL + W) for PasswordAuthentication

Now I'm not so sure lmao

@slate sonnet on a router like mikrotik this is much easier

PasswordAuthentication no and PubkeyAuth yes?

Found it

@slate sonnet that commandline crap on linux looks like this on here: https://i.imgur.com/XSrkwZN.png

@slate sonnet ok set it to no

if its commented, uncomment it

Still confusing, but at least don't have to keep going through the history lol

So uncomment it and set it to no

Done

@slate sonnet this is NAT on mikrotik: https://i.imgur.com/atyYpTl.png

you just dont need to memorize IPs

everything uses aliases

Save and exit out of the config file?

make sure PubkeyAuthentication is set to yes

and then save and exit

then run: systemctl restart ssh

Okay

I guess I don't understand, PRE/POST rules will automatically apply the same in reverse with connection tracking

Yeah that's why I was confused too lol

because usually if you apply a NAT rule

it just tracks immediately

Done

@slate sonnet ok now, you can only log in on ssh with that keyfile

password is now blocked

you can try it from your phone, and test

that key is 4096 bits

which takes longer than the age of the universe to compute

so its safe

unless someone steals that key ofcourse and brute forces the passphrase xD

That's a whole 4kbits

nowadays

@slate sonnet on your linux system you can do the same ssh-key-gen

and then you just cat ~/.ssh/id_rsa.pub

Yup

Permission denied

we don't know about the future O:

😆

So all good now ?

I think so

@slate sonnet public keys on the server are stored in: ~/.ssh/authorized_keys one key per line

for root this is /root/.ssh/authorized_keys

Got it

@slate sonnet ofcourse you can use that vps for all sorts of stuff

like even hosting a small website

it has 20GB storage

which is not bad

@dense furnace https://i.imgur.com/644bS5p.png

with nginx e.g.

wait

you're on pr0 too?

_>

just don't talk about it ok

why imgur tho

@dense furnace this is my bad habbit of rehosting

and this was like 30 mins after they came back on

service was still laggy

Oooo

True!

where r you from crystal?

@slate sonnet as @dense furnace said, nginx is perfect for this

its small footprint, like 5MB memory

@dense furnace Netherlands

Though I have dual citizenship

and speak three languages xD

German, Dutch, English

ohhhh

nice

I'm like 5 mins from the border

half my family is german

nice

laughed hard about this

I like all the memes

these datacenter memes are extra spicy

Well anyway, thank you @tame carbon @untold elbow @hollow marlin @peak cloak

so much good oc

🙂

It was fun learning a little bit about all of this

@slate sonnet if you ever want to learn more, you can always get a small router

and run your wireguard client on there

I do something opposite of what you did today. I run a VPN server on my router

so my phone always has a LAN ip when I am outside using LTE

I also use this

but I guess this wont be of any use to ya with the ISP you have right now

but you have a tunnel now, which is a start

and a raspberry pi with pi-hole

you can always set up more tunnels on your wg vps

for your phone and such

did the same thing

except on a VM

backdoor with a very strong lock :)

I'm gonna experiment more once I move into my own place where I don't have a crappy isp

I bet crystal is working in IT

beta version of RouterOS has wireguard in this list too: https://i.imgur.com/fxxWwnL.png

sadly this is still v6

@dense furnace developer

Written a lot of server applications

and that comes with its share of linux & networking

and this is the only LTT channel where we can talk about Linux and dis on windows without starting an OS 🔥 war

rofl

y windows bad

👀

because

no there is no because here

you know what we just did with that iptable stuff right?

you need windows server for that to work

which costs $$$

routing doesnt work on normal windows

you can only do a LAN bridge with connection sharing

that's it.

Like, I can go on and on

windows is just garbage in every single way

package distribution, updates, system layout

driver stack

network stack

and it costs money

currently I use win10 for gaming only

same

but my work laptop runs ubuntu

and my servers debian

I know there is stuff like wine, but meh

native games work just fine on linux

Oh I see you're a man of culture aswell

currently playing ksp

that's an horrible good game

native linux support

y

@dense furnace my laptop is the place, where i need to quickly be able to get something to work

many steam games have native linux support now

hence ubuntu, easier to find stuff for online

debian is slightly different, sudo for example is not a thing

true

and its also less bloated

I run debian as a host OS

my vm with my own mc server, that's a broken install with ubuntu 18

that i managed to repair to the point of running java

ubuntu has a great community but I also like to use debian for my servers

I moved a year ago to this place

and all the fiber things changed

my company currently uses centos but will switch soon

maybe to ubuntu

because of update policie

but centos is so nice

was so nice*

the thing is

If they want support but currently have centos why not just go to redhat

rocky linux will replace it

software support for linux is slowly improving

centos is dying

and those who first start adding support, often add fedora and ubuntu first

everything else comes after

so if you just use a debian based system

you get the largest market share of compatible packets

unless ofcourse you run ARCH

Arch best

https://scontent-frx5-1.xx.fbcdn.net/v/t1.0-0/p526x296/109618601_1759578370849589_736435313539592753_o.jpg?_nc_cat=100&ccb=1-3&_nc_sid=8024bb&_nc_ohc=mbd__t8YCckAX-JZe-x&_nc_ht=scontent-frx5-1.xx&tp=6&oh=a1af3736541c12ee1bf33a7c85017f3b&oe=606F19B9

^

but I've used arch for 3 months, until it updated itself and broke, the day I had important meetings

never again.

I rather run an outdated LTS kernel

you don't use arch because you want an easy life

than to run arch

you use arch to flex

Im on mint on my laptop, but wanna switch to kali lol

lol why

I've noticed that there's some like lag on my mc server. That can only be fixed by using a better quality vps provider?

because csec major

kali is leak af

huh?

As if there's a lot of latency between me and my server

@slate sonnet yeah probably

no way

no fw, no default security in place, everything is root.

connect locally

from your machine

does it lag too?

Well I know I can connect locally

do it to test it

But my friends will lag which is worse than zerotier lol

you're adding an extra network hop, that's gonna add latency

It's fine if I do it locally

O_O

that's funny

So basically no real way around it huh

not without a different VPS, no

that's weird tbh

By different vps you mean different vps location?

@slate sonnet try pinging 46.243.190.1 how much latency do you get?

From my pc?

dynamic dns would let you have a hostname that doesn't change mapped to your CGNAT IP address and doesn't require an extra network hop

do YOU also lag if you connect trough the vps?

@untold elbow he's connecting to his own VPS endpoint, that's gonna have an RTT of 4x

no wonder it will lag.

yeah but it'll be roughly the same experience as his friends connecting

avg ping is 89ms

oof

I'm on fiber optics

5ms from amsterdam exchange

what

wait

82 ms then

this ip? i got 25ms

@untold elbow he's not that far away

I can say I live in krasnodar krai

@slate sonnet your internet has bad ping, and the route to your VPS is suboptimal.

So kinda near europe

y it's not the vps or the server

@slate sonnet it's you right now

he has 60ms to his gateway

What?

but that's 60ms to a host in a datacenter, which is pretty close for everyone else

@slate sonnet ping your vps

or do a traceroute to your vps

was that ip not his vps?

that was mine xD

o

69ms ping (nice)

just wanted to see how bad it is

oh

so this is yours? 46.243.190.1

that's a router of mine yes

hackin u now

it's ok for me

rofl

@untold elbow that's my public /29

its routed through my WAN, but doesnt show in traces

it's definitely you scratch

and the rDNS is not set

perform a speedtest @slate sonnet

@dense furnace basically:

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max
  1   46.243.190.1  0.004ms  0.006ms  0.225ms 
  2   46.243.152.3  6.025ms  6.253ms  6.098ms 
  3   46.249.55.194  6.899ms  6.713ms  6.969ms 
  4   185.8.179.33  7.108ms  6.993ms  7.105ms 
  5   80.249.211.140  8.683ms  8.864ms  9.322ms 
  6   1.1.1.1  8.186ms  8.354ms  8.103ms 

nice

its quite nice, when you have your own Public IPs

especially for local use >_>

and firewall it off

15ms ping @dense furnace

huh

Yet on my phone its 1ms

This is weird

@slate sonnet from experience, anything below 150ms on minecraft, you don't really feel/notice

but to your vps you get 69ms??

Yup

It's located in moscow

minecraft runs at 20tps, so it has a change in gamestate every 50ms

so at most, you lag 3 ticks behind

but that's for the game logic, not the players position?

or am I missing something

Yes

That's only for game logic

@dense furnace network thread is asynchronous from the gamethread

so you definetly feel a ping of 70~

Yes, there is latency

but not a lot

I can send a vid

You'd have a bigger issue if this was a shooter

minecraft isnt that sensitive

may I ask for the server ip to join the minecraft server? I want to see if there's any lag for me. You can dm me

Oh I didnt even test that lol

@slate sonnet its really not that bad

you had.. 89ms

https://i.imgur.com/JAh6Fnu.png

hmmm

the question is

18ms added by the tunnel

is it the vps?

no

its his internet.

because speedtest told him 15ms

Your internet connection is coming from amsterdam?

@tame carbon

Yes

I'm like 3 hops from the exchange

mine is also 107ms

germany