SlavikF, 2020-10-16 00:14:03
VPN

Is there a way to make a TCP/UDP proxy (or NAT) so that the end machine sees the source IP address?

I have a Windows server at my house.
The provider is blocking incoming connections. That is, I cannot do port forwarding.

Task: how to make RDP connections to this server?

Here are two methods that work, but do not suit me:
1) I take a VPS with a public ("white") IP and set up an SSH tunnel to it.
This works, but there are three drawbacks:
- for all incoming connections, their IP is seen as the IP of the VPS. It becomes impossible to configure a firewall on the target system.
- only TCP, no UDP
- slows down due to SSH encryption

2) I take a VPS with a public IP and run rinetd on it, which proxies the ports to the target system over WireGuard.
Works much faster, but:
- for all incoming connections, their IP is seen as the IP of the VPS. It becomes impossible to configure a firewall on the target system.

Question:
Is there any solution for forwarding traffic to the target system so that
- TCP & UDP both work
- the target system sees the real IP address of the source?

Update November 22:
I found out that WireGuard + Nginx works very well for my case. It turns out that Nginx can do proxying at the TCP/UDP level:
https://docs.nginx.com/nginx/admin-guide/load-bala...
https://www.nginx.com/blog/tcp-load-balancing-udp-...
I configured it.

It turns out that Nginx also supports a special protocol that allows you to pass client IP addresses to the backend, but I have not figured it out yet:
https://docs.nginx.com/nginx/admin-guide/load-bala...
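An added example of what the two Nginx stream options from the update look like side by side (this is not the asker's configuration; the WireGuard address 10.8.0.2 for the home server and the ports are assumed). The transparent variant only works if the home server routes its replies to Internet addresses back through the tunnel, and the VPS needs the policy routing described in Nginx's IP transparency guide; the PROXY-protocol variant only works with a backend that understands the header, which RDP does not.

```nginx
# Added example, not the thread author's config. Goes in nginx.conf at the
# top level, next to the events {} block. Assumed: home server is reachable
# over WireGuard as 10.8.0.2 and already routes reply traffic via the tunnel.
stream {
    # Variant 1: IP transparency. Nginx opens the upstream connection using
    # the visitor's own address as the source, so the home server (and its
    # Windows firewall) sees the real client IP instead of the VPS IP.
    # Works with any protocol, including RDP over TCP and UDP.
    # Needs: worker processes allowed to bind non-local addresses (see the
    # proxy_bind docs), return routing on the home server through wg0, and
    # fwmark/policy routing on the VPS so reply packets reach Nginx.
    server {
        listen 3389;
        proxy_bind $remote_addr transparent;
        proxy_pass 10.8.0.2:3389;
    }

    server {
        listen 3389 udp;
        proxy_bind $remote_addr transparent;
        proxy_pass 10.8.0.2:3389;
        proxy_timeout 60s;   # idle timeout for the UDP session, assumed value
    }

    # Variant 2: PROXY protocol. Nginx keeps the VPS as the TCP source but
    # prepends a header carrying the original client IP and port. Only a
    # backend that parses that header benefits; plain RDP would treat the
    # header as garbage, so this is shown on a separate, assumed port 3390.
    server {
        listen 3390;
        proxy_protocol on;
        proxy_pass 10.8.0.2:3390;
    }
}
```

The transparent variant is the one that matches the requirement in the question (TCP and UDP, real source IP on the target); a firewall rule on the home server can then match the visitor's address directly.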

4 answer(s)

younghacker, 2020-10-21
@SlavikF

As suggested before, try OpenVPN in UDP mode.
For faster response, reduce the size of the receive and transmit buffers, and disable compression.
As for the real addresses of connecting machines on the target machine, you will need to ensure that packets are returned back into the VPN tunnel on the side of the target machine behind NAT. For this you will need to use a default gateway towards the tunnel or static routes (if you know the addresses of the incoming clients).
Further, on the side of the VPN server with the public IP where the clients connect, you will need to configure port forwarding (DNAT) to the VPN interface address of the target machine. Then the packets arriving at the target machine will have the real IP of the visitor.
I have no experience with WireGuard, but for some reason it seems that you just need to correctly configure DNAT on the VPN server and default routing on the target machine, and you will get real client addresses on the target machine.

OCTAGRAM, 2020-10-16
@OCTAGRAM

SSH also has tunneling (VPN). Then at both ends we set up rules for port 3389 so that the packets go exactly through this new tunnel in both directions, and the addresses are translated at the right moments. For UDP: DNAT on the VPS side, SNAT on the home network side.

Vladimir Dubrovin, 2020-10-16
@z3apa3a

Instead of an SSH tunnel, use a VPN (such as OpenVPN) with static IP assignment per user. Also connect the end resource through the VPN tunnel.
This:
- is faster
- at the VPN level, you can limit the user by IP
- at the end resource level, you can differentiate by the IP that the VPN assigns (that is, actually by user).

Oleg Volkov, 2020-10-16
@voleg4u

My provider (cheap) does double NAT, so it's unrealistic to get through for a bureaucratic reason. You need to dig from the inside; that always wins. Where and how to dig? That depends only on you.
