snork.ca: Welcome to the brown age of computing! Mainly Clear, 24.2°C [H: 29°C] - No precip

Update: Home-Hosting Behind A Small Wireguard VPS 2021-04-21

metawish wanted to know if the home server would be able to pick up a letsencrypt cert, so I added an nginx definition for the hostname:

/etc/nginx/sites-available/pansy server {
  listen 80;
  root /var/www/pansy;
  index index.html index.htm;
  server_name pansy.snork.ca;
  location / {
    try_files $uri $uri/ =404;
  }
}

Then linked it to sites-enabled and reloaded nginx:

# ln -s /etc/nginx/sites-available/pansy /etc/nginx/sites-enabled/pansy
# nginx -s reload

Then added a couple more lines to my iptables rules:

# iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.9.2

Finally, installed and ran certbot:

# apt-get install python3-certbot-nginx
# certbot --nginx

And BAM! there it was, https in all its glory. :-)


Home-Hosting Behind A Small Wireguard VPS 2021-04-20

If you want to have your own web site (or any other service) you can pay someone else to host it for you, get free hosting that usually comes with ads or other unwanted behaviour, you can rent a VPS and host it yourself, or you can host it at home on any old piece of hardware. The last two options probably require a little more reading and following instructions than the other methods but is really not that hard, and gives you a lot of freedom to host however [and whatever] you like.

In some cases, someone might wish to host services on a computer at home but are unable to because their ISP blocks ports or routes/filters traffic in some way. In my case I live in Canada and use American AT&T phone services as my home Internet (because Canadian cell providers have even worse data plans than US ones). AT&T chops up my traffic based on the destination port and routes it through various exit networks. They are also frequently thought of as a total gobshite company that abuses customers. Unfortunately they are the only unlimited LTE provider I seem to be able to get my hands on. As a result, I went looking for a way to host services from home by using a small cheap VPS. Here's a diagram made by someone with a serious lack of artistic skills:

myfreakinimage No, I am not an artist.

Basically your connection travels through your ISP to my VPS, and as far as you can tell, that is your final destination. However, secretly (well, not-so-secretly) my VPS forwards the traffic through an encrypted tunnel [the red line] to the real server which is here at my desk. That server could be a web server, an email server, an xmpp server, or whatever I want to serve up. The bonus is that the "server" in this setup is at home and completely under my control. And it doesn't have to be a big loud power-sucker like this... it can be an old laptop or even a little Single Board Computer.

So, how did I set it up? Well, the VPS is a pretty small [512MB memory] virtual machine from Racknerd for about $12 a year. I installed Wireguard on it and on the home server. On Devuan Beowulf I had to add backports to my sources.list, and install with apt. On the home server I also installed nginx as my web server.

/etc/apt/sources.list

deb http://deb.devuan.org/merged beowulf-backports main

# apt-get update
# apt-get upgrade
# apt-get install wireguard linux-headers-`uname -r`

One of the things Wireguard fanbois love to go on about is how few lines of code it is. What they fail to mention is that it requires over 250MB of dependencies (including the linux-headers package seen in above apt-get line). Even my browser isn't that big. Anyways, once installed, it requires a little bit of configuration. On both your VPS and your home server you will want to create some keys and a wg0.conf file that has the required connection info:

On both your VPS and your home server

# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# cat privatekey
# cat publickey
# nano /etc/wireguard/wg0.conf

Then fill in your wg0.conf files like so:

/etc/wireguard/wg0.conf - on the VPS

[Interface]
PrivateKey = <VPS privatekey>
ListenPort = 51820
Address = 192.168.9.1

[Peer]
PublicKey = <home server publickey>
AllowedIPs = 192.168.9.2/32

/etc/wireguard/wg0.conf - on the home server [Interface]
PrivateKey = <home server privatekey>
ListenPort = 51820
Address = 192.168.9.2

[Peer]
PublicKey = <VPS publickey>
AllowedIPs = 0.0.0.0/0
Endpoint = X.X.X.X:51820
PersistentKeepalive = 25

The X.X.X.X address is the public IP address of your VPS, and this will create a private network where the VPS is 192.168.9.1 and the home server is 192.168.9.2. The PersistentKeepalive setting will send a packet between them every 25 seconds just to help keep the connection established. Once those config files are in place, you can start Wireguard on the VPS:

# wg-quick up wg0

If there are no errors then do the same to start Wireguard on the home server. If that produces no errors then you should be able to ping 192.168.9.1 from the home server and 192.168.9.2 from the VPS. If that works you now have a Wireguard private network between the two. As adorable as that may seem, it doesn't make the server publicly accessible on the Internet. That... requires a little firewall magic, which I eventually got working with some help from unicorn. Start by enabling IP forwarding on the VPS. Edit your /etc/sysctl.conf file and uncomment the line that says

net.ipv4.ip_forward=1

Then run

# sysctl -p

Now that forwarding is enabled, the following iptables commands will allow the home server to talk out to the Internet and will forward port 80 in to your home server.

# iptables -P FORWARD DROP
# iptables -t nat -I POSTROUTING -s 192.168.9.0/24 -o eth0 -j MASQUERADE

# iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.9.2

This is just an example, you can forward whatever ports you like. If you are going to forward port 80 then of course you'll probably also want to forward 443 for https. If you installed nginx as I did at the beginning of these instructions then you should be able to see the default page by trying to browse to http://X.X.X.X/ (the public IP of your VPS) from any other machine. You can also throw these commands in a script and cron it to run @reboot. If I'm feeling adventurous I may setup (and document) a little script that is cron'ed to run every couple of minutes, checks for connectivity on wg0, and restarts Wireguard if it can not connect to the other end. Most of this content was lifted from this Alex fellah, I just added some embellishment and dirty talk. :-)

Made with Notepad++ & FastStone, without javascript, cookies, or Clippy's help. Hosted on Devuan with nginx & powered by NK shrooms.