Using gateway to forward traffic from a VPN to LAN host running node

Continuing the series of opuses dedicated to organizing the hardware and services logically from Simpler way to configure Oracle VPS as a VPN to get around CGSNAT for node hosting purposes:

So far I’ve been running nodes in FreeBSD jails, and if the network did not have a public IP — I would add two services to the jail:

  • WireGuard client, as described in the linked post, and
  • inadyn, to update the DDNS when and if the VPN exit server changes. This required sending traffic originating in the jail through the same VPN endpoint. See the linked post for details.

However, ideally, the node jail should have no business messing with networking, VPNs, forwarding, and DDNS. Its job is to handle data. It’s the network gateway’s job to figure out routing.

So I moved my WireGuard client at every location that needed it from the jail to the gateway. They are all Ubiquiti Dream Machines, and it has been possible for some time now (a year or so) to make all the necessary configuration right in the UI:

  • Configure the WireGuard VPN client
  • Define a traffic policy to send traffic from the internal host the node runs on to the tunnel
  • Define Destination NAT to send traffic received from the VPN channel at specific ports to the specific host in the LAN — i.e. to the node
  • Define a firewall policy to make this work in a contained fashion.

I’ve described this with screenshots here: Hosting services behind Ubiquiti Unifi Dream Machine over Wireguard VPN connection with port forwarding | Trinkets, Odds, and Ends
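The same four steps, written out as an added example for a plain Linux gateway (nftables plus policy routing) rather than the Dream Machine UI the post describes; this is not the author's configuration. Assumed values: `wg0` is the tunnel interface, `br0` the LAN bridge, `192.168.10.50` the node host, and `28967` the forwarded port.

```shell
#!/bin/sh
# Constructed example: Linux-gateway equivalent of the four UDM UI steps.
# Assumed (not from the post): interface names, node address, node port.
WG_IF="${WG_IF:-wg0}"             # WireGuard client interface (step 1 done in wg-quick)
LAN_IF="${LAN_IF:-br0}"           # LAN side the node host lives on
NODE_IP="${NODE_IP:-192.168.10.50}"
NODE_PORTS="${NODE_PORTS:-28967}" # comma-separated list works in the nft set below
VPN_TABLE="${VPN_TABLE:-100}"

# Step 2: policy routing. Only packets *sourced* from the node host use the
# tunnel as default route; the rest of the LAN keeps the normal uplink.
# This also makes replies to DNATed connections go back out through wg0.
policy_routing_cmds() {
    printf 'ip route add default dev %s table %s\n' "$WG_IF" "$VPN_TABLE"
    printf 'ip rule add from %s lookup %s\n' "$NODE_IP" "$VPN_TABLE"
}

# Steps 3 and 4: DNAT for the node ports arriving on the tunnel, and a
# forward policy that is "contained": it admits only the DNATed node flows
# (and established replies) across wg0, leaving other LAN forwarding alone.
nft_ruleset() {
    cat <<EOF
table inet vpn_fwd {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "$WG_IF" tcp dport { $NODE_PORTS } dnat ip to $NODE_IP
    iifname "$WG_IF" udp dport { $NODE_PORTS } dnat ip to $NODE_IP
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related accept
    iifname "$WG_IF" oifname "$LAN_IF" ip daddr $NODE_IP tcp dport { $NODE_PORTS } accept
    iifname "$WG_IF" oifname "$LAN_IF" ip daddr $NODE_IP udp dport { $NODE_PORTS } accept
    iifname "$LAN_IF" oifname "$WG_IF" ip saddr $NODE_IP accept
    iifname "$WG_IF" drop
    oifname "$WG_IF" drop
  }
}
EOF
}

# Apply on the gateway as root, e.g.:
#   policy_routing_cmds | sh
#   nft_ruleset > /tmp/vpn_fwd.nft && nft -f /tmp/vpn_fwd.nft
```

The two `drop` lines at the end of the forward chain are what keeps the tunnel contained: nothing else on the LAN can reach or be reached through wg0, even though the chain's default policy stays `accept` for ordinary LAN-to-WAN traffic.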

This still requires running inadyn in the node’s jail to keep the DDNS up to date for VPN services that can and do change endpoint from time to time — but we’ll tackle that next time.

The real reason behind this is to simplify node setup to the point of being able to migrate to TrueNAS SCALE at one of the locations. (Just one! Due to some requirements beyond my control! The rest stay on FreeBSD!)