Mask the public IP of your Home Server with an OpenVPN VPS

[Figure: setup]

The right picture shows an example service without a VPS (Virtual Private Server) in front. It exposes the public IP of your home network to the world.

The left picture shows the example service with a VPS in front. It exposes the IP of your VPS machine, e.g. an IP of the Google Cloud Platform. The IP of your home network stays hidden.

Setup OpenVPN VPS Instance on GCP

Create instance

Go to: Compute Engine -> VM instances -> Create Instance

  • Set your desired name
  • Change the machine type to f1-micro
  • Configure Boot disk
    • OS image: Debian GNU/Linux 9 (stretch)
    • Boot disk type: Standard persistent disk
    • Size (GB): 10
  • Click Create

Assign static IP address

Go to: VPC Network -> External IP addresses -> RESERVE STATIC IP ADDRESS

  • Set your desired name
  • Change Attach to to your new OpenVPN instance
  • IP version: IPv4
  • Click Reserve

Add firewall rule for openvpn

Go to: VPC Network -> Firewall rules -> CREATE FIREWALL RULE

  • Set your desired name
  • Targets: All instances in the network
  • Source IP ranges: 0.0.0.0/0
  • Protocols and ports -> Specified protocols and ports: udp:1194
  • Click Create

Add firewall rule for http,https

Go to: VPC Network -> Firewall rules -> CREATE FIREWALL RULE

  • Set your desired name
  • Targets: All instances in the network
  • Source IP ranges: 0.0.0.0/0
  • Protocols and ports -> Specified protocols and ports: tcp:80,443; udp:80,443
  • Click Create

Configure the OpenVPN VPS Instance

Go to: Compute Engine -> VM instances & click on the SSH button of your new instance

  • Update the machine

    sudo apt update && sudo apt upgrade -y
  • Install and set up OpenVPN

    wget https://git.io/vpn -O openvpn-install.sh && sudo bash openvpn-install.sh
    • For Public IPv4 address / hostname enter the static IP address you reserved under VPC Network -> External IP addresses -> RESERVE STATIC IP ADDRESS
    • Which protocol do you want for OpenVPN connections?: 1) UDP
    • What port do you want OpenVPN listening to?: 1194
    • Which DNS do you want to use with the VPN?: 3) Google
    • Finally, tell me a name for the client certificate.: You can just leave it as client
  • Install and enable the UFW firewall

    sudo apt install ufw -y
    sudo ufw allow ssh && sudo ufw enable
  • Install and configure fail2ban

    sudo apt install fail2ban -y
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    # you can make changes in the /etc/fail2ban/jail.local file
    # after that, restart fail2ban with
    sudo service fail2ban restart
  • Change DEFAULT_INPUT_POLICY and DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw and then save and close the file.

  • Uncomment net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf

  • At the end of /etc/ufw/before.rules, after its last COMMIT line, add the following (replace YOUR_ETH0_IP_ADDRESS with the address shown by ip addr | grep eth0, e.g. 10.172.0.2):

    *nat
    -F
    :PREROUTING ACCEPT [0:0]
    -A PREROUTING -i eth0 -d YOUR_ETH0_IP_ADDRESS -p tcp -m multiport --dports 23:65535 -j DNAT --to-destination 10.8.0.2
    -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
    COMMIT
  • Reboot the server

    sudo reboot
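Added example (not code from the original post): a small POSIX shell helper that produces the before.rules NAT block from the VPS's own ip addr output instead of pasting the address by hand, and appends it to the file only once. It also checks the two things that most often go wrong with this step: the DNAT port range must not contain the VPS's SSH port (the page's 23:65535 deliberately starts above 22; if 22 were included, the PREROUTING rule would redirect your own SSH sessions to the home server before ufw's allow ssh rule in INPUT is ever consulted, and you would be locked out of the VPS), and the client address must lie inside the 10.8.0.0/24 VPN subnet the installer set up. The sample ip addr output is constructed, and the function names and the IP_ADDR_OUTPUT variable are my own.

```shell
#!/bin/sh
# Added example, not part of the original page. Renders the *nat block that the
# page appends to /etc/ufw/before.rules, using the VPN layout from the page:
# eth0 on the VPS, VPN subnet 10.8.0.0/24, home server (VPN client) at 10.8.0.2.

# Constructed sample of `ip addr` output on the VPS (not captured from a real host).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP
    link/ether 42:01:0a:ac:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.172.0.2/32 brd 10.172.0.2 scope global eth0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
    inet 10.8.0.1/24 scope global tun0'

# Print the IPv4 address on eth0: the `inet` line whose last field is eth0.
# Usage: eth0_address "$(ip addr)"
eth0_address() {
  printf '%s\n' "$1" |
    awk '$1 == "inet" && $NF == "eth0" { sub("/.*", "", $2); print $2; exit }'
}

# Succeed (exit 0) when the SSH port lies inside the forwarded port range.
# Usage: port_range_forwards_ssh FIRST LAST [SSH_PORT]
port_range_forwards_ssh() {
  [ "$1" -le "${3:-22}" ] && [ "${3:-22}" -le "$2" ]
}

# Print the *nat block for before.rules, or fail with a reason on stderr.
# Usage: render_nat_block ETH0_IP [CLIENT_IP] [FIRST_PORT] [LAST_PORT]
render_nat_block() {
  eth0_ip=$1; client=${2:-10.8.0.2}; first=${3:-23}; last=${4:-65535}
  case $eth0_ip in                       # loose dotted-quad check
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "render_nat_block: '$eth0_ip' is not an IPv4 address" >&2; return 1 ;;
  esac
  case $client in                        # the client must sit in the VPN subnet
    10.8.0.*) ;;
    *) echo "render_nat_block: $client is not in the VPN subnet 10.8.0.0/24" >&2; return 1 ;;
  esac
  if [ "$first" -lt 1 ] || [ "$first" -gt "$last" ] || [ "$last" -gt 65535 ]; then
    echo "render_nat_block: invalid port range $first:$last" >&2; return 1
  fi
  if port_range_forwards_ssh "$first" "$last"; then
    echo "render_nat_block: range $first:$last would forward SSH (22) away from the VPS" >&2
    return 1
  fi
  cat <<EOF
*nat
-F
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d $eth0_ip -p tcp -m multiport --dports $first:$last -j DNAT --to-destination $client
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
COMMIT
EOF
}

# Append the block to a before.rules file once. The stock file ends with its
# filter-table COMMIT, so appending lands the block right after that line.
# Usage: append_nat_block FILE ETH0_IP
append_nat_block() {
  file=$1
  if grep -q '^\*nat' "$file"; then
    echo "append_nat_block: $file already has a *nat table, leaving it untouched" >&2
    return 0
  fi
  grep -q '^COMMIT' "$file" || { echo "append_nat_block: no COMMIT line in $file" >&2; return 1; }
  block=$(render_nat_block "$2") || return 1
  printf '\n%s\n' "$block" >> "$file"
}

# Stand-alone run: print the block for the constructed sample, or for the real
# interface when invoked as  IP_ADDR_OUTPUT="$(ip addr)" sh nat-block.sh
render_nat_block "$(eth0_address "${IP_ADDR_OUTPUT:-$SAMPLE_IP_ADDR}")"
```

Run it on the VPS as IP_ADDR_OUTPUT="$(ip addr)" sh nat-block.sh to print the block for your own eth0 address (the file name is an assumption), or source it as root and call append_nat_block /etc/ufw/before.rules "$(eth0_address "$(ip addr)")" to append it once; a second call is a no-op, so re-running the setup does not duplicate the table.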

Configure the Home Server

  • Install OpenVPN

    sudo apt install openvpn -y
  • Copy the client config from your OpenVPN VPS, which is stored under /root/client.ovpn, to your home server
  • Connect the home server to the OpenVPN VPS (ATTENTION: after you connect you will lose the direct connection to your home server, and it will only be accessible over the VPN, so you have to connect to the OpenVPN VPS and from there open an SSH session with ssh USERNAME@10.8.0.2)

    sudo openvpn client.ovpn

Further information

Now the home server should be accessible over your OpenVPN VPS IP. So if you have any domains that are linked to your public home IP, you have to change them to your OpenVPN VPS IP.

Feel free to ;)