selfhosting-blogposts/portforwarding/index.md

---
search:
  exclude: true
---
# portforwarding Setup 

In this tutorial we're going to look at how to port forward services from being local to VPSes.

## **Initial Setup**

Situation: you want to run some services locally. But you want them to be publicly accessible without revealing your public IP.

Solution 1: install openvpn, and port forward through iptables, as seen on [](../../opsec/mailprivate/index.md)
    
    
    wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh
    chmod +x openvpn-install.sh
    ./openvpn-install.sh
    
    #then install it, then run it again to add an user
    
    ./openvpn-install.sh
    
    Tell me a name for the client.
    Use one word only, no special characters.
    Client name: nothing
    
    Do you want to protect the configuration file with a password?
    (e.g. encrypt the private key with a password)
       1) Add a passwordless client
       2) Use a password for the client
    Select an option [1-2]: 2
    ⚠️ You will be asked for the client password below ⚠️
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.1.1j  16 Feb 2021
    Generating an EC private key
    writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'nothing'
    Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Client nothing added.
    
    The configuration file has been written to /root/nothing.ovpn.
    Download the .ovpn file and import it in your OpenVPN client.
    
    
    
    
    
    #then  make it a systemd service to run openvpn on the client (from where the service runs):
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → sudo vim /etc/systemd/system/vpn.service
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → cat /etc/systemd/system/vpn.service
    [Unit]
    Description=VPN
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=simple
    ExecStart=/usr/bin/openvpn /root/nothing.ovpn
    ExecStop=kill -9 $(pidof openvpn)
    Restart=always
    
    [Install]
    WantedBy=multi-user.target
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → systemctl daemon-reload ; systemctl enable --now vpn ; ping 10.8.0.1
    
    
    
    
    
    
    #on the VPN server we forward the ports to the local VM via iptables: (change ens3 to the correct network interface + the correct ip)
    
    root@mail-gw:~# cat iptables_forwardrules.sh
    #!/bin/bash
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587
    iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993
    
    root@mail:~# chmod +x iptables_forwardrules.sh
    root@mail:~# ./iptables_forwardrules.sh
    
    #from the VM we allow the packets to be forwarded to us:
    
    root@mail-nihilism:~# cat iptables_forwardrules.sh
    #!/bin/bash
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT
    iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT
    
    root@mail-nihilism:~# chmod +x iptables_forwardrules.sh
    root@mail-nihilism:~# ./iptables_forwardrules.sh
    	
    

you also need to allow the ip forwarding (change ens3 to the correct network interface):
    
    
    root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1
    net.ipv4.conf.ens3.forwarding = 1
    root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1
    net.ipv6.conf.ens3.forwarding = 1
    root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf
    root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf
    root@mail-gw:~# sysctl -p
    net.ipv6.conf.ens3.forwarding = 1
    net.ipv4.conf.ens3.forwarding = 1
    
    #for arch users, install libvirt:
    sudo pacman -S libvirt
    vim /etc/sysctl.d/30-ipforward.conf
    cat /etc/sysctl.d/30-ipforward.conf
    net.ipv4.ip_forward=1
    net.ipv6.conf.default.forwarding=1
    net.ipv6.conf.all.forwarding=1
    
    [ nihilism ] [ /dev/pts/1 ] [~]
    → sysctl net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    	
    

If that doesnt work, do it via nginx:
    
    
    #on the server:
    
    apt install nginx libnginx-mod-stream -y
    systemctl stop nginx
    
    [ nowhere.moe ] [ /dev/pts/7 ] [~]
    → vim /etc/nginx/nginx.conf
    
    [ nowhere.moe ] [ /dev/pts/7 ] [~]
    → cat /etc/nginx/nginx.conf
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    error_log /var/log/nginx/error.log;
    include /etc/nginx/modules-enabled/*.conf;
    
    events {
    	[...]
    }
    
    http {
    	[...]
    }
    
    stream {
            server {
                    listen 3389; # tcp port forwarding
                    proxy_pass 10.8.0.3:3389;
            }
            server {
                    listen 25565; # tcp port forwarding
                    proxy_pass 10.8.0.2:25565;
            }
        server {
                    listen 25565 udp; # udp port forwarding
                    proxy_pass 10.8.0.2:25565;
                    proxy_responses 0;
            }
    }
    
    [ nowhere.moe ] [ /dev/pts/7 ] [~]
    → nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
    [ nowhere.moe ] [ /dev/pts/7 ] [~]
    → systemctl start nginx
    	
    # then just test if the ports are opened:
    
    [ nowhere.moe ] [ /dev/pts/7 ] [~]
    → nmap 10.8.0.2 -p 25565
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 17:15 CEST
    Nmap scan report for 10.8.0.2
    Host is up (0.022s latency).
    
    PORT      STATE SERVICE
    25565/tcp open  minecraft
    
    Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
    
    [ 10.0.2.2/24 ] [ /dev/pts/26 ] [~/Nextcloud/blog]
    → nmap nowhere.moe -p 25565
    Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 17:15 CEST
    Nmap scan report for nowhere.moe (116.202.216.190)
    Host is up (0.023s latency).
    
    PORT      STATE SERVICE
    25565/tcp open  minecraft
    
    Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds