It’s not always easy or possible to setup port forwarding so you can access your home PC or any other device through public IP your internet service assigns you. Problem is also if your ISP rotate IPs so you always need to keep track of it. One option is to try to convince ISP to give you static IP but traffic routing on ISP side can be also behind NAT, which might be complicated to configure and guys from ISP tend to tell you forwarding is not possible.
So what can you do about that? Sometimes nothing. 🙂
But if you incidentally have something like small virtual server (which you can rent for 4 bucks a month), you can use it to access your home network. I have 5+ machines in mine, 3 strong desktop PCs which I turned into servers (around $150 value on server market) that I could easily upgrade with more RAM or storage, 2 Raspberries, few Arduinos (cheap DIY home automation).
Yes, right, where can I find server for $4/month you might think. It’s not that hard, for example, Kimsufi offers very cheap dedicated servers. Maybe you need to wait a bit to get the right price. They usually add new machines on daily basis. You can also rent virtual dedicated servers from Google or Amazon, which is quite cheep if you only use it for traffic forwarding. On the other side maybe you already work on the web and have your own servers which is then just added bonus of your home servers on demand.
Basic setup are two machines, one with public IP and your home PC. Most of the times I forward requests to machines in home network like signals between Arduino and that PC or do some background processing which only needs to be triggered.
The idea is to create lite VPN network and to use Haproxy for port forwarding. For VPN purposes we are going to use Tinc, nice little but powerful piece of open source. In my case server with public IP is CentOS 6.3 and private behind the NAT server is Ubuntu server 16.04.
To install Tinc daemon on CentOS use:
yum install tinc
And on ubuntu server use:
apt install tinc
Of course, if you’re not logged in as a root you need to prefix commands with sudo. It worked on my systems with no problem and as you know CentOS 6.3 is quite ancient version. To check if it is installed properly type:
It’s useful to read what options you have available with Tinc daemon and that’s exactly what help parameter provides.
Now, lets give your server with static IP name “cloud” and private one “home”. Also we are going to create network interface for both servers inside tinc startup script, which we can name tinc-up. We also need tinc-down script which will tinc use to shutdown interface when it’s not running.
So first open default tinc config file on each server:
and add following:
Name = cloud AddressFamily = ipv4 Interface = btc0
in “cloud” config and
Name = home AddressFamily = ipv4 Interface = btc0
in “home” config. Now open/create tinc-up file:
and add following:
ifconfig $INTERFACE 10.255.0.1 netmask 255.255.255.0
for “cloud”, and
ifconfig $INTERFACE 10.255.0.2 netmask 255.255.255.0
for “home”. You also need to open/create tinc-down file on both servers:
with following content:
ifconfig $INTERFACE down
You might need to add executable permission on those files:
chmod ugo+x tinc-*
The only thing left is to create private and public keys for your servers and to exchange public keys between servers in your VPN, which in this case consists of only two servers. But adding more servers would be easy as repeating above steps. To generate keys do this:
mkdir /etc/tinc/hosts tincd -c . -K
Finally, edit file in hosts directory to look like this:
Address = [IP address of cloud server] Subnet = 10.255.0.1/32 -----BEGIN RSA PUBLIC KEY----- [public key for the cloud server] -----END RSA PUBLIC KEY-----
Do the same for both servers, except for the Address directive part which only need to be added on “cloud” server.
Now you only need to copy content of the /etc/tinc/hosts directory between servers:
scp email@example.com:/etc/tinc/hosts/cloud /etc/tinc/hosts scp /etc/tinc/hosts/home firstname.lastname@example.org:/etc/tinc/hosts
and start tinc daemon on both ends:
If everything is fine you have a kind of VPN up and ready. It’s now quite easy to forward ports from your “cloud” server to any “home” server using Haproxy and some similar software. I’m going to revisit Haproxy setup in some other tutorial. Good luck!