Dark's Code Dump

Possibly useful

Tunnel a secondary public IP from one server to a VM on another server

My problem was that I have an OVH SoYouStart server with 16 IPs that I want to use on other servers; in this case, as the public IP of a VM on another server.

I have been through a lot of guides for this that require complicated (IMO) NAT configurations, but I was not convinced NAT is necessary when an IP on the source server can be completely dedicated to the destination server. I have also seen some guides use GRE or IPIP, but I would rather use something secure (neither GRE nor IPIP encrypts or authenticates the tunnelled traffic).

Turns out it is indeed possible to do this without any NAT, using just pure WireGuard!

This guide is based on using wg-quick on Debian; the configs shown would go somewhere like /etc/wireguard/wg0.conf.

On the source server, the one with the extra physical IP that you want to tunnel/share:

[Interface]
Address      = 10.115.0.1/24
PrivateKey   = blah
ListenPort   = 12345

[Peer]
PublicKey    = blah
PresharedKey = blah
AllowedIPs   = THE_IP_TO_SHARE

Address can be anything; I don't think it really matters. THE_IP_TO_SHARE should be the unused physical IP that you want to tunnel/share. That IP should already be routed to the server (your provider's problem), but must not be bound to any interface on it. Set up the keys and port yourself.

And on the destination server:

[Interface]
PrivateKey   = blah
Address      = THE_IP_TO_SHARE/32

[Peer]
PublicKey    = blah
PresharedKey = blah
AllowedIPs   = 0.0.0.0/0
Endpoint     = PUBLIC_IP_OF_SOURCE_SERVER:12345

In my case the destination was a VM behind the default libvirt NAT. (The presence of NAT/libvirt is completely immaterial.) If you care about not revealing the host's IP, you could probably run WireGuard in a network namespace on the host and do some clever bridging.

THE_IP_TO_SHARE must be the same address as AllowedIPs on the source server. PUBLIC_IP_OF_SOURCE_SERVER should be a normal public IP of the source server, not the shared one.

Unlike other guides, the configuration ends here: wg-quick installs the routes itself (on the destination, AllowedIPs = 0.0.0.0/0 makes it send all traffic through the tunnel), so there is no iptables cancer to set up. You probably need to enable IP forwarding on the source server and ensure any firewall on the source server allows the forwarding.


A small footnote: it may be obvious to networking gurus, but keep in mind this will not work if the source server has only one IPv4 address, as it will no longer be able to communicate with the v4 internet once that address is removed from the WAN interface. I have yet to come up with a good NAT-free solution to that, but I imagine it is possible somehow, perhaps with network namespaces.
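The two configs above have to agree with each other in a few places (the shared IP, the listen port, the catch-all AllowedIPs on the destination), and the footnote adds one more constraint: the Endpoint must not be the very address being tunnelled. Below is an added pre-flight checker for a source/destination pair of wg-quick configs; it is example code written for this page, not part of the original post or of WireGuard. The sample configs, the addresses 203.0.113.10 and 198.51.100.5 (documentation ranges) and the PostUp sysctl line are constructed for the example; the post itself only says forwarding "probably" needs enabling.

```python
"""Pre-flight consistency check for a source/destination wg-quick pair.

Constructed example, not from the original post. Sample configs use
placeholder keys and documentation-range addresses (203.0.113.0/24,
198.51.100.0/24); substitute your own when running it for real.
"""
import ipaddress
import re

# Constructed sample mirroring the post's source-server config.
SOURCE_CONF = """\
[Interface]
Address      = 10.115.0.1/24
PrivateKey   = blah
ListenPort   = 12345
PostUp       = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey    = blah
PresharedKey = blah
AllowedIPs   = 203.0.113.10/32
"""

# Constructed sample mirroring the post's destination config.
DEST_CONF = """\
[Interface]
PrivateKey   = blah
Address      = 203.0.113.10/32

[Peer]
PublicKey    = blah
PresharedKey = blah
AllowedIPs   = 0.0.0.0/0
Endpoint     = 198.51.100.5:12345
"""

# Ranges that can never be the "public IP to share".
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def parse_wg(text):
    """Parse wg-quick INI text into [(section_name, {key: value}), ...].

    Hand-rolled because configparser rejects the repeated [Peer] sections
    WireGuard allows. Keys are lower-cased; a later duplicate key wins.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = {}
            sections.append((m.group(1).lower(), current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def section(conf, name):
    return [body for sec, body in conf if sec == name]


def check_pair(source_text, dest_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    src, dst = parse_wg(source_text), parse_wg(dest_text)
    src_if, dst_if = section(src, "interface")[0], section(dst, "interface")[0]
    src_peers, dst_peer = section(src, "peer"), section(dst, "peer")[0]

    # The shared IP is the destination's Address and must be a single /32.
    shared = ipaddress.ip_interface(dst_if["address"])
    if shared.network.prefixlen != 32:
        problems.append(f"destination Address {shared} should be a /32")
    if any(shared.ip in net for net in NON_PUBLIC):
        problems.append(f"{shared.ip} is not a public address")

    # The source must route exactly that IP to its peer (AllowedIPs).
    src_allowed = {ipaddress.ip_network(a.strip())
                   for p in src_peers for a in p["allowedips"].split(",")}
    if ipaddress.ip_network(f"{shared.ip}/32") not in src_allowed:
        problems.append(f"source AllowedIPs does not contain {shared.ip}/32")

    # The destination sends everything into the tunnel, to the source's port.
    if "0.0.0.0/0" not in dst_peer["allowedips"].replace(" ", "").split(","):
        problems.append("destination AllowedIPs should include 0.0.0.0/0")
    host, _, port = dst_peer["endpoint"].rpartition(":")
    if port != src_if.get("listenport"):
        problems.append(f"Endpoint port {port} != source ListenPort "
                        f"{src_if.get('listenport')}")

    # The footnote: the tunnel cannot ride on the address it is tunnelling.
    if ipaddress.ip_address(host.strip("[]")) == shared.ip:
        problems.append("Endpoint IP equals the shared IP; "
                        "the source needs a separate public IP")

    # Forwarding on the source; the post says you probably need it.
    if "ip_forward=1" not in src_if.get("postup", ""):
        problems.append("source has no PostUp enabling net.ipv4.ip_forward")
    return problems


if __name__ == "__main__":
    for p in check_pair(SOURCE_CONF, DEST_CONF) or ["configs are consistent"]:
        print(p)
```

Run it against the real files (for example by reading both wg0.conf files into the two strings) before bringing the interfaces up; every message it prints corresponds to one of the "should be the same" rules in the post, so an empty result means the two sides at least agree with each other.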
