Differences
ipip_tunnel [2015/07/23 13:24] |
ipip_tunnel [2022/02/27 04:58] (current) onekopaka change the tunnel endpoints to unfiltered IP |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | This how-to tutorial was created by BuyVM. We offer affordable and reliable **[[https:// | ||
+ | {{buyvm_logo.png? | ||
+ | ====== Tutorial: IPIP tunneling from your BuyVM DDoS Filtered VPS IP ====== | ||
+ | |||
+ | ==== What is a IPIP tunnel? ==== | ||
+ | |||
+ | Much like a proxy, a IPIP tunnel allows you to pass traffic from your BuyVM VPS including DDoS filtering to another remote destination. | ||
+ | |||
+ | IPIP tunnels allow **all traffic** through, not just HTTP. With a IPIP tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.). | ||
+ | |||
+ | ==== What can your use a IPIP tunnel for? ==== | ||
+ | |||
+ | IPIP tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, | ||
+ | |||
+ | **IPIP tunneling is also the only tunneling method that OVH supports in their included kernels.** | ||
+ | |||
+ | Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. | ||
+ | |||
+ | ==== IPIP Tunnel How-to Tutorial Begins Here ===== | ||
+ | |||
+ | Our how-to tutorial to setup a IPIP tunnel between BuyVM DDoS filtered VPS IP and your remote server starts here. | ||
+ | |||
+ | Following the simple instructions below you should be able to create a IPIP tunnel in under 20 minutes. | ||
+ | |||
+ | ===== Supported Operating Systems ==== | ||
+ | |||
+ | It is possible to use Windows to create, and forward your IPIP tunnel. | ||
+ | |||
+ | In this document we'll only be covering a Linux IPIP tunnel configuration. | ||
+ | |||
+ | This guide will work 100% on a BuyVM KVM Slice. | ||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * iptables installed on your BuyVM VPS (included already in most cases) | ||
+ | * iproute2 (included with pretty much every recent Linux distribution) | ||
+ | * A kernel with IPIP support (Linux includes this by default - '' | ||
+ | * A list of ports you need forwarded to your destination | ||
+ | * A BuyVM KVM Slice (starting as low as [[https:// | ||
+ | * A [[http:// | ||
+ | |||
+ | |||
+ | ===== Tunnel Setup ===== | ||
+ | |||
+ | First we need to set our tunnel up. | ||
+ | |||
+ | On your BuyVM VPS please execute the following commands: | ||
+ | |||
+ | < | ||
+ | echo ' | ||
+ | sysctl -p | ||
+ | iptunnel add ipip1 mode ipip local YOUR_UNFILTERED_IP remote DESTINATION_SERVER_IP ttl 255 | ||
+ | ip addr add 192.168.168.1/ | ||
+ | ip link set ipip1 up | ||
+ | </ | ||
+ | |||
+ | On the remote server you wish to protect run the following: | ||
+ | |||
+ | < | ||
+ | iptunnel add ipip1 mode ipip local DESTINATION_SERVER_IP remote YOUR_UNFILTERED_IP ttl 255 | ||
+ | ip addr add 192.168.168.2/ | ||
+ | ip link set ipip1 up | ||
+ | </ | ||
+ | |||
+ | Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. | ||
+ | ===== Test your New IPIP Tunnel with Ping ===== | ||
+ | |||
+ | On your BuyVM VPS, you should now be able to ping '' | ||
+ | |||
+ | For the sake of completeness, | ||
+ | |||
+ | ===== Setup Source Route Tables ===== | ||
+ | |||
+ | Source route entries are required to make sure data that came in via the IPIP tunnel is sent back out the IPIP tunnel. | ||
+ | |||
+ | Please execute the following commands on the **destination** server. | ||
+ | |||
+ | < | ||
+ | echo '100 BUYVM' >> / | ||
+ | ip rule add from 192.168.168.0/ | ||
+ | ip route add default via 192.168.168.1 table BUYVM | ||
+ | </ | ||
+ | |||
+ | **Please note that the echo command only needs to be ran once. The entry will be saved into / | ||
+ | |||
+ | ===== Initial NAT Entries to Move Data over IPIP Tunnel ===== | ||
+ | |||
+ | NAT is used to pass data over our IPIP and out the other end. | ||
+ | |||
+ | While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn' | ||
+ | |||
+ | On your BuyVM VPS run the following command: | ||
+ | < | ||
+ | iptables -t nat -A POSTROUTING -s 192.168.168.0/ | ||
+ | </ | ||
+ | |||
+ | ===== Test Outbound Connections ===== | ||
+ | |||
+ | On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly: | ||
+ | < | ||
+ | curl http:// | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | wget http:// | ||
+ | </ | ||
+ | |||
+ | The IP dumped should be your BuyVM filtered IP. | ||
+ | |||
+ | ===== Forwarding Ports Over your IPIP Tunnel ===== | ||
+ | |||
+ | To make things easy, we'll forward **all** ports from our filtered IP to the backend server. You can change this rule to only forward certain ports if you like. | ||
+ | |||
+ | Please adjust, and run the following commands on your BuyVM VPS: | ||
+ | < | ||
+ | iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 | ||
+ | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW, | ||
+ | </ | ||
+ | |||
+ | The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. | ||
+ | |||
+ | At this point you should be able to connect to '' | ||
+ | |||
+ | ===== Restarting your IPIP Tunnel After Rebooting ===== | ||
+ | |||
+ | You can edit ''/ | ||
+ | |||
+ | Your distribution of choice (like Debian) may have hooks in ''/ |
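Review bot: The DNAT rule under "Forwarding Ports Over your IPIP Tunnel" (`iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2`) has no protocol or port match, so every port on the filtered IP is handed to the backend. That includes management services such as SSH that were never meant to be published, and the VPS itself no longer answers on that IP. The prerequisites already ask for "a list of ports you need forwarded", so the tutorial should show the restricted form as the default, with `-p tcp --dport PORT` (or the UDP equivalent) per service and the same match on the FORWARD rule, and present all-port forwarding as the exception. Two smaller points: the headings "IPIP Tunnel How-to Tutorial Begins Here" and "Supported Operating Systems" have an unequal number of `=` on each side, and "a IPIP" and "What can your use" should read "an IPIP" and "What can you use".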