This quick tutorial is going to show you how to set up VPN relay between two servers so that when VPN users connect to server A, they will get the public IP address of server B.
Table of Contents
Why Set Up VPN Relay?
Suppose there are two servers: server A and server B.
Naturally, you want to install VPN on server A. But what if you want the Internet to see your traffic coming from server B’s IP address? That where VPN relay comes in.
I won’t go step by step. Just tell you the general steps and key points.
Step 1: Set Up WireGuard VPN between the Client computer and server A
Step 2: Set Up WireGuard VPN Between Server A and Server B
You can use the tutorial linked in step 1. The only exception is that you should create a new WireGuard config file on server A. There will be two WireGuard config files on server A. One is for connection from client computers. The other is for connection to server B (vpn-relay.conf).
sudo nano /etc/wireguard/vpn-relay.conf
Add the following lines. You need to change the private key and public key as appropriate. Also, change 12.34.56.78 with server B’s public IP address.
[Interface]
Address = 10.10.10.200/32
PrivateKey = 7UKv5aEX2pVRA4Ncig81fSflaSSFRcoJOm75T9Ia4yM=
#Policy routing. Be sure to exclude port 22.
Table = 1234
PostUp = ip rule add dport 25-20480 table 1234;
PreDown = ip rule delete dport 25-20480 table 1234;
[Peer]
#Server B
PublicKey = ahUcxMSfNRYI0Kf9VFtVDB9TWoxX5cxi4thqHmz1NRI=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25
In the above configuration, we used policy routing, so most traffic from server A will be passed to server B, except SSH traffic. You need to exclude the SSH port, so you will still be able to log into server A via SSH.
To start this WireGuard interface, run
sudo systemctl restart [email protected]
Once this step is completed, run the following command on server A to check the public IP address.
curl -4 https://icanhazip.com
If WireGuard is configured correctly, you should see the public IP address of server B from the command output.
Step 3: Configure Firewall to Link Them Together
Now we need to configure the firewall on server A to forward traffic from VPN clients to server B.
Open the UFW config file.
sudo nano /etc/ufw/before.rules
You probably already have the following lines at the end of this file.
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o enp3s0 -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT
Change it to:
# NAT table rules *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.10.10.0/24 -d 0.0.0.0/0 -o vpn-relay -j MASQUERADE # End each table with the 'COMMIT' line or these rules won't be processed COMMIT
Save and close the file. Then restart UFW.
sudo systemctl restart ufw
Now VPN traffic from the client will be redirected to server B. VPN clients will get server B’s public IP address.
That’s it!