Using a VPS as a router?
Hello, since I have a shitton of NAT servers and a couple of cheap dedicated servers I'd like to protect from DDoS, I was thinking about using a VPS as a router.
The idea is to get a small KVM VPS with "unmetered" bandwidth, and install some sort of firewall/router OS on it. The NAT and dedi servers would then connect to that server, and effectively create their own VPN. I guess I'd be able to use port routing to publish the services I need, while masking the IPs of the real servers and also providing my neat little private network.
Ideally every server would have a virtual NIC with an internal IP address on the VPN, alongside the real one providing Internet access.
However, I'm not sure if this is a good idea and if I should even do it. I was able to find WireGuard, but I don't know how to set it up and before wasting time on doing something that will never work, I figured I'd ask somewhere where people actually do stuff like this every day.
What do you think? Is it a good idea or just a waste of time? How would I go about doing something like that?
Comments
The end is n1gh.
Really depends on the amount of requests per second that your VPS' vCPU can handle.
A VPS acting as a proxy still needs to handle the responses from your dedicated servers and back to the client request. Thus the vCPU in the VPS might prove insufficient, even for the simple proxy forwarding processing.
That's why people use a beefy server as load-balancer/proxy/firewall front end.
I'm not talking about a reverse proxy here, but about something working with raw TCP/UDP.
Probably just about as latent as your spergy self.
For nginx >=v1.9.0:
http://nginx.org/en/docs/stream/ngx_stream_core_module.html
Or simpler, use Cloudflare.
IMHO if you are trying to add protection or IPs to nearby servers/VPSes, you can do that with iptables and wireshark, as well as many other methods. Mesh networks with TINC are my personal favorite. I believe the issue will always be that routing through your private network is not going to be as fast as a route that does not go through your private network. So as long as you don't mind it being slower, there are all sorts of interesting things that you can do.
I would agree that @Jona4s is correct. If you run any real traffic, your front ends are going to work
EDIT: You may also wish to consider how comfortable you feel about setting up your network security, so that if someone manages to get access to one of the servers on your network they can't gain access to all/other servers on your private network.
Yes, I know, but that's not what I need. HTTP is just one of the services I want to have.
HTTP only.
I can live with that. I wanted to experiment with stuff, since right now I'm just using SSH forwarding and it doesn't look too reliable for long-running connections.
Uh?
I guess that would mean setting up a firewall on the main router NATting some servers.
What if I installed OPNsense on a VPS?
I think it doesn't matter all that much what you install but how you set it up. Can't install security.
I think some people set up their LEB empires as a VPN network. Usually one or two access points, but otherwise the VPSes talk to each other exclusively over VPN tunnels.
I have not done this myself, but tinc is sometimes mentioned in this context.
BuyVM has an excellent write-up on this: https://wiki.buyvm.net/doku.php/gre_tunnel
You can learn it, though.
Looks nice. I will buy a couple of VPSes to check stuff.
Holy shit that's helpful
Sure. What I wanted to say is just that you don't necessarily need any kind of specialized OS. Having a good concept is way more important.
Anyway, I don't see much of a problem with what you want to do as long as you can live with the added latency (which might be quite noticeable if your public-facing gateway and your backend are far away from each other) and you are OK with the possibility of creating a bottleneck (if your public gateway has a 1gbit uplink, that will limit all your servers to 1gbit of combined external traffic), but that's probably pretty obvious.
Yeah, in the past I used this to protect gaming servers using OVH VPS. Worked really well.
Not just. It's your personal choice what you feel are acceptable security measures.
But as an example beyond the firewall, I would not set up persistent ssh connections between servers, or use the same key for different servers on the network. Just saying IMHO things that are bad without a mesh network can become multiples of bad with a mesh network.
I use about 12%-20% of a core at 3mb/s - 5mb/s consistent throughput. At a more or less consistent 25mb/s throughput I expect you may run afoul of some providers' CPU fair use policy (25mb/s in + 25mb/s out = 50mb/s). Just saying it is something to be aware of. Your mileage may vary.
Although there are other options, the reason I use TINC is because I can use it on all VPS types, OpenVZ (with tun/tap), KVM, or Xen, without issue; the security is pretty good out of the box; it will do some of the routing for you, as well as find the best route for traffic through your mesh network; it will automatically reconnect after outages; and it works the best through my home router, which runs through other private networks before reaching a public IP. Just my 4 cents... Good luck with your project.
Bookmarked, very nice, mate.
What about WireGuard?
I've been toying around with tinc which sells itself as a mesh vpn solution. I use it in switch mode to test stuff.
Start implementing advertising into your yiff community that allows you to pay for nice things like DDoS protection (your post emphasizes cheap, and it's known how people are leeches on communities) rather than going from provider to provider using their cheap plans as front-facing protection from people trying to trash your community, because I'm very familiar with the DDoS that kind of degeneracy attracts.
It seems dishonest to (ab)use such a provider knowing that your presence on their network is going to attract some network degradation. Customers flee that company, it possibly gets a reputation for poor network quality, and you walk away from that company too.
GRE is always going to be faster than WireGuard.
I have no experience with WireGuard, but that seems like some kind of marketing blurb. See how they list encryption for all alternatives but not for their own benchmark? Besides, there is no mention of what kind of resources are used to achieve those stats (see @FrankZ's post). Also, considering your public-facing gateway and your backend are unlikely to be on the same network, +/-1ms of latency is completely irrelevant.
Performance-wise, WireGuard is a bit faster from my tests compared with OpenVPN and on par with IPsec. Ping times were the same (but in my use case the latency between the 2 hosts is 150+ ms).
Interesting. Do you happen to know which kind of encryption is used and how it performs relating to CPU usage at high bandwidth?
From their site:
You need to keep in mind that unlike OpenVPN and IPsec, the code for WireGuard did not go through the same amount of review, so don't send leaked NSA documents over it.
Thanks. Not that I have the actual knowledge/experience to judge the qualities of ChaCha20, but Bernstein is a pretty cool guy.
Holy shit, I totally didn't check the scale of that graph and my mind went "woah, that's much better" without even thinking about the fact that the servers will be quite far apart.
GCM on AES-NI enabled processors runs circles around ChaCha. Just like any other hardware-accelerated solution. I see the use case of ChaCha on phones or embedded stuff, but if you need speed you need hardware offload.
Sorry for the self-necro.
In the end I decided to just use WireGuard and was able to get a pretty nice link that also automatically starts up at boot and has very good performance.
Was able to get ~800mbit bidirectional between my VPS and Hetzner dedi, with haproxy working a treat. I'm really satisfied with the result.
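The design from the opening post (publish a few ports on the VPS, tunnel them to backends whose real IPs stay hidden) combined with the WireGuard setup the last post landed on, as an added example that is not code from the thread or from any project mentioned in it. Interface names, the 10.66.0.0/24 tunnel net and all addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not apply) the VPS-side rules
# that publish a backend service through the WireGuard hub. Every value below is
# a hypothetical placeholder: 10.66.0.0/24 is the tunnel net, 10.66.0.1 the VPS
# tunnel address, eth0 its public NIC and wg0 the WireGuard interface.
set -eu
PUB_IF=${PUB_IF:-eth0}
WG_IF=${WG_IF:-wg0}
WG_IP=${WG_IP:-10.66.0.1}
WG_NET=${WG_NET:-10.66.0.0/24}

# Baseline: forwarding on, nothing crosses between the public side and the tunnel
# unless a publish rule allows it, and peers do not reach each other through the
# hub (add explicit -i wg0 -o wg0 ACCEPT pairs before the last rule if needed).
baseline_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $WG_IF -j DROP
EOF
}

# publish_rules PROTO PORT BACKEND_TUNNEL_IP: DNAT on the public NIC hands the port
# to the backend's tunnel address, the FORWARD rule admits only that flow, and SNAT
# to the VPS tunnel IP makes the backend answer through the tunnel rather than its
# own public NIC (which would both break the connection and expose its real IP).
# Trade-off: the backend sees 10.66.0.1 as the client; run haproxy with the PROXY
# protocol on both ends if it needs real client addresses.
publish_rules() {
  proto=$1 port=$2 backend=$3
  case $backend in "${WG_NET%.0/24}".*) ;;   # tunnel net assumed to be a /24
    *) echo "$backend is not inside $WG_NET" >&2; return 1 ;; esac
  case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$PUB_IF" "$proto" "$port" "$backend" "$port"
  printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$PUB_IF" "$WG_IF" "$proto" "$backend" "$port"
  printf 'iptables -t nat -A POSTROUTING -o %s -p %s -d %s --dport %s -j SNAT --to-source %s\n' \
    "$WG_IF" "$proto" "$backend" "$port" "$WG_IP"
}

# [Peer] stanza for the VPS wg0.conf: AllowedIPs is the peer's /32 only, so
# WireGuard's cryptokey routing drops tunnel packets claiming another peer's
# address. On each backend, AllowedIPs for the VPS is the tunnel net, not
# 0.0.0.0/0, so its ordinary Internet traffic keeps leaving via its real NIC,
# and the backend sets PersistentKeepalive since it initiates from behind NAT.
peer_stanza() {  # peer_stanza PUBLIC_KEY TUNNEL_IP
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}
```

Review the output first (`baseline_rules; publish_rules tcp 25565 10.66.0.2`), then pipe it to `sh` on the VPS; rules are appended, so run `baseline_rules` once before any `publish_rules`.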