DDoS protection wireguard
woltersstefwoltersstef Member
edited January 2022 in General

Good afternoon,

I am faced with the following problem. I now have some servers running through Hetzner with a WireGuard tunnel, now running 700/800mb of clean traffic, and OVH sometimes sees the traffic as an attack and starts filtering the WireGuard traffic. I have already adjusted the OVH firewall and also created a ticket; they have already increased the limit of UDP/TCP. We have also tried GRE; the only problem is that with Pterodactyl this is not possible, because then you can use a random allocation with each server without being assigned to a Docker container. People who have experience with this or have another solution?

Comments

  • NeoonNeoon Community Contributor, Veteran

    Figure out the threshold when OVH gets triggered, and stay below that threshold.
    If possible, split the traffic over multiple WireGuard links, on different ports or IPs.

    IPv6 apparently has harder limits than IPv4, so keep using that instead.

  • woltersstefwoltersstef Member
    edited January 2022

    @Neoon said:
    Figure out the threshold when OVH gets triggered, and stay below that threshold.
    If possible, split the traffic over multiple WireGuard links, on different ports or IPs.

    IPv6 apparently has harder limits than IPv4, so keep using that instead.

    Yes, I had indeed read that IPv6 is nothing at all. Is it possible to create different WireGuard tunnels with different IPs on the same server?

  • FoxelVoxFoxelVox Member
    edited January 2022

    @woltersstef hey fellow Dutchman,

    OVH has really aggressive filtering, also on WG-based ports. GRE or IPIP is even worse. If it is just for DDoS protection I would actually move away from OVH and try @Francisco's BuyVM with GRE.

    If I'm not mistaken you can change the displayed IP in Pterodactyl, and just let the gameserver/container listen on the internal IP of the GRE tunnel. Then forward your traffic with iptables rules to your internal network.

    Please also see this explanation from Francisco's wiki:

    https://wiki.buyvm.net/doku.php/gre_tunnel
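    As an added illustration of the forwarding step described above (my example, not from FoxelVox's post or the BuyVM wiki): a script that emits the iptables rules which take traffic hitting the public IP on the tunnel frontend and hand it across the tunnel to a container listening on the backend's internal address. The addresses and the port range are constructed placeholders, and the tunnel can be GRE or WireGuard, since either gives the backend an internal IP.

```shell
#!/bin/sh
# Added example: emit iptables rules that forward a game-server port range
# arriving on the filtered public IP across a tunnel to the backend's
# internal tunnel address. Addresses and ports are constructed placeholders.
# Usage: gen_forward_rules PUBLIC_IP TUNNEL_LOCAL_IP BACKEND_IP PORT_FROM PORT_TO
gen_forward_rules() {
    public_ip=$1; tun_local=$2; backend=$3; from=$4; to=$5
    # Refuse a bad range so a typo does not forward every port to the backend.
    if [ "$from" -lt 1 ] || [ "$to" -gt 65535 ] || [ "$from" -gt "$to" ]; then
        echo "invalid port range $from-$to" >&2
        return 1
    fi
    range="$from:$to"
    for proto in tcp udp; do
        # Rewrite the destination so packets reach the container behind the tunnel.
        echo "iptables -t nat -A PREROUTING -d $public_ip -p $proto --dport $range -j DNAT --to-destination $backend"
        # Only the allocated range is forwarded; everything else stays blocked.
        echo "iptables -A FORWARD -d $backend -p $proto --dport $range -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Source-NAT to the tunnel-side address so replies return through the tunnel
    # instead of leaving the backend via its own default route.
    echo "iptables -t nat -A POSTROUTING -d $backend -j SNAT --to-source $tun_local"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed values: public IP on the frontend, tunnel endpoints 10.0.0.1/10.0.0.2,
# and a Pterodactyl allocation range. Pipe the output to sh as root to apply it.
gen_forward_rules 203.0.113.10 10.0.0.1 10.0.0.2 25565 25600
```

    The script only prints rules; review them against the allocation range before applying, because the DNAT line is what decides which ports reach the backend.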

  • woltersstefwoltersstef Member

    @FoxelVox said:
    @woltersstef hey fellow Dutchman,

    OVH has really aggressive filtering, also on WG-based ports. GRE or IPIP is even worse. If it is just for DDoS protection I would actually move away from OVH and try @Francisco's BuyVM with GRE.

    If I'm not mistaken you can change the displayed IP in Pterodactyl, and just let the gameserver/container listen on the internal IP of the GRE tunnel. Then forward your traffic with iptables rules to your internal network.

    Please also see this explanation from Francisco's wiki:

    https://wiki.buyvm.net/doku.php/gre_tunnel

    Yes, we had already looked into that, but we are not getting anywhere since Docker does not connect to the GRE IP properly. OVH is the only option for us because there you have 10Gbit and the pre-firewall itself is good.

  • bshbsh Member

    @woltersstef said:

    Did you try to put your IP under game mode?

  • NeoonNeoon Community Contributor, Veteran

    @woltersstef said:

    @Neoon said:
    Figure out the threshold when OVH gets triggered, and stay below that threshold.
    If possible, split the traffic over multiple WireGuard links, on different ports or IPs.

    IPv6 apparently has harder limits than IPv4, so keep using that instead.

    Yes, I had indeed read that IPv6 is nothing at all. Is it possible to create different WireGuard tunnels with different IPs on the same server?

    Yes, I believe that OVH is either checking by port or IP, maybe both.
    In fact WireGuard uses little to nothing; you can set up as many as you need.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @woltersstef said: Yes, we had already looked into that, but we are not getting anywhere since Docker does not connect to the GRE IP properly. OVH is the only option for us because there you have 10Gbit and the pre-firewall itself is good.

    There's a revised guide that works well with Pterodactyl.

    Basically it moves the DDoS IP from the VPS down to the dedicated server itself, removing the NAT requirements.

    But, it also makes it so ALL connectivity from the backend server goes through the GRE, not just docker stuff.

    It works, it's just weird. I'm sure there's a far more clever way of doing it, but I put the guide together in an hour or two.

    Francisco
