Last active
October 18, 2025 04:58
Revisions
arrogantrabbit revised this gist
Oct 18, 2025. 1 changed file with 36 additions and 34 deletions.
@@ -110,48 +110,50 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T ### Packet forwarding Now the very last thing, the meat of this tutorial. In the [Interface] section on the server in the /etc/wireguard/wg0.conf add the following PreUp and PostDown rules (PostDown rules are copies of PreUp rules, but with -A or -I options replaced with -D, to delete the rule): ``` # Allow WireGuard's own traffic to reach the server. PreUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT # Allow incoming Storj connections on the public interface BEFORE they are forwarded. PreUp = iptables -I INPUT -p tcp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p tcp --dport 51820 -j ACCEPT PreUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT # Port forward incoming Storj traffic to the VPN client. PreUp = iptables -t nat -I PREROUTING -i ens3 -p tcp --dport 51820 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 51820 -j DNAT --to-destination 10.0.60.2:28967 PreUp = iptables -t nat -I PREROUTING -i ens3 -p udp --dport 51820 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -i ens3 -p udp --dport 51820 -j DNAT --to-destination 10.0.60.2:28967 # Allow the now-forwarded traffic to pass from the public interface to the VPN interface. 
PreUp = iptables -I FORWARD -i ens3 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT PreUp = iptables -I FORWARD -i ens3 -o %i -p tcp -d 10.0.60.2 --dport 28967 -j ACCEPT PreUp = iptables -I FORWARD -i ens3 -o %i -p udp -d 10.0.60.2 --dport 28967 -j ACCEPT PostDown = iptables -D FORWARD -i ens3 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT PostDown = iptables -D FORWARD -i ens3 -o %i -p tcp -d 10.0.60.2 --dport 28967 -j ACCEPT PostDown = iptables -D FORWARD -i ens3 -o %i -p udp -d 10.0.60.2 --dport 28967 -j ACCEPT # Allow outbound traffic from the VPN client out to the internet PreUp = iptables -I FORWARD -i %i -o ens3 -j ACCEPT PostDown = iptables -D FORWARD -i %i -o ens3 -j ACCEPT # Perform NAT for traffic from the VPN client going to the internet PreUp = iptables -t nat -I POSTROUTING -s 10.0.60.2/32 -o ens3 -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -s 10.0.60.2/32 -o ens3 -j MASQUERADE ``` These achieve few things: - Allow traffic to Wireguard port, so that your server can connect to establish the tunnel. - Allow new tcp and udp connections to Storj port (We are inserting the rule in the very top of the chain; it’s enough to make sure it’s before rule 6, which on oracle instances is reject; so use -I, not -A). - Port forward incoming Storj traffic to the VPN client. - Allow the now-forwarded traffic to pass from the public interface to the VPN interface - Allow outbound traffic from the VPN client out to the internet. - Perform NAT for traffic from the VPN client going to the internet On the server, restart the wireguard service: -
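Review bot: the "Allow incoming Storj connections" and "Port forward incoming Storj traffic" rules all match --dport 51820, which is also WireGuard's own listen port (the first rule in the block opens udp 51820 for exactly that, so `PreUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT` now appears twice). nat PREROUTING runs before INPUT and -I puts the rule at the head of the chain, so `iptables -t nat -I PREROUTING -i ens3 -p udp --dport 51820 -j DNAT --to-destination 10.0.60.2:28967` will rewrite the client's own handshake and keepalive packets and try to forward them into a tunnel that is not up yet; the tunnel never establishes. The VCN security list in the Dec 25, 2022 revision also admits only tcp/udp 28967 and udp 51820, so tcp 51820 is filtered before it reaches the VM. If Storj is meant to stay on 28967, these four --dport values should be 28967; if 51820 is really the intended public Storj port, WireGuard's ListenPort has to move. Two smaller points: DNAT'd packets traverse FORWARD, not INPUT, so the INPUT ACCEPTs for the Storj port only matter if something on the VPS itself listens there; and removing the old `-t nat -I POSTROUTING -o %i -j MASQUERADE` means the node now sees real peer addresses but must route its replies back into wg0, which requires the client's AllowedIPs to cover 0.0.0.0/0 (or equivalent policy routing) rather than the 10.0.60.1/32 shown elsewhere on this page; that client-side change should be documented together with this hunk.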
arrogantrabbit revised this gist
Dec 25, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -17,7 +17,7 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T |----------|---------|-------------|-------------------|------------------------|---------------|--------|------------| | No | 0.0.0.0/0 | TCP | All | 28967| |TCP Traffic for port 28967 | Storj TCP| | No | 0.0.0.0/0 | UDP | All | 28967| |UDP Traffic for port 28967 | Storj UDP| | No | 0.0.0.0/0 | UDP | All | 51820| |UDP Traffic for port 51820 | Wireguard| That's all that needs to be done in Oracle console. -
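Review bot: the WireGuard row's Source is still 0.0.0.0/0 even though only the node needs to reach udp 51820; the two Storj rows must stay open to everyone, but this one can be narrowed to the node's ISP address range, as the Dec 14, 2022 revision's prose already suggests, so the handshake port is not exposed to the whole internet. The protocol change from TCP to UDP on this row is right: WireGuard speaks UDP only.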
arrogantrabbit revised this gist
Dec 19, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ ## DNAT with iptables over wireguard hosted on a VPS to host services behind a firewall/GNAT. This is a short description of how to host services, using [STORJ node](https://www.storj.io/node) as an example, on a host behind GNAT, or otherwise restrictive firewall, by forwarding packets through WireGuard endpoint on a relatively fast nearby VPS. This is not specific to Storj, and can be adopted to hosting other services. As an example we will use an Oracle Cloud instance. Free tier still provides 10TB of monthly traffic that is sufficient for most node operators. Just make sure to create an account in a closest datacenter to minimize extra latency. -
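Review bot: "GNAT" in the heading and in the first sentence should read "CGNAT" (carrier-grade NAT), which is the term readers will search for; "adopted to hosting other services" should be "adapted to host other services", and "through WireGuard endpoint" needs an article.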
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -86,7 +86,7 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T [Peer] PublicKey = <client public key> AllowedIPs = 10.0.60.2/32 ``` 2. On the client: `/usr/local/etc/wireguard/wg0.conf` -
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -1,3 +1,5 @@ ## DNAT with iptables over wireguard hosted on a VPS to host services behind a firewall/GNAT. This is a short description of how to host [storj node](https://www.storj.io/node) when the server is behind GNAT, or for other reasons cannot get routable address, by forwarding packets through WireGuard through a relatively fast nearby VPS. This is not specific for Storj, and can be adopted by hosting any other services. As an example we will use an Oracle Cloud instance. Free tier still provides 10TB of monthly traffic that is sufficient for most node operators. Just make sure to create an account in a closest datacenter to minimize extra latency. -
arrogantrabbit revised this gist
Dec 14, 2022. No changes.
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 3 additions and 3 deletions.
@@ -146,9 +146,9 @@ PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-desti These acomplish few things: 1. Allow traffic to Wireguard port, so that your server can connect to establish the tunnel . 2. Allow new tcp and udp connections to Storj port (note inserting the rule before rule 6, on oracle instances rule 6 is reject). 2. Allow Storj packet forwarding to wireguard interface. 3. Turn on masquarading, to facilitate the correct routing of response packets. -
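Review bot: the list is numbered 1, 2, 2, 3; renumber it 1 to 4. The item "Turn on masquarading, to facilitate the correct routing of response packets" should say what is actually being traded: the `iptables -t nat -I POSTROUTING -o %i -j MASQUERADE` rule rewrites the source of every forwarded Storj packet to the tunnel address, which is what lets the node reply through the tunnel without any routing change on the client, but it also means the node sees every peer as 10.0.60.1. Typos: "acomplish", "masquarading", and a stray space before the period in item 1.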
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 2 additions and 2 deletions.
@@ -17,10 +17,10 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T | No | 0.0.0.0/0 | UDP | All | 28967| |UDP Traffic for port 28967 | Storj UDP| | No | 0.0.0.0/0 | TCP | All | 51820| |UDP Traffic for port 51820 | Wireguard| That's all that needs to be done in Oracle console. 5. Optionaly, configure the public IP as an A record on your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and in your storj node. ### Installing and configuring wireguard tunnel -
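Review bot: the IP Protocol column for the 51820 row says TCP while its Allows column says "UDP Traffic for port 51820"; WireGuard uses UDP, so this rule leaves the handshake port closed at the VCN level and the tunnel will not come up until the row is changed to UDP. Also "Optionaly" should be "Optionally".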
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 24 additions and 23 deletions.
@@ -9,15 +9,15 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T 3. Configure public IP address (this is the default), and upload SSH key to access the instance. 4. Then edit the `Ingress Rules` in the Default Security List in the VCN associated with the instance and rules to allow: - Traffic from anywhere `0.0.0.0/0`, any port, to destination port `28967`, one for udp, one for tcp. This is for storj. - UDP to port `51820`, for WireGuard. It does not need to be this specific port, any will do, just adjust the rest accordingly. The source network can also be narrowed down to your ISP's address range, if desired. | Statless | Source | IP Protocol | Source Port Range | Destination Port Range | Type and Code | Allows | Description| |----------|---------|-------------|-------------------|------------------------|---------------|--------|------------| | No | 0.0.0.0/0 | TCP | All | 28967| |TCP Traffic for port 28967 | Storj TCP| | No | 0.0.0.0/0 | UDP | All | 28967| |UDP Traffic for port 28967 | Storj UDP| | No | 0.0.0.0/0 | TCP | All | 51820| |UDP Traffic for port 51820 | Wireguard| That's all that needs to be done in Oracle console. The 5. Optionaly configure the public IP as an A record on your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and in your storj node. 
@@ -40,30 +40,30 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T (umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey ``` 2. Add peer information (public key and address) after configuing it below 3. Enable ipv4 forwarding: in `/etc/sysctl.conf` uncomment ```ini # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 ``` and for the change to take effect load it: ```bash sudo sysctl -p ``` Note: it is possible to configure this key in a number of other configuration files, see `man sysctl`, but in this case either provide path to file to `-p` argument or simply use `sudo sysctl --system`, that will parse all configuration files. 3. Enable and start the wireguard service: ```bash sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 ``` On the client, assuming it's a TrueNAS, and storj runs in the jail, we would need few things: 1. In the jail properties tick the `allow_tun` flag. (e.g. `iocage set allow_tun=1 jailname`) 2. On the host under System -> Tunables add `LOADER` variable `if_wg_load` with the value `YES`, to load wireguard kernel module. 4. Initialize the wireguard config file and create keys just like above, noting that in FreeBSD the default configuration file location is `/usr/local/etc/wireguard/wg0.conf` 3. In the jail, in the `/etc/rc.conf` add ```ini wireguard_enable="YES" wireguard_interfaces="wg0" @@ -73,7 +73,7 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T 1. On the server: `/etc/wireguard/wg0.conf` ```ini [Interface] PrivateKey = <server private key> ListenPort = 51820 Address = 10.0.60.1 
@@ -83,17 +83,18 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT [Peer] PublicKey = <client public key> AllowedIPs = 10.0.60.2 ``` 2. On the client: `/usr/local/etc/wireguard/wg0.conf` ```ini [Interface] PrivateKey = <client private key> Address = 10.0.60.2 [Peer] PublicKey = <server public key> AllowedIPs = 10.0.60.1/32 Endpoint = sub.example.com:51820 PersistentKeepalive = 25 @@ -103,11 +104,11 @@ As an example we will use an Oracle Cloud instance. Free tier still provides 10T service wireguard start ``` At this point the client shall be able to ping the server, and the server shall be able to ping the clinet, at `10.0.60.1` and `10.0.60.2` addresses, respectively. ### Packet forwarding Now the very last thing, the meat of this tutorial. In the `[Interface]` section on the server in the `/etc/wireguard/wg0.conf` add the following `PreUp` and `PostDown` rules (PostDown rules are copies of PreUp rules, but with `-A` or `-I` options replaced with `-D`, to delete the rule): ```ini # Allow forwarding to and from wireguard interface @@ -121,7 +122,7 @@ PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE # Note: in the next session we are inserting the rules below at position 6, before the default REJECT rule present on Oracle VMS. Your VPS may have similar default rules; adjust accordingly. # Allow Wireguard ports through the firewall PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT 
@@ -133,10 +134,10 @@ PreUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT # Any other ports for additinal applications can be added similarly. # ... # DNAT Storj ports to the client on the other side of the tunnel PreUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PreUp = iptables -t nat -I PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 -
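Review bot: in the @@ -40,30 hunk the VPS steps are numbered 2, 3, 3 and the TrueNAS steps 1, 2, 4, 3; renumber them so the order of operations is clear (load the kernel module and set allow_tun first, then keys and config, then rc.conf). The note on `sudo sysctl -p` is right that it reads only /etc/sysctl.conf; `sudo sysctl --system` is the command to give if the key is placed under /etc/sysctl.d/.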
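Review bot: in the @@ -83,17 hunk the server peer has `AllowedIPs = 10.0.60.2` while the client peer uses `AllowedIPs = 10.0.60.1/32`; write the prefix explicitly on both sides so the cryptokey routing entry is unambiguous, and give the client's `Address = 10.0.60.2` a prefix as well.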
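Review bot: in the @@ -121,7 hunk the comment relies on inserting "at position 6, before the default REJECT rule present on Oracle VMS". A fixed position is fragile: each `-I INPUT 6` pushes the previous insert down one slot, and any rule added by the image or by hand moves the REJECT, so an ACCEPT can silently land after it. Insert at the head of the chain with plain `-I INPUT`, or verify with `iptables -L INPUT --line-numbers` before depending on the number.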
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 63 additions and 43 deletions.
@@ -1,61 +1,73 @@ This is a short description of how to host [storj node](https://www.storj.io/node) when the server is behind GNAT, or for other reasons cannot get routable address, by forwarding packets through WireGuard through a relatively fast nearby VPS. This is not specific for Storj, and can be adopted by hosting any other services. As an example we will use an Oracle Cloud instance. Free tier still provides 10TB of monthly traffic that is sufficient for most node operators. Just make sure to create an account in a closest datacenter to minimize extra latency. ### Notes on configuring the cloud instance 1. Create the oracle compute instance (ideally, Ampere, because they are awesome, but if that is not availabe, any other will do too). 2. Pick any OS you prefer, here we'll describe Ubuntu, as a most popular one. 3. Configure public IP address (this is the default), and upload SSH key to access the instance. 4. Then edit the `Ingress Rules` in the Default Security List in the VCN associated with the instance and rules to allow: - Traffic from anywhere `0.0.0.0/0`, any port, to destination port `28967`, one for udp, one for tcp. This is for storj. - UDP at port `51820`, for WireGuard. It does not need to be this specific port, any will do, just adjust the rest accordingly. The source network can also be narrowed down to your ISP's address range, if desired. | Statless | Source | IP Protocol | Source Port Range | Destination Port Range | Type and Code | ALlows | Description| |----------|---------|-------------|-------------------|------------------------|---------------|--------|------------| | No | 0.0.0.0/0 | TCP | All | 28967| TCP Traffic for port 28967 | TCP port for Storj| | No | 0.0.0.0/0 | UDP | All | 28967| UDP Traffic for port 28967 | UDP port for Storj| | No | 0.0.0.0/0 | TCP | All | 51820| UDP Traffic for port 51820 | UDP port for Wireguard| That's all that needs to be done in Oracle console. The 5. 
Optionaly configure the public IP as an A record on your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and in your storj node. ### Installing and configuring wireguard tunnel 1. ssh to your new instance, update software, and install wireguard: ```bash sudo apt update && sudo apt upgrade sudo reboot sudo apt install wireguard -y ``` 2. Configure wireguard tunnel between your node and VPS. There are tons of tutorials, here are the steps for reference: On the VPS: 1. Initialize the config file ```bash (umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey ``` 2. Add peer info from below 3. Enable ipv4 forwarding: in `/etc/sysctl.conf` uncomment ```ini # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 ``` and for the change to take effect: ```bash sudo sysctl -p sudo sysctl --system ``` 3. Enable and start the service ```bash sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 ``` On the client, assuming it's a TrueNAS and storj runs in the jail, we would need few things: 1. In the jail properties tick the `allow_tun` flag. (e.g. `iocage set allow_tun=1 jailname`) 2. On the host under System -> Tunables add `LOADER` variable `if_wg_load` with the value `YES`, to load wireguard kernel module. 4. Initialize the wireguard config file and create keys just like above, noting that in FreeBSD the configuration file location will be `/usr/local/etc/wireguard/wg0.conf` 3. In the jail in the `/etc/rc.conf` add ```ini wireguard_enable="YES" wireguard_interfaces="wg0" ``` Generally, the config files shall look like so: 1. On the server: `/etc/wireguard/wg0.conf` 
@@ -93,12 +105,12 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB At this point the client shall be able to ping the server and the server shall be able to ping the clinet at 10.0.60.1 and 10.0.60.2 addresses respectively. ### Packet forwarding Now the very last thing. In the `[Interface]` section on the server in the `/etc/wireguard/wg0.conf` add the following rules ```ini # Allow forwarding to and from wireguard interface PreUp = iptables -I FORWARD -i %i -j ACCEPT PreUp = iptables -I FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT @@ -109,14 +121,20 @@ PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE # Note: we are inserting the ACCEPT rules below at position 6, before the default REJECT rule present on Oracle VMS. Your VPS may have similar default rules; adjust accordingly. # Allow Wireguard ports through the firewall PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT # Allow STORJ ports through the firewall PreUp = iptables -I INPUT 6 -p tcp -m state --state NEW --dport 28967 -j ACCEPT PreUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT # Any other ports for additinal applications can be added accordignly. # ... # DNAT it PreUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 
@@ -127,16 +145,18 @@ PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-desti These acomplish few things: 1. Allow traffic to Wireguard port, so that your server can connec to establish the tunnel 2. Allow new tcp and udp connections to Storj port (note inserting the rule before rule 6, on oracle instances rule 6 is reject) 2. Allow Storj packet forwarding to wireguard interface 3. Turn on masquarading, to facilitate the correct routing of response packets. On the server, restart the wireguard service: ```bash sudo systemctl restart wg-quick@wg0 ``` On the client, restart the wireguard service: ```bash service wireguard restart ``` -
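Review bot: in the @@ -1,61 hunk the table's 51820 row says TCP in the IP Protocol column although its Allows column says "UDP Traffic for port 51820"; WireGuard is UDP only. "That's all that needs to be done in Oracle console. The 5." leaves a stray "The", and the "5." that follows belongs with the numbered list. Typos: "availabe", "ALlows", "Optionaly".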
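Review bot: in the @@ -93,12 hunk the pair `iptables -I FORWARD -i %i -j ACCEPT` / `iptables -I FORWARD -o %i -j ACCEPT` forwards anything in either direction across the tunnel, while only the DNAT'd 28967 flows need to go in and only the node's replies need to come out; scope the inbound rule to `-d 10.0.60.2 --dport 28967` for tcp and udp plus a RELATED,ESTABLISHED rule, and state the outbound rule explicitly so the VPS is not an open egress for whatever reaches wg0.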
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 6 additions and 6 deletions.
@@ -30,7 +30,7 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB ``` 2. Add peer info from below 3. Enable ipv4 forwarding: in `/etc/sysctl.conf` uncomment ```ini # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 ``` @@ -52,14 +52,14 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB 2. On the host under System -> Tunables add `LOADER` variable `if_wg_load` with the value `YES`, to load wireguard kernel module. 4. Initialize the wireguard config file and create keys just like above, noting that in FreeBSD the configuration file location will be `/usr/local/etc/wireguard/wg0.conf` 3. In the jail in the `/etc/rc.conf` add ```ini wireguard_enable="YES" wireguard_interfaces="wg0" ``` Generally, the config files shall look like so: 1. On the server: `/etc/wireguard/wg0.conf` ```ini [Interface] PrivateKey = <private key of a server> @@ -76,7 +76,7 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB ``` 2. On the client: `/usr/local/etc/wireguard/wg0.conf` ```ini [Interface] PrivateKey = <private key of the client> Address = 10.0.60.2 @@ -97,7 +97,7 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB Now the very last thing. In the `[Interface]` section on the server in the `/etc/wireguard/wg0.conf` add the following rules ```ini # Allow forwarding PreUp = iptables -I FORWARD -i %i -j ACCEPT PreUp = iptables -I FORWARD -o %i -j ACCEPT 
@@ -143,7 +143,7 @@ service wireguard restart In the `config.yaml` of the storage node modify the external address to point to your vps: ```yaml # the public address of the node, useful for nodes behind NAT contact.external-address: sub.example.com:28967 ``` -
arrogantrabbit revised this gist
Dec 14, 2022. 1 changed file with 4 additions and 2 deletions.
@@ -99,8 +99,10 @@ Now the very last thing. In the `[Interface]` section on the server in the `/etc ```bash # Allow forwarding PreUp = iptables -I FORWARD -i %i -j ACCEPT PreUp = iptables -I FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT PostDown = iptables -D FORWARD -o %i -j ACCEPT # Turn on masquarading PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE -
arrogantrabbit revised this gist
Dec 13, 2022. 1 changed file with 2 additions and 2 deletions.
@@ -132,11 +132,11 @@ These acomplish few things: Now restart the wireguard server: ```bash sudo systemctl restart wg-quick@wg0 ``` Restart wireguard client: ```bash service wireguard restart ``` In the `config.yaml` of the storage node modify the external address to point to your vps: -
arrogantrabbit revised this gist
Dec 13, 2022. 1 changed file with 4 additions and 1 deletion.
@@ -65,7 +65,10 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB ListenPort = 51820 Address = 10.0.60.1 # Allow WireGuard through the firwall PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT [Peer] PublicKey = <public key of a client> -
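Review bot: this `PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT` duplicates the rule that the Dec 12, 2022 revision already added in the packet-forwarding block under "Allow STORJ and Wireguard ports through the firewall", so wg-quick will insert it twice and delete it twice; keep one copy. "firwall" should be "firewall".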
arrogantrabbit revised this gist
Dec 12, 2022. 1 changed file with 8 additions and 5 deletions.
@@ -61,7 +61,7 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB 1. On the server: `/etc/wireguard/wg0.conf` ``` [Interface] PrivateKey = <private key of a server> ListenPort = 51820 Address = 10.0.60.1 @@ -104,12 +104,14 @@ PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE # Allow STORJ and Wireguard ports through the firewall # Note we are inserting the ACCEPT rule at position 6, before the REJECT rule PreUp = iptables -I INPUT 6 -p tcp -m state --state NEW --dport 28967 -j ACCEPT PreUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT PreUp = iptables -I INPUT 6 -p udp --dport 51820 -j ACCEPT PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT # DNAT it PreUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 @@ -120,9 +122,10 @@ PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-desti These acomplish few things: 1. Allow new tcp and udp connections to Storj port (note inserting the rule before rule 6, on oracle instances rule 6 is reject) as wel as wireguard server itself. 2. Allow Storj packet forwarding to wireguard interface 3. Turn on NAT Now restart the wireguard server: ```bash -
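Review bot: "as wel as wireguard server itself" should be "as well as the WireGuard server itself", and item 3 "Turn on NAT" should say which NAT: the `POSTROUTING -o %i -j MASQUERADE` rule above it source-NATs the forwarded Storj packets to the tunnel address; it does not NAT the node's outbound traffic.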
arrogantrabbit revised this gist
Dec 12, 2022. 1 changed file with 6 additions and 6 deletions.
@@ -96,24 +96,24 @@ Now the very last thing. In the `[Interface]` section on the server in the `/etc ```bash # Allow forwarding PreUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT # Turn on masquarading PreUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE # Allow STORJ port through the firewall # Note we are inserting the ACCEPT rule at position 6, before the REJECT rule PreUp = iptables -I INPUT 6 -p tcp -m state --state NEW --dport 28967 -j ACCEPT PreUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT # DNAT it PreUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PreUp = iptables -t nat -I PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 ``` -
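Review bot: the INPUT ACCEPTs for 28967 are not what admits the forwarded Storj traffic: a packet rewritten by the nat PREROUTING DNAT rule is routed toward 10.0.60.2 and traverses FORWARD, never INPUT, so the `FORWARD -o %i -j ACCEPT` rule is doing the work and the two INPUT rules only matter if something on the VPS itself listens on 28967. Either drop them or say why they are kept. Also `-m state --state NEW` is applied to the TCP rule but not the UDP one; use one form for both. Typo: "masquarading".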
arrogantrabbit revised this gist
Dec 12, 2022. 1 changed file with 2 additions and 3 deletions.
@@ -50,13 +50,12 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB 1. In the jail properties tick the `allow_tun` flag. (e.g. `iocage set allow_tun=1 jailname`) 2. On the host under System -> Tunables add `LOADER` variable `if_wg_load` with the value `YES`, to load wireguard kernel module. 4. Initialize the wireguard config file and create keys just like above, noting that in FreeBSD the configuration file location will be `/usr/local/etc/wireguard/wg0.conf` 3. In the jail in the `/etc/rc.conf` add ```bash wireguard_enable="YES" wireguard_interfaces="wg0" ``` Generally, the config files shall look like so: 1. On the server: `/etc/wireguard/wg0.conf` @@ -89,7 +88,7 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB service wireguard start ``` At this point the client shall be able to ping the server and the server shall be able to ping the clinet at 10.0.60.1 and 10.0.60.2 addresses respectively. ### Packet forwarding. -
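Review bot: "clinet" should be "client", and the heading "### Packet forwarding." should not end with a period; the TrueNAS steps are numbered 1, 2, 4, 3 and should be renumbered in the order they are meant to be carried out.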
arrogantrabbit revised this gist
Dec 12, 2022. 1 changed file with 10 additions and 3 deletions.
@@ -7,8 +7,8 @@ As an example I will use an Oracle Cloud instance. Free tier still provides 10TB 1. Create the oracle compute instance (ideally, Ampere, because they are awesome, but if that is not availabe, any other will do too. 2. Pick any OS you prefer, I've picked ubuntu here, simply beacause most people is familiar with it. 3. Configure public IP address (this is the default), and upload SSH key to access the instance. 4. Then edit the default security list associated with the virtual network adapter and add two rules to allow connection from anywhere `0.0.0.0/0` from any port, to destination port `28967`, one for udp, one for tcp. This is for storj. Also add udp port `51820`, for WireGuard. Does not need to be this specific port, any will do, just adjust the rest accordingly. That's all that needs to be done in Oracle console 5. Optionaly configure the public IP as an A record on your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and in your storj node. ### Installing and configuring wireguard tunnel @@ -134,4 +134,11 @@ Restart wireguard client: service wireguard start ``` In the `config.yaml` of the storage node modify the external address to point to your vps: ``` # the public address of the node, useful for nodes behind NAT contact.external-address: sub.example.com:28967 ``` [Re]start the node, and check the status page. It shall be now happily connected. -
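Review bot: step 4 says the WireGuard port "Does not need to be this specific port, any will do, just adjust the rest accordingly"; spell out which places must agree, since three of them do: the VCN ingress rule, `ListenPort` on the VPS and the client's `Endpoint`. "That's all that needs to be done in Oracle console" is missing its period, and "Optionaly" should be "Optionally".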
arrogantrabbit created this gist
Dec 12, 2022 .
@@ -0,0 +1,137 @@ This is a short description of how to host storj node if you are behind GNAT, or for some other reasons cannot get routable address with DNAT to your node, but have a relatively fast VPS nearby. As an example I will use an Oracle Cloud instance. Free tier still provides 10TB of monthly traffic, and is a pretty good deal otherwise. Just make sure that you create an account in a datacenter closest to you to minimize extra latency. ### Notes on configuring the instance 1. Create the oracle compute instance (ideally, Ampere, because they are awesome, but if that is not availabe, any other will do too. 2. Pick any OS you prefer, I've picked ubuntu here, simply beacause most people is familiar with it. 3. Configure public IP address (this is the default), and upload SSH key to access the instance. 4. Then edit the default security list associated with the virtual network adapter and add two rules to allow connection from anywhere `0.0.0.0/0` from any port, to destination port `28967`, one for udp, one for tcp. This is for storj. Also add udp port 51820, for WireGuard. That's all that needs to be done in Oracle console 5. Configure the public IP as an A record on your DNS provider, to use DNS name and not an ugly IP address in the subsequent configuration and in your storj node. ### Installing and configuring wireguard tunnel 1. ssh to your new instance, update software, and install wireguard: ```bash sudo apt update && sudo apt upgrade sudo reboot sudo apt install wireguard -y ``` 2. Configure wireguard tunnel between your node and VPS. There are tons of tutorials, here are the steps for reference: On the VPS: 1. Initialize the config file ```bash (umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null) wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey ``` 2. Add peer info from below 3. 
Enable ipv4 forwarding: in `/etc/sysctl.conf` uncomment ``` # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 ``` and for the change to take effect: ```bash sudo sysctl -p sudo sysctl --system ``` 3. Enable and start the service ```bash sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 ``` On the client, assuming it's a TrueNAS and storj runs in the jail, we would need few things: 1. In the jail properties tick the `allow_tun` flag. (e.g. `iocage set allow_tun=1 jailname`) 2. On the host under System -> Tunables add `LOADER` variable `if_wg_load` with the value `YES`, to load wireguard kernel module. 4. Initialize the wireguard config file and crate keys just like above, noting that in FreeBSD the configuration file location will be `/usr/local/etc/wireguard/wg0.conf` 3. In the jail in the `/etc/rc.conf` add ```bash wireguard_enable="YES" wireguard_interfaces="wg0" ``` 4. Add server info from the above. Generally, the config files shall look like so: 1. On the server: `/etc/wireguard/wg0.conf` ``` [Interface] PrivateKey = <privaate key of a server> ListenPort = 51820 Address = 10.0.60.1 [Peer] PublicKey = <public key of a client> AllowedIPs = 10.0.60.2 ``` 2. On the client: `/usr/local/etc/wireguard/wg0.conf` ``` [Interface] PrivateKey = <private key of the client> Address = 10.0.60.2 [Peer] PublicKey = <public key of a server> AllowedIPs = 10.0.60.1/32 Endpoint = sub.example.com:51820 PersistentKeepalive = 25 ``` 3. Start the service on the client: ```bash service wireguard start ``` At this point the client shall be able to ping the server and the server shall be able to ping the clinet by 10.0.60.1 and 10.0.60.2 addresses respectively. ### Packet forwarding. Now the very last thing. 
In the `[Interface]` section on the server in the `/etc/wireguard/wg0.conf` add the following rules ```bash # Allow forwarding PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT # Turn on masquarading PostUp = iptables -t nat -I POSTROUTING -o %i -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE # Allow STORJ port through the firewall # Note we are inserting the ACCEPT rule at position 6, before the REJECT rule PostUp = iptables -I INPUT 6 -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostUp = iptables -I INPUT 6 -p udp --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p tcp -m state --state NEW --dport 28967 -j ACCEPT PostDown = iptables -D INPUT -p udp --dport 28967 -j ACCEPT # DNAT it PostUp = iptables -t nat -I PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostUp = iptables -t nat -I PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -p tcp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 PostDown = iptables -t nat -D PREROUTING -p udp --dport 28967 -j DNAT --to-destination 10.0.60.2:28967 ``` These acomplish few things: 1. Allow packet forwarding to wireguard interface 2. Turn on NAT 3. Allow new tcp and udp connections to Storj port (note inserting the rule before rule 6, on oracle instances rule 6 is reject) Now restart the wireguard server: ```bash sudo systemctl start wg-quick@wg0 ``` Restart wireguard client: ```bash service wireguard start ``` And check the status page of the storage node. It shall be happily connected.
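Review bot: the closing "Now restart the wireguard server" step runs `sudo systemctl start wg-quick@wg0`, but the unit was already started earlier in the tutorial and `start` on a running unit is a no-op, so the newly added PostUp rules are never applied; use `sudo systemctl restart wg-quick@wg0` (and `service wireguard restart` on the client for the same reason). Two points on the packet-forwarding block itself: the INPUT rules for port 28967 do not affect the Storj traffic, because packets rewritten by DNAT in PREROUTING traverse the FORWARD chain rather than INPUT, so the FORWARD rules on `%i` are what actually admit them; and `MASQUERADE -o %i` rewrites the source of every forwarded connection to the server's tunnel address, which is what makes the client's `AllowedIPs = 10.0.60.1/32` sufficient but also means the node sees 10.0.60.1 as the peer address for all incoming connections, which deserves a comment next to the rule since it affects what the node's logs can tell you. "masquarading" and "acomplish" are misspelled.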