{"id":88,"date":"2015-10-16T15:56:45","date_gmt":"2015-10-16T14:56:45","guid":{"rendered":"http:\/\/mscholten.eu\/?p=88"},"modified":"2015-10-17T20:12:22","modified_gmt":"2015-10-17T19:12:22","slug":"how-to-use-a-routed-network-for-a-vps","status":"publish","type":"post","link":"https:\/\/mscholten.eu\/?p=88","title":{"rendered":"How to use a routed network for a VPS"},"content":{"rendered":"<p>This article describes how to configure a VPS host and its VPS guests to use a routed network without wasting IP addresses. A section on using BGP to announce your IP addresses to your upstream routers is also included. A configuration like this is also used for the server hosting this site (in the <a href=\"http:\/\/www.coloclue.net\/\" target=\"_blank\">Coloclue network<\/a>). Installing a VPS host is not covered; only the network part is.<\/p>\n<p>Note 1: All examples are based on Debian, but should also work on other Linux distributions.<br \/>\nNote 2: The examples are based on IPv4, but should also apply to IPv6 with small changes.<\/p>\n<hr \/>\n<p><strong>Configuring the VPS host<\/strong><\/p>\n<p>Install the vlan package if you want to use VLANs:<\/p>\n<pre>apt-get install vlan<\/pre>\n<p>Now create a new bridge interface in \/etc\/network\/interfaces; all virtual machines connect to this interface. 
The IP address configured here is the gateway for your virtual machines.<\/p>\n<pre>auto vlanbr\r\n\r\niface vlanbr inet static\r\n\r\naddress 10.0.0.1\r\nnetmask 255.255.255.0\r\nbridge_ports none\r\nbridge_stp off\r\nbridge_fd 0\r\nbridge_maxwait 0<\/pre>\n<p>Prepare your VPS host for forwarding and for NAT on outgoing connections:<\/p>\n<pre># Enable forwarding persistently and immediately\r\necho \"net.ipv4.ip_forward=1\" &gt;&gt; \/etc\/sysctl.conf\r\n\r\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward\r\n\r\n# Broadcasts (e.g. DHCP) and traffic from the guests arriving on the bridge\r\niptables -A INPUT -d 255.255.255.255\/32 -i vlanbr -j ACCEPT\r\niptables -A INPUT -s 10.0.0.0\/24 -i vlanbr -j ACCEPT\r\n# Note: this accepts packets with an internal source address on the external interface; such addresses are easily spoofed, so only keep it if other hosts on eth0 legitimately use this range\r\niptables -A INPUT -s 10.0.0.0\/24 -i eth0 -j ACCEPT\r\n# Guests may open connections to the outside; only replies to those come back in\r\niptables -A FORWARD -s 10.0.0.0\/24 -i vlanbr -o eth0 -j ACCEPT\r\niptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\r\n# Log anything addressed to the internal range that is about to leave via eth0 (misrouted traffic)\r\niptables -A FORWARD -d 10.0.0.0\/24 -o eth0 -j LOG\r\niptables -A OUTPUT -o lo -j ACCEPT\r\niptables -A OUTPUT -d 255.255.255.255\/32 -o vlanbr -j ACCEPT\r\niptables -A OUTPUT -d 10.0.0.0\/24 -o vlanbr -j ACCEPT\r\niptables -A OUTPUT -d 255.255.255.255\/32 -o eth0 -j ACCEPT\r\n\r\n# Guests without a public IP of their own leave via the host's address\r\niptables -t nat -A POSTROUTING -s 10.0.0.0\/24 -o eth0 -j MASQUERADE<\/pre>\n<p>For each public IP that should be routed to a VPS, add a host route like:<\/p>\n<pre>\/sbin\/route add -net 172.16.10.10 netmask 255.255.255.255 gw 10.0.0.10<\/pre>\n<p>In this example 172.16.10.10 should be replaced with the public IP you want to route to your VPS, and 10.0.0.10 is the internal IP of that VPS.<\/p>\n<p>For each VPS, also add a line like this if outgoing connections from that VPS should use its public IP:<\/p>\n<pre>iptables -t nat -I POSTROUTING -s 10.0.0.10\/32 -o eth0 -j SNAT --to-source 172.16.10.10<\/pre>\n<p>In this example the IP addresses have the same meaning as in the previous example, and eth0 is the interface used for all outgoing connections. Note the -I: the SNAT rule is inserted at the top of the chain so that it matches before the general MASQUERADE rule above.<\/p>\n<p>This is everything that is needed on the VPS host to route IP addresses to your VPS guests. 
Next we will set up BGP on the VPS host, and after that we will configure the important parts on the VPS guests.<\/p>\n<p><strong>BGP on the VPS host<\/strong><\/p>\n<p>Install the required packages (bird6 is the IPv6 daemon; beyond installing it, IPv6 is not covered):<\/p>\n<pre>apt-get install bird bird6<\/pre>\n<p>Configure bird. You can base your configuration on the example below; comment lines start with # and explain the line just above them.<\/p>\n<pre>log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };\r\nrouter id 172.16.25.25;\r\n# Replace 172.16.25.25 with the public IPv4 address of the VPS host. If only a private IP is available, check that it is unique in your environment.\r\n\r\nfunction is_owned_by_me()\r\nprefix set owned_by_me_space;\r\n{\r\nowned_by_me_space = [ 172.16.10.10\/30{30,32}, 172.16.20.20\/31{31,32} ];\r\n# Replace 172.16.10.10\/30 and 172.16.20.20\/31 with the prefixes that should be routed to you (each prefix must be aligned to its length). Within { and } give the shortest and longest prefix lengths that may be announced. The first example allows a \/30, \/31 and \/32 to be announced from this range; the second allows only a \/31 and \/32.\r\nif net ~ owned_by_me_space then return true;\r\nreturn false;\r\n}\r\n\r\nfilter ebgp_import {\r\nif ( is_owned_by_me () ) then accept;\r\nreject;\r\n}\r\n# Despite its name this filter is used for export: only your own prefixes are ever announced to the uplinks, everything else is rejected.\r\n\r\ntemplate bgp ebgp {\r\nlocal as 65151;\r\n# Define a local AS. If you don't have an AS number from a RIR, use one that is unique in your network; if needed ask your network supplier\/network admin what to use.\r\nimport all;\r\n# Everything the uplinks send is accepted and, via the kernel protocol below, installed in the kernel routing table. If you only expect a default route from them, filter here.\r\nexport filter ebgp_import;\r\nsource address 172.16.25.25;\r\n# Replace 172.16.25.25 with the public IPv4 address of the VPS host. If only a private IP is available, check that it is unique in your environment. 
This should be the address used for communication between the host and the routers.\r\nnext hop self;\r\n}\r\n\r\nprotocol bgp dcg1 from ebgp {\r\nneighbor 172.16.25.254 as 8283;\r\n# Replace 172.16.25.254 with the IP of the first router that is your uplink, and 8283 with its AS number\r\n}\r\nprotocol bgp dcg2 from ebgp {\r\nneighbor 172.16.25.253 as 8283;\r\n# Replace 172.16.25.253 with the IP of the second router that is your uplink, and 8283 with its AS number\r\n}\r\n\r\nprotocol kernel {\r\nlearn; # Learn alien routes from the kernel; this also picks up the per-IP host routes added with \/sbin\/route above, which is what gets them announced\r\npersist; # Don't remove routes on bird shutdown\r\nscan time 20; # Scan kernel routing table every 20 seconds\r\nimport all; # Default is import all\r\nexport all; # Default is export none, changed to all\r\n}\r\n# This pseudo-protocol watches all interface up\/down events.\r\nprotocol device {\r\nscan time 10; # Scan interfaces every 10 seconds\r\n}\r\nprotocol direct {\r\ninterface \"eth0\";\r\n}<\/pre>\n<p>After this, restart bird (\/etc\/init.d\/bird restart). With birdc you can check that both sessions are established (show protocols) and that only your own prefixes are exported to them (show route export dcg1).<\/p>\n<p>The host is now configured. Now go to the VPS guests.<\/p>\n<p><strong>The VPS guests' network configuration<\/strong><\/p>\n<p>During installation configure everything to use the internal IP (10.0.0.10 in the example). Afterwards add the following to \/etc\/network\/interfaces and bring up the new interface.<\/p>\n<pre>auto lo:0\r\niface lo:0 inet static\r\naddress 172.16.10.10\r\nnetmask 255.255.255.255<\/pre>\n<p>Add one such interface for every public\/external IP routed to the guest.<\/p>\n<p>Now run the following commands and it should work:<\/p>\n<pre>echo \"net.ipv4.ip_forward=1\" &gt;&gt; \/etc\/sysctl.conf\r\n\r\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<p>Now everything should be configured.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is about how to configure a VPS host and VPS guests to use a routed network without spoiling IP addresses. 
Also a section is included to use BGP to announce the IP you have to the routers you &hellip; <a href=\"https:\/\/mscholten.eu\/?p=88\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mscholten.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88"}],"version-history":[{"count":10,"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":98,"href":"https:\/\/mscholten.eu\/index.php?rest_route=\/wp\/v2\/posts\/88\/revisions\/98"}],"wp:attachment":[{"href":"https:\/\/mscholten.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mscholten.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mscholten.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}