VPS VM and VPN

Port forwarding using VPN

I am using Ionos because someone recommended it to me for running a VM (Virtual Machine) on a VPS (Virtual Private Server). While it looks simple, there are many steps that must be followed very carefully. First, we need to choose the subscription. If you need it for port forwarding for Helium mining, then $2 US monthly is sufficient.

Open your account on the next page and choose “VPS S”: 512 MB of RAM, 1 CPU, 10 GB of disk space (take care to choose the data center closest to you):

https://www.ionos.com/servers/vps#packages

Choose Ubuntu 20.04 or whatever newest version is shown. You may upgrade to VPS S+ with more RAM and disk space at any time if needed.

Please choose a data center near you. I managed to choose the wrong one (USA, which is far away) and everything is a bit slower. For example, I am in Croatia, so I should have chosen Germany.

Since I do not want to host any data-‘hungry’ Virtual Machine, I did not choose any backup. It is up to you; I need it for port forwarding only. After “Continue”, proceed to the payment section. I chose PayPal because of the extra layer of protection.

Then go to https://my.ionos.com/ and click on “Servers and Cloud”.

If I remember correctly, having just one VM (Virtual Machine) brings you directly to the server settings, but I have two VMs, so it asks me to choose which one:

The new one is on the left (VPS S). The old one has just been upgraded (VPS S+) for another reason.

Before continuing with the rest, we need to set the Ionos VM firewall. I always forget that part and then wonder why my VPN does not work. 😀

On the left menu, select Network, then Firewall Policies, then click on Linux (all three marked red).

We need to add a few more rules:

ICMP is for the ping test. Port 51820 is for the VPN tunnel, and port 44158 is for Helium miners. When you connect your WireGuard client, negotiation and traffic go over port 51820 on the Ionos VM and their routers. When your miner needs port 44158, this VM firewall permits the inbound traffic on their routers, and the VM then sends it over the VPN tunnel to your Mango router, where your miner is connected. So, instead of a port forward on your own router connected to your ISP, the port is forwarded on your Ionos VM and their routers at their end, and our Mango router provides port forwarding at our end to its LAN port (and WiFi if enabled).

Now, choose “Servers”, click on your new VPS and scroll down.

Please note that I redacted my IP for security reasons. On this page we need two things: that IP and the password. Copy and paste the IP into Notepad or other software; for SSH we then need to form this command line at the command prompt (in Windows it is CMD):

ssh root@111.222.333.444

Replace those four numbers with your IP. It will ask you for the password. Copy the password from your note in Notepad, and since you can’t paste it in CMD with Ctrl+V, simply right-click and it will be there, but invisible. Just press Enter after that.

Then you will get this:

 

First we need to do a few quick steps:

apt update

apt upgrade

apt install iptables

The first two commands update and upgrade the server with security updates. The third one we need for our port forwarding.

The next thing is to check our interface name. Some servers have ‘eth0’, others ‘ens192’ as the first interface. Type the command:

ifconfig

It may complain that the package is not installed; just install it (re-type the offered command or copy and paste it, then press Enter).

apt install net-tools

Then repeat ifconfig to get this:

Marked red is ‘ens192’. So now we know which interface to use for our port forwarding.

Now we are ready to install WireGuard on the Virtual Machine:

wget https://git.io/wireguard -O wireguard-install.sh && bash wireguard-install.sh

It will ask you for the ‘listening port’; type 51820 and press Enter. Next is the name of the ‘VPN tunnel’; you may choose a simple name with no spaces. In my case I chose Vera, which creates Vera.conf in your root directory. Type the command

ls

That will show the content of the directory: two files, of which the first is the important one. Open this configuration file with the text editor ‘nano’:

nano Name.conf

Instead of “Name”, use the name that you chose.

On a Windows computer you may use Ctrl+C to copy the content, but first select it by left-clicking and dragging the mouse over the whole text. So first select, then Ctrl+C:

Paste the content we just copied into Notepad and save it as Name.conf (replace Name with your chosen one). Please select “All files” as the file type, else it will be saved as Name.conf.txt. If you missed that point, open File Explorer and rename the file to the proper Name.conf. We need this file when setting up the WireGuard client. It can be found HERE.

After installing the WireGuard client, we need to add our first ‘VPN tunnel’.

Now you may see why a simple name is preferred. If everything is okay after setting it up, you may test your first VPN by clicking on ‘Activate’. To see your new IP address (port forwarding is not yet done), go to https://www.whatismyip.com/ and observe the new IP address of your VPN.

Part 1 is done. For port forwarding, we need to do more things. Note that only one VPN tunnel is possible to your computer. After setting up your Mango router, you can activate the VPN tunnel from there, but not on both your Windows (or whatever) machine and the router at once.

Go back to your CMD console, provided that you are still connected by ssh to the VM. Type:

cd /etc

ls

to see the list

nano sysctl.conf

to open that configuration file. Using the arrow keys on your keyboard, go to the bottom, then copy and paste the next row:

net.ipv4.ip_forward=1

This enables IP forwarding on the VM, which the port forwarding needs. Press Ctrl+O to save and, when prompted, press Enter. Exit with Ctrl+X.

sysctl -p

to load it (the line saved in sysctl.conf is what makes it permanent). It will show you that net.ipv4… message. Just one more step remains: setting the port forwarding rules. Go to:

cd wireguard

ls

nano wg0.conf

It will show our WireGuard server settings. Move the cursor with the arrow keys between “Listen port…” and “# BEGIN_PEER..” and make room there by pressing Enter. If you remember, on Ionos we are using the ‘ens192’ interface, so the following script should be copied and pasted (use “Copy to clipboard” in the upper right corner on this page, or copy from your Notepad, then right-click at the cursor in the nano text editor):

PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
PostUp = iptables -A FORWARD -i ens192 -o wg0 -p tcp --syn --dport 44158 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i ens192 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 44158 -j DNAT --to-destination 10.7.0.2

PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens192 -o wg0 -p tcp --syn --dport 44158 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i ens192 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ens192 -p tcp --dport 44158 -j DNAT --to-destination 10.7.0.2

After inserting those rows, it should look like this:

Pay attention to the destination IP address and change it if needed. In our case, the gateway is on 10.7.0.1 and we need the next logical number, that is 10.7.0.2.
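
As an added example (not part of the original post or of the installer script), this shell script audits wg0.conf for three mistakes this step invites: a PostUp rule with no matching PostDown, a rule naming an interface other than wg0 or the one ifconfig showed, and a DNAT destination that no peer owns. The sample config, its placeholder keys and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit the forwarding hooks in wg0.conf.
# sample_conf prints a CONSTRUCTED config that reuses two of the rule lines shown above.
sample_conf() { cat <<'EOF'
[Interface]
Address = 10.7.0.1/24
PrivateKey = CONSTRUCTED_PLACEHOLDER
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 44158 -j DNAT --to-destination 10.7.0.2
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens192 -p tcp --dport 44158 -j DNAT --to-destination 10.7.0.2
# BEGIN_PEER Vera
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER
AllowedIPs = 10.7.0.2/32
# END_PEER Vera
EOF
}
# hook_rules PostUp|PostDown FILE: one iptables command per line (splits on ';').
hook_rules() {
  sed -n "s/^${1}[[:space:]]*=[[:space:]]*//p" "$2" | tr ';' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}
# audit_conf FILE PUBLIC_IFACE: prints one finding per problem, nothing if clean.
audit_conf() {
  conf=$1; wan=$2; down=$(hook_rules PostDown "$conf")
  hook_rules PostUp "$conf" | while IFS= read -r rule; do
    # 1. Every rule added on PostUp needs the identical rule deleted on PostDown.
    undo=$(printf '%s\n' "$rule" | sed 's/ -A / -D /')
    printf '%s\n' "$down" | grep -qxF -e "$undo" || echo "NO-POSTDOWN: $rule"
    # 2. -i/-o must name wg0 or the interface that ifconfig actually showed.
    for ifc in $(printf '%s\n' "$rule" |
        awk '{for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1)}'); do
      [ "$ifc" = wg0 ] || [ "$ifc" = "$wan" ] || echo "WRONG-IFACE $ifc: $rule"
    done
    # 3. The DNAT target must be an address assigned to a peer (AllowedIPs).
    case $rule in *"--to-destination "*)
      dest=${rule##*--to-destination }; dest=${dest%% *}
      grep '^AllowedIPs' "$conf" | grep -qwF -e "$dest/32" ||
        echo "UNKNOWN-PEER $dest: $rule" ;;
    esac
  done
}
# Demo on the constructed config: clean for ens192, two findings for eth0.
tmp=$(mktemp); sample_conf > "$tmp"
audit_conf "$tmp" ens192; audit_conf "$tmp" eth0
rm -f "$tmp"
```

On the VM, run it as audit_conf /etc/wireguard/wg0.conf ens192 before rebooting; no output means all three checks passed.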

REMEMBER! Every time you change something in wg0.conf, you need to reboot your VM.

reboot

This will close your ssh connection. Re-establish the connection after a minute or two; that is a very short time. It may be refused if you try too early.

Now, check whether the whole thing does port forwarding:

systemctl status wg-quick@wg0.service

To exit, press ‘Q’. You may also check the status with:

wg

to see the status before the VPN tunnel is established on our Mango router.

Now, unpack your Mango router (GL.iNet) and connect its WAN port to your current router/WiFi modem and its LAN port to your Helium miner; we will connect to the Mango router over its own WiFi. On your laptop or PC (with a WiFi dongle) select the name of the WiFi (something like “GL MT300N-V2-c”) and type the default password “goodlife”. It will prompt you to change this password and repeat it. Write this password down somewhere; you will need it later.

To access this router and change settings, open your favorite browser and type the local IP of the router: 192.168.8.1. Be sure that you are on the same network (for example, on this router’s WiFi connection). It is good practice to go to ‘WIRELESS’ and change the password there too.

Now we should go to ‘CLIENTS’ and copy the MAC addresses of our Helium miner and/or laptop/PC. We need them to set VPN policies and to bind the IP address of our Helium miner, so that it gets the same IP every time no matter how we connect it (over an additional switch, directly…).

Now you should decide whether you want only the Helium miner on the VPN, or both the miner and your PC/laptop. If just the Helium miner, then you need to add only that MAC address to the VPN policies. If only the Helium miner is on the VPN, you may continue to use your ‘true’ IP from your ISP (Internet Service Provider). I chose both instead, for testing purposes. So, the VPN policies should look like this:

So, you should ‘Enable VPN policy’ and disable the next two: ‘Use VPN for guest network’ and ‘Use VPN for processes on the router’. Under ‘Please choose policy’ select ‘MAC address’, and under ‘Please choose rules’ select ‘Only allow the following use VPN’. Now, find the MAC address of your Helium miner, paste it into the field and press ‘add’. If you want your PC/laptop on the VPN, add that too.

The firewall will be set last, because we need the WireGuard client tunnel to be established; otherwise we will be unable to set it properly.

Since we already have the script for the WireGuard tunnel, we just need to copy and paste all three keys from the WireGuard script to our Mango router. First select ‘Wireguard Client’ under ‘VPN’, then add new…

There is ‘+ Setup Wireguard manually’; click on that and select the third tab from the left, labelled ‘Manual input’.

We need to fill in all the fields, which is now easy since we already have our WireGuard client installed. Run that client and click on ‘Edit’ to get this:

Select with the mouse, then use Ctrl+C and Ctrl+V to fill in every field on the Mango router. Since all the names are the same, there is almost no room for confusion about what goes where. Only the MTU needs to be set manually, to 1420. When we are done, click on ‘Apply’.

And now we can run our VPN and set the firewall rules. If everything is okay, then we should see something like this:

Go to ‘Firewall’ and type the name of the port forward. I am choosing the simple name “Helium”. Then choose ‘TCP/UDP’, then select ‘wireguard’ (if the tunnel is not established, this option will not be shown there). Then type port 44158, then choose ‘lan’, then your internal IP (that is, the IP of the Helium miner), then port 44158 again, and leave it enabled. Click on ‘add’.

If everything is okay, then we should go to https://portchecker.co/

to check whether our port 44158 is open. Pay attention to the IP: if you are connected outside the VPN tunnel, it will autofill with a different address. No problem; from our Notepad copy and paste the proper IP (the one we got for our VM on the VPS). Then you should see a green ‘OPEN’.

If you want, you may go back to our ssh console and type

wg

to check whether it is properly connected. You may see the ‘endpoint’ IP from which the tunnel is connected. That is all.

CONGRATULATIONS!

& Happy Mining!