Tutorial: Voxility IPIP tunneling from your TCPGUARD Network DDoS Filtered VPS IP

What is a Voxility IPIP tunnel?

Much like a proxy, a Voxility IPIP tunnel allows you to pass traffic from your TCPGuard Network VPS including DDoS filtering to another remote destination.

Voxility IPIP tunnels allow all traffic through, not just HTTP. With a Voxility IPIP tunnel you can serve and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.).

What can you use a Voxility IPIP tunnel for?

Voxility IPIP tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (e.g. game servers, Java applications, large database-driven applications, etc.).

Voxility IPIP tunneling is also the only tunneling method that OVH supports in their included kernels.

Don’t have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to redirect traffic to your remote server.

Voxility IPIP Tunnel How-to Tutorial Begins Here

Our how-to tutorial to set up a Voxility IPIP tunnel between your TcpGuard Network DDoS filtered VPS IP and your remote server starts here.

Following the simple instructions below you should be able to create a Voxility IPIP tunnel in under 20 minutes.

SUPPORTED OPERATING SYSTEMS

It is possible to use Windows to create and forward your Voxility IPIP tunnel. If you need to protect a Windows server please consider purchasing a KVM plan.

In this document we’ll only be covering a Linux Voxility IPIP tunnel configuration.

TUNNEL SETUP

First we need to set our tunnel up.

On your TcpGuard Network VPS please execute the following commands:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
iptunnel add ipip1 mode ipip local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255
ip addr add 192.168.168.1/30 dev ipip1
ip link set ipip1 up

On the remote server you wish to protect, run the same iptunnel, ip addr and ip link commands with the local and remote IPs swapped and 192.168.168.2/30 as the tunnel address.

Please note that the iptunnel line on each side changes to mark which IP is used locally and which remotely, and the ip addr line documents each endpoint. In a /30, two IPs are usable: .1 and .2.

TEST YOUR NEW VOXILITY IPIP TUNNEL WITH PING

On your TcpGuard Network VPS, you should now be able to ping 192.168.168.2.

For the sake of completeness, test pinging 192.168.168.1 from your destination server.

SETUP SOURCE ROUTE TABLES

Source route entries are required to make sure data that came in via the Voxility IPIP tunnel is sent back out the Voxility IPIP tunnel.

Please execute the following commands on the destination server.

echo '100 TCPG' >> /etc/iproute2/rt_tables
ip rule add from 192.168.168.0/30 table TCPG
ip route add default via 192.168.168.1 table TCPG

Please note that the echo command only needs to be run once. The entry will be saved into /etc/iproute2/rt_tables until you remove it manually.

INITIAL NAT ENTRIES TO MOVE DATA OVER VOXILITY IPIP TUNNEL

NAT is used to pass data over our Voxility IPIP tunnel and out the other end.

While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn’t cover that.

On your TcpGuard Network VPS run the following command:

iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP

TEST OUTBOUND CONNECTIONS

On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly:

curl http://www.cpanel.net/showip.cgi --interface 192.168.168.2
wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O -

 

The IP dumped should be your TcpGuard Network filtered IP.

FORWARDING PORTS OVER YOUR VOXILITY IPIP TUNNEL

To make things easy, we’ll forward all ports from our filtered IP to the backend server. You can change this rule to only forward certain ports if you like.

Please adjust, and run the following commands on your TcpGuard Network VPS:

iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

 

The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT’d and matched back properly.

At this point you should be able to connect to YOUR_FILTERED_IP and the destination port with your application and get passed through the Voxility IPIP tunnel without issue.

RESTARTING YOUR VOXILITY IPIP TUNNEL AFTER REBOOTING

You can edit /etc/rc.local with your editor of choice (or WINSCP even) and place all the commands we just ran before the exit 0 at the bottom.

Your distribution of choice (like Debian) may have hooks in /etc/network/interfaces to bring your Voxility IPIP tunnels up at boot time but that’s outside the scope of this guide.
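
The whole procedure above as one dry-run script, added here as an example (not TcpGuard's own code): it prints the commands for either end and forwards only the listed proto/port pairs instead of every port. tunnel_plan and its arguments are hypothetical names, the destination-side tunnel commands assume the mirror of the VPS side (local/remote swapped, address .2), and the sample addresses are constructed documentation IPs.

```shell
#!/bin/sh
# Added example: prints (never executes) the commands for one tunnel end.
# Assumption: the destination end mirrors the VPS end (local/remote swapped,
# tunnel address .2). Interface name and addresses follow the tutorial.
TUN=ipip1 NET=192.168.168.0/30 VPS_TUN=192.168.168.1 DST_TUN=192.168.168.2

valid_ip() {  # dotted-quad IPv4, every octet 0-255
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}
valid_fwd() {  # proto/port pair such as tcp/25565
  echo "$1" | grep -Eq '^(tcp|udp)/[0-9]{1,5}$' || return 1
  [ "${1#*/}" -ge 1 ] && [ "${1#*/}" -le 65535 ]
}
# tunnel_plan ROLE FILTERED_IP DESTINATION_IP [proto/port ...]
tunnel_plan() {
  [ $# -ge 3 ] || { echo "usage: tunnel_plan vps|dest FILTERED DEST [proto/port ...]" >&2; return 2; }
  role=$1 fip=$2 dip=$3; shift 3
  valid_ip "$fip" && valid_ip "$dip" || { echo "invalid IPv4 address" >&2; return 2; }
  for f in "$@"; do valid_fwd "$f" || { echo "invalid forward: $f" >&2; return 2; }; done
  case $role in
  vps)
    echo "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf"
    echo "sysctl -p"
    echo "iptunnel add $TUN mode ipip local $fip remote $dip ttl 255"
    echo "ip addr add $VPS_TUN/30 dev $TUN"
    echo "ip link set $TUN up"
    echo "iptables -t nat -A POSTROUTING -s $NET -j SNAT --to-source $fip"
    for f in "$@"; do  # one DNAT rule per allowed service
      echo "iptables -t nat -A PREROUTING -d $fip -p ${f%/*} --dport ${f#*/} -j DNAT --to-destination $DST_TUN"
    done
    # no list given: fall back to the tutorial's forward-everything rule
    [ $# -gt 0 ] || echo "iptables -t nat -A PREROUTING -d $fip -j DNAT --to-destination $DST_TUN"
    echo "iptables -A FORWARD -d $DST_TUN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" ;;
  dest)
    echo "iptunnel add $TUN mode ipip local $dip remote $fip ttl 255"
    echo "ip addr add $DST_TUN/30 dev $TUN"
    echo "ip link set $TUN up"
    # append the table name only once, however often the plan is rerun
    echo "grep -qw TCPG /etc/iproute2/rt_tables || echo '100 TCPG' >> /etc/iproute2/rt_tables"
    echo "ip rule add from $NET table TCPG"
    echo "ip route add default via $VPS_TUN table TCPG" ;;
  *) echo "role must be vps or dest" >&2; return 2 ;;
  esac
}

# Constructed sample values (RFC 5737 documentation addresses)
tunnel_plan vps 203.0.113.10 198.51.100.20 tcp/25565 udp/25565
tunnel_plan dest 203.0.113.10 198.51.100.20
```

Review the printed commands, then paste them on the matching server or place them in /etc/rc.local before the exit 0 line.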
