Transparent Bonding Proxy: Difference between revisions
(brain dump) |
No edit summary |
||
| (10 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
[[Category:General]] | |||
== Transparent Bonding Proxy == | |||
Transparent Bonding Proxy (TBP) as a '''work in progress''' extension that allows Bonding Proxy to establlish connections using the client's original IP. Without TBP, connections utilizing Bonding Proxy will always use the server's default IP address, even if subnets are properly routed to a client. | Transparent Bonding Proxy (TBP) as a '''work in progress''' extension that allows Bonding Proxy to establlish connections using the client's original IP. Without TBP, connections utilizing Bonding Proxy will always use the server's default IP address, even if subnets are properly routed to a client. | ||
| Line 4: | Line 6: | ||
=== Prerequisites === | === Prerequisites === | ||
TBP only works with server routes and masquerading disabled on the client. | TBP only works with server routes and masquerading disabled on the client. | ||
[[File:Tbp-prerequisites-1.png|thumb|Where to find the masquerading option in a Teltonika router]] | |||
[[File:Tbp-prerequisites-2.png|thumb|Masquerading turned off]] | |||
SANE server uses IP_TRANSPARENT to bind to non-local IP addresses, which required CAP_ADMIN capabilities. For proper operation, we must identify traffic that matches our Bonding Proxy connections: | |||
# iptables -t mangle -N DIVERT | # iptables -t mangle -N DIVERT | ||
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT | # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT | ||
| Line 16: | Line 20: | ||
0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks. | 0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks. | ||
Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP. If | Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP. | ||
If "Outgoing NAT IP" is configured in the tunnel's environment settings, this IP will be used for masquerading instead. Please make sure it is empty if you want to use TBP. | |||
[[File:Tbp-outgoing-nat-ip.png|thumb|The server's Outgoing NAT IP field needs to be empty for TBP to work]] | |||
[[File:Tbp-server-routes.png|thumb|These are the server routers, here you enter your public IPs]] | |||
{{Colored_box|Text=Please note that the smallest public IP network you can route is a /31 (2 usable IP addresses)!}} | |||
=== Known issues === | === Known issues === | ||
* When a daemon is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. | * When a daemon on the server is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. saneserver's current default configuration is doing exactly that. | ||
Latest revision as of 12:00, 23 June 2023
Transparent Bonding Proxy
Transparent Bonding Proxy (TBP) as a work in progress extension that allows Bonding Proxy to establlish connections using the client's original IP. Without TBP, connections utilizing Bonding Proxy will always use the server's default IP address, even if subnets are properly routed to a client.
Transparent Bonding Proxy is currently under development and has been added in snapshot versions starting 20230426.
Prerequisites
TBP only works with server routes and masquerading disabled on the client.
SANE server uses IP_TRANSPARENT to bind to non-local IP addresses, which required CAP_ADMIN capabilities. For proper operation, we must identify traffic that matches our Bonding Proxy connections:
# iptables -t mangle -N DIVERT # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT # iptables -t mangle -A DIVERT -j MARK --set-mark 1 # iptables -t mangle -A DIVERT -j ACCEPT
Then, create a routing table that defines your routed subnet(s) as local
# ip rule add fwmark 1 lookup 100 # ip route add local 0.0.0.0/0 dev lo table 100
0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks.
Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP.
If "Outgoing NAT IP" is configured in the tunnel's environment settings, this IP will be used for masquerading instead. Please make sure it is empty if you want to use TBP.
| ⚠️ | Please note that the smallest public IP network you can route is a /31 (2 usable IP addresses)! |
|---|
Known issues
- When a daemon on the server is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. saneserver's current default configuration is doing exactly that.
