So, I’m experimenting with running a Mailu instance on my home server but proxying all of the relevant traffic through a WireGuard tunnel to my VPS. I’m currently using NGINX Proxy Manager streams to redirect the traffic and it all seems to be working.

The only problem is that, all connections appear to come from the VPS. It’s really screwing with the spam filter. I’m trying to figure out if there’s a way to retain the source IP while still tunneling the traffic.

The only idea I have, and I don’t know if it’s a bad one, is to use iptables to NAT the ports inbound on the VPS and on my home router (opnsense) route all outbound traffic from that IP back through the VPS instead of the default gateway. This way I shouldn’t need to rewrite the destination port on the VPS side.

It sounds a bit hacky though, and I’m open to better suggestions.

Thanks

Edit: I think I need to clarify my post as there’s some confusion in the comments. I would like the VPS to masquerade/NAT for my mailu system accessible over a WG tunnel so that inbound traffic to the SMTP reports its actual public IP instead of the IP of the VPS host that’s currently proxying.

After giving that some thought I think the only way this could work would be if I treated the VPS as the upstream gateway for all traffic. My current setup is below:

[VPS] <-- wg --> [opnsense] <-- eth --> [mailu]

I can source route all traffic from mailu to the VPS, via wg, but I don’t know how to properly configure iptables to do the masquerading as I’d only want to masquerade that one IP. I’m not concerned about mailu not having internet access when wg is down, and frankly, I think I’d prefer it didn’t.

Edit 2: I got the basic masquerading working. Can ping public IPs and traceroute verifies it’s taking the correct path.

iptables -A FORWARD -i wg0 -s <mailu-ip> -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s <mailu-ip> -j MASQUERADE

I think I got the port forwarding working.

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination <mailu-ip>
iptables -A FORWARD -p tcp -d <mailu-ip> --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  • tcpdump on the VPS eth0 shows traffic in.
  • tcpdump on the VPS wg0 shows the natted traffic.
  • tcpdump on mailu shows both inbound and outbound traffic.
  • tcpdump on opnsense shows 2 way traffic on the vlan interface mailu is on.
  • tcpdump on opnsense only shows inbound, but not outbound traffic on the wg interface.

I think the problem is now in opnsense but I’m trying to suss out why. If I initiate traffic on mailu (i.e. a ping or a web request) I see it traversing the opnsense wg interface, but I do not see any of the return SMTP traffic.

Edit 3:

I found the missing packets. They’re going out the WAN interface on the router, and I do not know why. Traffic I initiate from the mailu box gets routed through the WG tunnel as expected, but replies to traffic sourced from the internet and routed over the WG tunnel are going out the WAN.

The opnsense rule is pretty basic. Source: <mailu>, Dest: any, gateway: wg.

Edit 4:

I ran out of patience trying to figure out what was going on in opnsense and configured a direct tunnel between the mailu vm and the VPS. That immediately solved my problems although it’s not the solution I was striving for.

It was pointed out to me in the comments that my source routing rule likely wasn’t configured properly. I’ll need to revisit that later. If I was misconfiguring it I’d like to know that.
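Added example (not from the post or the Mailu project): the VPS-side DNAT/MASQUERADE rules from Edit 2 written out as a complete, reviewable rule set, plus the source-based policy routing on the Linux end of the tunnel (the mailu VM with a direct tunnel, as in Edit 4) that sends replies to DNATed connections back through the VPS rather than the local WAN, which is the symptom in Edit 3. Interface names, the tunnel address and the port list are placeholders; run with DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Assumptions (placeholders, adjust to your setup): mailu is reachable over the
# tunnel at MAILU_IP, the VPS public interface is WAN_IF, the WireGuard interface
# is WG_IF on both hosts, and the VPS peer's AllowedIPs includes MAILU_IP while
# mailu's peer entry for the VPS uses AllowedIPs = 0.0.0.0/0.
set -eu

MAILU_IP="${MAILU_IP:-10.8.0.2}"
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
PORTS="${PORTS:-25 465 587 993}"   # SMTP, SMTPS, submission, IMAPS; trim to what Mailu exposes

# run() executes a command, or only prints it when DRY_RUN=1, so the rule set can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# VPS side: forward inbound mail ports to mailu over the tunnel, masquerade only mailu's outbound traffic.
vps_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Reply and related packets for tracked connections pass in both directions;
    # without this the DNATed SYN is accepted but the rest of the flow is not.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" -j DNAT --to-destination "$MAILU_IP"
        run iptables -A FORWARD -i "$WAN_IF" -o "$WG_IF" -p tcp -d "$MAILU_IP" --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Only mailu may originate traffic through the VPS, and only its address is masqueraded.
    run iptables -A FORWARD -i "$WG_IF" -o "$WAN_IF" -s "$MAILU_IP" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$MAILU_IP" -j MASQUERADE
}

# mailu side (Linux): everything sourced from the tunnel address is routed via the
# tunnel, so replies to connections that arrived through the VPS go back the same way
# instead of following the default route out the local WAN.
mailu_policy_routing() {
    run ip route add default dev "$WG_IF" table 100
    run ip rule add from "$MAILU_IP" lookup 100 priority 100
}

case "${1:-}" in
    vps)   vps_rules ;;
    mailu) mailu_policy_routing ;;
esac
```

Usage: `DRY_RUN=1 sh nat.sh vps` on the VPS and `DRY_RUN=1 sh nat.sh mailu` on the mailu VM print the rules; drop DRY_RUN to apply them as root. Once replies return through the tunnel, the SMTP server sees the real client address and the spam filter can score it.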

  • Atemu@lemmy.ml · 11 months ago

    No. That’s quite literally the point of a proxy. If you don’t want to be proxied, don’t use a proxy.

    I know this is the selfhosted community but if you’re new to this, you really shouldn’t be hosting email as it’s one of the hardest services to get “right”.
    (Ideally no other public service either, they’re a huge liability. Start hosting stuff for local network use.)

    • mholiv@lemmy.world · 11 months ago

      No need to be toxic here. You don’t need to put people down. We’re all learning here together. Hey, we are all learning more about how reverse proxies and forwarded headers work together right now, including you.

      We should aim to be an open welcoming community.

        • mholiv@lemmy.world · 11 months ago

          I understand. But do you see how what you wrote could be seen as toxic? Intent is nice, but what and how you write really determines the tone of a community.

    • 𝓢𝓮𝓮𝓙𝓪𝔂𝓔𝓶𝓶@lemmy.procrastinati.org (OP) · 11 months ago

      I know this is the selfhosted community but if you’re new to this, you really shouldn’t be hosting email as it’s one of the hardest services to get “right”.

      I’ve been self-hosting since I was on dial up but thanks for the assumption. I’m quite familiar with the nuances of hosting mail successfully and all my boxes are ticked. The monkey wrench was just that I didn’t account for the source addressing and it screwing up my spam filter as I’ve never tried this specific scenario before.

      No. That’s quite literally the point of a proxy. If you don’t want to be proxied, don’t use a proxy.

      That was the thrust of my post. I just started with NPM because it was already there. I’ve been experimenting and researching since I posted this and I think my solution is to masquerade (NAT) the mailu host behind the VPS and explicitly forward the necessary ports. Unfortunately, iptables is one of my weak spots and the nuances of making iptables work in this situation are eluding me. That’s really where I could use some guidance.

      • SheeEttin · 11 months ago

        I’ve been self-hosting since I was on dial up but thanks for the assumption.

        That doesn’t necessarily mean you understand networking. From your description, it sounds like you want a router, not a VPN or proxy. Yes, iptables can do routing rules, but I’m not sure why you’d want to. Whether you’re routing over a VPN, or just doing plain routing, neither is going to preserve the source IP. And that’s desirable, because if you initiate a connection and tell people to respond to another address, you’ll never even be able to complete a TCP handshake.

      • Atemu@lemmy.ml · 11 months ago

        I completely misread your post. Your issue isn’t outbound connections appearing as if they came from your VPS, it’s inbound connections to your local mailserver being proxied.