Just another blog from some random developer on the internet.

Accessing Server Behind Double NAT


Internet providers usually do not give residential users dedicated IP addresses, since these are rarely a requirement for domestic use. However, there may be occasions when we decide to set up a home server, whether to share files, to act as a central hub for our IoT gadgets, or simply to serve multimedia content with something like Plex.

The problem comes when we want to access the server in our house from another location or a different network, since for this we would need a dedicated IP address. In many cases the solution may be to contact our internet provider and request one, but these are often reserved for corporate or business plans, which are usually very expensive for a domestic user.

Since internet providers for home users usually use shared IP addresses, a single IP address can be shared among many users through a NAT configured by the provider, making it impossible for us to access our server from outside our private network.

One of the most feasible solutions to this problem, if it is not possible to get a dedicated IP address, is to access the server through a VPN from another server that has an Internet connection through a dedicated IP.

In my personal case, I bought an old Early 2008 Xserve, which I installed in my private network to use mainly as a Git server. The problems began when I tried to access the server from outside my network: even after opening and forwarding my server's ports on my router, I was not able to access the server from outside. This was because my router was inside a large NAT configured by my provider.

Basically I found that my private network was behind a double NAT, the NAT of my router and the NAT of my internet provider. As shown in the following diagram:


Installing XL2TPD with IPsec on CentOS 6

So I finally decided on the second option: using a VPN to access my server. I bought a small VPS with 1GB of RAM and 2 dedicated IP addresses (x.x.x.x and y.y.y.y) with CentOS 6 pre-installed, on which I proceeded to install xl2tpd with IPsec.

Before installing any software on the VPS, it is recommended that we update the system. This can be done easily by executing the following command in the terminal:

$ sudo yum -y update

After this we can proceed to install XL2TPD with IPsec on the server. The easiest and fastest way to install it is with the "setup-ipsec-vpn" installation script from @hwdsl2, which is available on GitHub.

You can do the whole installation in just one step:

$ wget -O && sudo sh && chkconfig ipsec on

Enabling IP Forwarding

After the installation, I tested the VPN server from my computer, and browsing worked pretty well. So, in order to get access to my server from the Internet, I configured the VPN on the server. You can find here a detailed explanation of how to configure your new VPN in your OS:

Now that your server is connected to the VPN, we need to check which local IP the VPN has assigned to our server. For explanation purposes I will use the IP z.z.z.z as the VPN private IP. By default, the installation script adds a DROP policy to the iptables firewall, so first we need to remove it.

First we must activate IP forwarding. To activate it, modify the following parameters in the /etc/sysctl.conf file (or add them to the end of the file if they don't exist), as shown below:


And then we need to execute the following command:

$ echo "1" > /proc/sys/net/ipv4/ip_forward && sysctl net.ipv4.ip_forward=1

Configuring the Firewall (iptables)

First of all, we must make a backup of all the rules configured in "iptables" before making any modification.

$ mkdir /etc/iptables/
$ iptables-save > /etc/iptables/rules-bak.v4

Now we make a copy of the file, to which we will add the configuration necessary to forward the IP.

$ cp /etc/iptables/rules-bak.v4 /etc/iptables/rules.v4

Now open the new file with a text editor such as vi or nano, look for the following rules and remove them:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Now save the file and apply the new rules by executing the following commands, and then restart the server:

$ iptables -F
$ iptables-restore < /etc/iptables/rules.v4
$ service iptables save
$ service iptables reload
$ service iptables restart

Forwarding the IP Address

Now that our VPN server is configured, we must redirect all the traffic between the VPN private IP address (z.z.z.z) and our VPN server's public IP address (y.y.y.y). This step is easy: we only need to add some additional rules to iptables. These rules will forward all the ports to the local IP.

$ iptables -t nat -A PREROUTING -d y.y.y.y/32 -i eth0 -j DNAT --to-destination z.z.z.z
$ iptables -t nat -A PREROUTING -d y.y.y.y/32 -j DNAT --to-destination z.z.z.z
$ iptables -t nat -A POSTROUTING -s z.z.z.z/32 -o eth0 -j SNAT --to-source y.y.y.y
$ iptables -t nat -A POSTROUTING -s z.z.z.z/32 -j SNAT --to-source y.y.y.y
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -A FORWARD -s y.y.y.y/32 -j ACCEPT
$ iptables -A FORWARD -d z.z.z.z/32 -j ACCEPT
$ service iptables save
$ service iptables reload

And that's it! Now you can access your amazing server from y.y.y.y 😎
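
As a check on the result of the steps above, the following added example (not code from the original post) audits a rule set in iptables-save format for two things: DNAT rules that forward every port, and INPUT/FORWARD chains left with an ACCEPT policy and no final REJECT or DROP rule. The function names, the finding labels and port 22 in the second sample are assumptions, and both samples are constructed.

```shell
# audit_rules [FILE]: read iptables-save output (stdin if FILE is omitted), print one finding per line.
audit_rules() {
    awk '
    /^\*/ { table = substr($1, 2); next }                 # "*nat", "*filter"
    /^:/  { policy[table "/" substr($1, 2)] = $2; next }  # ":INPUT ACCEPT [0:0]"
    $1 == "-A" {
        # Track whether the last rule seen in each chain is a bare catch-all.
        final[table "/" $2] = ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP"))
        if (table == "nat" && /-j DNAT/ && !/--dports? /)
            print "ALL-PORTS-DNAT: " $0
    }
    END {
        n = split("INPUT FORWARD", want, " ")
        for (i = 1; i <= n; i++)
            if (policy["filter/" want[i]] == "ACCEPT" && !final["filter/" want[i]])
                print "NO-DEFAULT-DENY: filter " want[i]
    }' "${1:--}"
}

# Constructed sample (abridged), modelled on the steps above: REJECT rules removed, all ports forwarded.
sample_open() {
    cat <<'EOF'
*nat
-A PREROUTING -d y.y.y.y/32 -i eth0 -j DNAT --to-destination z.z.z.z
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -d z.z.z.z/32 -j ACCEPT
COMMIT
EOF
}

# Constructed sample (abridged): the same mapping limited to TCP port 22 (an assumed
# service port), with the final REJECT rules kept. Real rule sets need more ACCEPT rules.
sample_tight() {
    cat <<'EOF'
*nat
-A PREROUTING -d y.y.y.y/32 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination z.z.z.z:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d z.z.z.z/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

Running "sample_open | audit_rules" prints three findings and "sample_tight | audit_rules" prints none; on the VPS the same function can be pointed at /etc/iptables/rules.v4.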

Author: Abdy Franco

Posted in Linux, Networking on Oct 11, 2018
