NAT Gateway and VPC
Linode
Linode Staff
I'd like to have a NAT Gateway within my VPC to steer the traffic from other Linode without having to assign them public IP.
I have automated all of it, setup is very simple:
1 x VPC
1 x Subnet 10.0.0.0/24
1 x Linode as NAT Gateway, eth0 is internet, eth1 in VPC without 1:1 NAT, static IP 10.0.0.2
1 x Linode as simple host in the same subnet, 1 network interface on VPC, 1:1 NAT disabled, IP 10.0.0.10, with network helper disabled
On the gateway, I simply used:
https://ubuntu.com/server/docs/firewalls (iptables Masquerading section)
On the host box:
root@hostinvpc:~# ip route s
default via 10.0.0.2 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.10
root@hostinvpc:~# ip route get 8.8.8.8
8.8.8.8 via 10.0.0.2 dev eth0 src 10.0.0.10 uid 0
cache
root@hostinvpc:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7154ms
Both Linode can full talk with each other (icmp, ssh). However, when I ping 8.8.8.8 on the 10.0.0.10 host while running a TCPdump on 10.0.0.2 I see no incoming packet at all.
Is there anything special in the VPC that would prevent the NAT Gateway host to receive the packet from the other host?
Thanks!
1 Reply
kazouma
Linode Staff
In upcoming versions of VPC, we intend to incorporate NAT Gateway as a feature; However, we don't have a specific timeline yet. For now, your configuration appears robust, but the missing component is encapsulation. This can be accomplished through a VPN solution that supports bidirectional traffic (Inbound and Outbound).
Unlike VLANs, VPC strictly enforces the source IP addresses that Linode can transmit. Therefore, without encapsulating traffic in a tunnel, forwarding traffic from one Linode to another within a VPC is not straightforward. Consequently, establishing a NAT gateway where you simply change your route or default gateway is not possible without encapsulation.
Using WireGuard, our VPC team has drafted a set of instructions for creating a manual NAT Gateway setup.
Why WireGuard?
WireGuard authenticates peers using a public-private key pair. This enables the pre-generation of as many key pairs as needed and populate them in the NAT gateway Linode. New client Linodes can then be created using these pre-generated keys to tunnel traffic to the NAT gateway Linode without requiring any modifications. This is a scalable solution till the NAT Gateway feature is implemented.
Note:
While WireGuard is often considered faster than other similar VPN solutions, its performance can still vary depending on your specific use case. If you're looking for the most optimal setup, you're welcome to explore the report below, which compares the performance of various VPNs in a 1 Gbit/s environment.
-- Koffi