How to Become an One-Man NAT VPS Provider?
Assume you have a dedicated server with /64 IPv6, and your goal is to create some IPv6 NAT VMs. How do you do it? Below is a tutorial about how to install QEMU/KVM and create VMs on Debian via the command line.
0. Advance Notice
- Special thanks to @Not_Oles !
- This tutorial has been verified to work with Debian 11 on Hetzner's dedicated server.
- All commands are executed as root.
In this tutorial the host's network configuration is:
Network Interface: eno1
IPv4 Address: 192.0.2.2/26
IPv4 Gateway: 192.0.2.1
IPv6 Address: 2001:db8:ace:babe::1/64
IPv6 Gateway: fe80::1
We want to create a private network
192.168.0.0/24
for VMs; we want to use192.168.0.1
as the IPv4 gateway and2001:db8:ace:babe::1
as the IPv6 gateway for VMs.- We want to create a VM whose IPv4 address is
192.168.0.2
and IPv6 address is2001:db8:ace:babe:cafe::1/80
.
1. Enable IP Forwarding
Open /etc/sysctl.conf
. Find net.ipv4.ip_forward
; uncomment this line and set the value to 1
. Do the same for net.ipv6.conf.all.forwarding
.
Save the file; then run sysctl -p
to apply changes.
2. Install Required Packages
apt install qemu-system qemu-utils libvirt-clients libvirt-daemon-system virtinst bridge-utils
3. Modify the Network Configuration
3.1 Make a copy of the original /etc/network/interfaces
cp -p /etc/network/interfaces /etc/network/interfaces.backup
3.2 Open /etc/network/interfaces
and edit
Comment out eno1's IPv6 configuration, then add the following line:
iface eno1 inet6 manual
Continue to add the following lines to create an interface br0
for KVM networking:
auto br0
iface br0 inet static
address 192.168.0.1/24
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE
iface br0 inet6 static
address 2001:db8:ace:babe::1/64
up ip -6 route add default via fe80::1 dev eno1
bridge ports none
means br0 is not attached to any physical interface. bridge_stp off
disables Spanning Tree Protocol; usually we don't need it in simple cases. bridge_fd 0
sets the forwarding delay time to 0; 0 is good in simple cases. The iptables
line allows LAN nodes with private IP addresses to communicate with external public networks. The ip -6 route
line specifies the IPv6 gateway.
Save the file; then run systemctl restart networking.service
to apply changes.
Example: my ORIGINAL /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto eno1
iface eno1 inet static
address 192.0.2.2
netmask 255.255.255.192
gateway 192.0.2.1
# route 192.0.2.0/26 via 192.0.2.1
up route add -net 192.0.2.0 netmask 255.255.255.192 gw 192.0.2.1 dev eno1
iface eno1 inet6 static
address 2001:db8:ace:babe::1
netmask 64
gateway fe80::1
Example: my NEW /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto eno1
iface eno1 inet static
address 192.0.2.2
netmask 255.255.255.192
gateway 192.0.2.1
# route 192.0.2.0/26 via 192.0.2.1
up route add -net 192.0.2.0 netmask 255.255.255.192 gw 192.0.2.1 dev eno1
iface eno1 inet6 manual
auto br0
iface br0 inet static
address 192.168.0.1/24
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eno1 -j MASQUERADE
iface br0 inet6 static
address 2001:db8:ace:babe::1/64
up ip -6 route add default via fe80::1 dev eno1
4. Create the VM
virt-install --name YOUR_VM_NAME --ram MEMORY_SIZE_IN_MB --vcpus=NUMBER_OF_CORES --disk /PATH/TO/VIRTUAL/DISK/IMAGE.qcow2,device=disk,bus=virtio,size=DISK_SIZE_IN_GB,format=qcow2 --graphics vnc,listen=0.0.0.0,port=VNC_PORT,password=VNC_PASSWORD --network bridge=br0 --noautoconsole --cdrom /PATH/TO/ISOFILE.iso --boot cdrom,hd
Example
We want to create a VM whose name is TEST with 1GB memory, 1 core, and 10GB disk. TEST will be stored at /var/kvm/TEST.qcow2. The VNC port is 5901 and the VNC password is Hello1. We will use /var/iso/Debian.iso to install Debian on TEST.
virt-install --name TEST --ram 1024 --vcpus=1 --disk /var/kvm/TEST.qcow2,device=disk,bus=virtio,size=10,format=qcow2 --graphics vnc,listen=0.0.0.0,port=5901,password=Hello1 --network bridge=br0 --noautoconsole --cdrom /var/iso/Debian.iso --boot cdrom,hd
5. Configure Guest Networking
Because we haven't configured the DHCP service on the host, we have to manually set the VM network settings. If you are using a netinst image to install the OS, then you need to set the IP address to 192.168.0.2/24 and the gateway to 192.168.0.1 during the installation.
Example: Debain guest /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens3
iface ens3 inet static
address 192.168.0.2/24
gateway 192.168.0.1
iface ens3 inet6 static
address 2001:db8:ace:babe:cafe::1/80
dns-nameservers 2606:4700:4700::1001
gateway 2001:db8:ace:babe::1
Comments
A big assumption is that the prefix should be routed toward the host machine.
This may not be the case at every dedicated server provider.
SNAT is more efficient when public IPv4 is static.
Nothing prevents your abusive customer to steal other's IP.
Moreover, port forwarding is missing.
No hostname left!
Smart people doing what smart people does... Great tutorial @tang_cn
Websites have ads, I have ad-blocker.
The idea is to create a bridge, so people should adjust it based on their network settings.
Thanks for reminding me SNAT, I should change it. Because the performance difference between MASQUERADE and SNAT is too small, I usually use MASQUERADE. People who are interested in SNAT can try it.
This is a very basic tutorial, and I want to make it as simple as possible, that's why I didn't include DHCP. If someone really tries to sell NAT VPS, there are many more things to consider aside of DHCP (e.g., disable certain CPU flags, expose CPU info directly to the guest, PCI passthrough, etc)
Your title says this is for NAT providers, hence these need to be included.
No hostname left!
Cause I just want to add humor to the title.
A comprehensive tutorial for providers should also include how to setup control panels, how to file tax, how to resolve a DMCA Complaint, etc. Apparently this isn't my goal
Oh, note my title is ending with a question mark, so I'm asking a question in the title; my title is not "Tutorial for NAT VPS providers."
@tang_cn - I definitely understood that the title was tongue in cheek humor after opening the thread, although given the vast variety of members here at LES it is unlikely that everyone will take it that way. I appreciate the time you took to write this tutorial for those of us that want to set up NAT VMs as a hobby or as a learning experience.
(If you want to change the title in the future please DM me.)
@yoursunny - You have much more knowledge and experience setting up and working with NAT VMs than most of us here at LES. I am sure that you can add much positive information to this tutorial and I hope you will do so.
Hopefully we can get more tutorials written by members here at LES if other members can add information to the OP with out making the member starting the thread feel like they are being criticized for writing something they thought would be helpful. Very few people know everything about a subject, but collectively LES members seem to know a lot about many things. Hopefully we can start a new trend of working together to write some great tutorials and reference guides that help many old and new members alike.
Previously tutorials were done under the "LES Talk" category and I have moved this thread there for now. I will talk with @Mason and see if he wants to make a separate "Tutorials" category or would prefer that they continue to be put in "LES Talk", as this is above my pay grade.
Peace on earth will come to stay, when we all live as LESbians every day.
For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add
If possible, may I request a separate category for "Tutorials" so that it wont get mixed up in other technical discussions and such?
Thanks! Hope it gets approved!!!
Websites have ads, I have ad-blocker.
Thanks to @tang_cn for this great tutorial!
I've just enjoyed investing the past hour or two looking through the tutorial and also looking at various files and directories on the server. For me, this is the first time I glanced at libvirt. So far, I mostly have tried to focus on qemu, because it seemed to make sense to start with qemu rather than with an additional mechanism which runs on top of qemu. I'm certainly not trying to say anything against libvirt or against anybody who uses libvirt. But it has seemed possible to begin with very simple configurations and calling qemu directly.
Special thanks to @yoursunny for his unfailingly insightful, generous, kind, and gentle comments. Although port forwarding didn't seem to make it into the tutorial, port forwarding was not omitted by @tang_cn. Port forwarding was handled by a separate script called, surprisingly,
port_forward.sh
. Since it's not yet clear to me why port forwarding was handled separately, I will let @tang_cn comment further, if he wishes.In case anybody might be interested, this, according to
ps aux
, was the command that libvirt sent to qemu to start a VPS:I am extremely pleased that @tang_cn used a MetalVPS server to test his command line libvirt VM! I am delighted to see @tang_cn's tutorial and similar wonderful content appearing so often here at LES! Special thanks to @FrankZ for his lively insights into humor, motivation, and the benefits of kind co-operation.
I hope everyone gets the servers they want!