Routing additional IPs through tunnel?

jBarrel

New Member
Jan 12, 2025
Hello everyone,

First of all, let me say that I’ve tried searching (I’ve searched extensively on the forum and the internet for weeks, but I haven’t been able to find a working solution).

Here’s my issue:
I have a host running Proxmox (OVH) with 3 IPs – the main IP dedicated to Proxmox management, one IP assigned to a VM, and another IP that I use on an internal LAN (vmbr1) for NATed VMs that I use for my services. I also have a container running Nginx Proxy Manager as a reverse proxy for the services that need to communicate with the outside world.

Now, I need additional IPs, and I’d like to use a VPS (from a different provider) as an “IP donor.”

I want to set up a dedicated bridge (e.g., vmbr2) so that all VMs created with this bridge can use the IPs routed through the tunnel. I’ve tried configuring a GRE tunnel as well as WireGuard, and in both cases, Proxmox and the VPS communicate perfectly using the internal network. However, the VMs don’t have internet access, and I can’t figure out what I’m doing wrong.

Has anyone ever faced a similar need? Is there any tutorial or guide I can follow?

Thanks in advance!
 
Is there no way of getting an additional IP on Proxmox directly? For your scenario I think you'd need to do source-based routing on PVE and configure the VPS as a gateway for the IP range of vmbr2.
 
Is there no way of getting an additional IP on Proxmox directly? For your scenario I think you'd need to do source-based routing on PVE and configure the VPS as a gateway for the IP range of vmbr2.
At the moment, for my provider, the IP market price is very high (around €4 per IP); with an external VPS I can get additional IPs for €0.50/0.70 each.
For 1/2 IPs this doesn't make a difference, but if we are talking about 10/15 IPs, there is a great saving.


Once I used this service: https://noez.de/en/gre
They route additional IPs over a GRE tunnel, and it works great. The only problem is that it is a public service and the IPs get DDoSed; the service is not so stable (because it is used by a lot of people). So I want to replicate the same design on my own.
 
I didn't test this, and only thought shortly about it, but I think something like this could work:

Configure a dedicated IP range for vmbr2 and give the host an IP in the subnet (subnet 192.0.2.0/24 / host 192.0.2.1 for instance).
Use the host IP as the gateway for the VMs in vmbr2.
Have another dedicated /31 (or larger) for the tunnel (let's say in this example 198.51.100.0/31).
Route the vmbr2 subnet via your VPS:

Code:
ip rule add from 192.0.2.0/24 table <table_name>
ip route add default via 198.51.100.1 dev <tunnel_device> table <table_name>

Then you need to set up routing for the reverse path on the VPS as well as any DNAT, MASQUERADE, .... rules.

Not sure if there is a better solution to achieve this (i.e. WireGuard has some special configuration knobs for this kind of setup; I never needed to set up something like this. Maybe someone else can chime in with a better solution).
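A worked version of these steps as a shell script, covering both the PVE side and the reverse path on the VPS; this is an added example, not code from the thread or from Proxmox. The table name viavps, the tunnel device wg0, the sample VM address 192.0.2.10, and the assumption that the VPS provider routes 192.0.2.0/24 to the VPS (so plain routing suffices and no NAT is needed) are all assumptions not taken from the thread.

```shell
#!/bin/sh
# Constructed example of the two-sided setup sketched in the reply above.
# Assumed names (not from the thread): table "viavps" (id 100), tunnel device
# wg0, VPS tunnel IP 198.51.100.1, VM subnet 192.0.2.0/24 which the VPS
# provider is assumed to route to the VPS (so plain routing, no NAT, suffices).
# DRY_RUN=1 prints the commands instead of running them; usage: sh pbr.sh pve|vps
VM_NET=192.0.2.0/24
TUN_DEV=wg0
VPS_TUN_IP=198.51.100.1
TABLE=viavps
TABLE_ID=100
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# "table <name>" only resolves once the name is registered; otherwise ip(8) fails.
register_table() {
    grep -qs "^$TABLE_ID[[:space:]]\{1,\}$TABLE\$" "$RT_TABLES" \
        || run sh -c "echo '$TABLE_ID $TABLE' >> $RT_TABLES"
}

# Proxmox host: policy routing so VM traffic leaves via the tunnel, while the
# host's own traffic keeps using the main table and the OVH uplink.
pve_setup() {
    register_table
    run sysctl -q -w net.ipv4.ip_forward=1
    # Anything sourced from the VM subnet consults our table first ...
    run ip rule add from "$VM_NET" lookup "$TABLE" priority 1000
    # ... whose only route is a default through the tunnel to the VPS.
    run ip route replace default via "$VPS_TUN_IP" dev "$TUN_DEV" table "$TABLE"
    # WireGuard caveat: the VPS peer on this side needs AllowedIPs = 0.0.0.0/0
    # (with Table = off under wg-quick, so no global default route is installed),
    # or replies from arbitrary Internet hosts are dropped by cryptokey routing.
}

# Check on the host: the answer must name the tunnel device, not the uplink.
pve_check() { run ip route get 203.0.113.1 from 192.0.2.10 iif vmbr2; }

# VPS: reverse path for the VM subnet goes back into the tunnel. The Proxmox peer
# entry here must include 192.0.2.0/24 in AllowedIPs, else WireGuard discards
# packets with those source addresses as not belonging to that peer.
vps_setup() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run ip route replace "$VM_NET" dev "$TUN_DEV"
}

case "${1:-}" in pve) pve_setup && pve_check ;; vps) vps_setup ;; esac
```

Run it once as root on each side (`sh pbr.sh pve` on the Proxmox host, `sh pbr.sh vps` on the VPS); with a GRE tunnel instead of WireGuard, only the device name changes and the AllowedIPs remarks do not apply.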
 
Not sure if there is a better solution to achieve this (i.e. WireGuard has some special configuration knobs for this kind of setup; I never needed to set up something like this. Maybe someone else can chime in with a better solution).

I tried using WireGuard and was able to get the tunnel working, allowing traffic to exit from the VPS. The problem arises when the response returns to the VPS; it needs to be directed back into the tunnel, and from the tunnel on the main interface it should be rerouted to vmbr2 and then to the VM. This created some confusion, and I decided to abandon the effort.