Build your own gateway for your private network

Virtual networks themselves are merely a transport mechanism for your network packets; they become a powerful infrastructure component only when you populate them with content and functionality. When you create virtual networks, they have no communication with the outside world. To enable internet access for servers that only have private IP addresses, you need to insert some kind of gateway into your virtual network.

We’ll build a gateway using a standard Debian server, but you can of course use a Windows server or a ready‑made solution such as pfSense or another commercial product.

NAT — Network Address Translation

The technology that gives your servers access to the Internet is called NAT. The idea is to let your servers use your gateway’s Internet connection to reach the outside world. The configuration is fairly straightforward and not especially complicated.

We assume you have a freshly installed Debian server (version 10 or above) with at least two network interfaces—one connected to the Internet and the other to your local network.

Set the private network adapter on the gateway to a static IP address in /etc/network/interfaces.d/50-cloud-init like this:

auto ens2
iface ens2 inet static
        address 10.1.1.1/24

Then, enable IPv4 forwarding on the gateway machine:

sudo sh -c 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf'
sudo sysctl -p

For the gateway to perform NAT you also need to add some firewall rules. Edit the /etc/nftables.conf so that it looks like the code below. In this example, ens1 is connected to the internet, and ens2 is connected to the private network.

#!/usr/sbin/nft -f

flush ruleset

table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100;
        oifname "ens1" masquerade
    }
}

table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        iifname "ens1" oifname "ens2" ct state related,established accept
        iifname "ens2" oifname "ens1" accept
    }
}

Enable and start the firewall:

Trying out a client

Before setting up DHCP, you can try out the gateway and see if it's working. On one of the machines in your private network, set up the private network adapter with a private address, and comment out the network adapter connected to the internet. For example, set up /etc/network/interfaces.d/50-cloud-init like this on a client machine:

Then, reboot the client machine to make sure it loses its public IP address. Once the machine is rebooted, log back in using either the console or through the gateway machine over the private network. Now it's time to try the connectivity. Start by making sure that 10.1.1.1 is the default router.

The output should look like this:

Now, try to ping 8.8.8.8.

If the ping succeeded, the gateway is working and the client is using it.

DHCP – Dynamic Host Configuration Protocol

To set up DHCP in the private network, we'll use isc-dhcp-server. On the gateway machine, install and set up isc-dhcp-server:

The first thing you should do is configure which IP family and which network interface the DHCP server should listen to. This is configured in /etc/default/isc-dhcp-server. Make sure this file only has the following line (this turns off DHCP for IPv6 and limits DHCP on IPv4 to only ens2):

Then, edit the main configuration file for isc-dhcp-server by editing /etc/dhcp/dhcpd.conf. The entire file should look like the configuration below. Change the name servers depending on which data center your machine is in. For Falkenberg, it's 79.99.4.100 and 79.99.4.101. For Stockholm, it's 195.20.206.80 and 195.20.206.81.

After saving the file, restart isc-dhcp-server using:

Reconfigure a client machine to use the DHCP server

Change the configuration file /etc/network/interfaces.d/50-cloud-init on the client machine so that it looks like this:

This disables the static configuration and instead enables DHCP.

Follow the DHCP server's log (on the gateway machine) using the command below while you restart the client machine. The logs will show you which IP address the client received.

When the client reboots, you should see something similar to this:

In this case, the client machine called client1 received the IP address 10.1.1.10.

That's it. Everything is now set up and working!

You should also secure your gateway machine using firewall rules. More information can be found in Set up a firewall on Debian 11 or newer using nftables.