I successfully created a VTI over IPsec site-to-site tunnel between my home router (UBNT EdgeRouter) and a dedicated server (Ubuntu 16.04) at OVH. I can route the internal private networks of each side via the VTI device and access them on the other site (I can access Site B private-range devices from NATed devices at Site A, e.g. from a computer behind the router, and that's great), but I have a problem with routing a public network over it.
Site A: Home Router:
Public Main IP: 89.x.x.81
Private IPs (NATed home devices): 10.100.10.1/24
VTI: 10.255.12.1/30
~# ip r
default via 89.x.x.1 dev eth0 proto zebra
10.100.10.0/24 dev eth1 proto kernel scope link src 10.100.10.1
10.255.12.0/30 dev vti0 proto kernel scope link src 10.255.12.1
89.x.x.0/22 dev eth0 proto kernel scope link src 89.x.x.81
172.16.0.0/12 dev vti0 proto zebra
~# ip tunnel
vti0: ip/ip remote 51.x.x.136 local 89.x.x.81 ttl inherit nopmtudisc ikey 0 okey 1234
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
Site B: Server at OVH:
Public IP: 51.x.x.136
Public IPs block assigned/routed to server: 51.x.x.128/28 (only .136 configured on server)
Private IPs (OVH vRack): 172.16.0.1/12
VTI : 10.255.12.2/30
~# ip r
10.100.10.0/24 dev vti0 scope link
10.255.12.0/30 dev vti0 proto kernel scope link src 10.255.12.2
51.x.x.142 dev eth0 scope link
172.16.0.0/12 via 172.16.0.1 dev eth0 scope link
172.16.0.0/12 dev eth0 proto kernel scope link src 172.16.0.1
~# ip tunnel
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
vti0: ip/ip remote 89.x.x.81 local 51.x.x.136 ttl inherit nopmtudisc key 1234
Goal:
Configure one or more public IP(s) from the OVH server block (51.x.x.128/28) via the VTI device on the home router (then I will set up 1:1 NAT there to assign the IP to a server behind the router), or directly on a device behind the home router if possible.
Is it possible on VTI, or should I consider changing from VTI to GRE and then following this: https://serverfault.com/a/557949 ?
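An added example (not from the question, and not EdgeOS or OVH documentation) of what the stated goal needs on each end, assuming the VTI's IPsec selectors are 0.0.0.0/0 on both sides (the usual route-based setup) so the tunnel carries whatever prefix is routed into it. 51.x.x.140, 10.100.10.50 and table 100 are placeholders; the interface names and tunnel addresses are the ones in the question.

```shell
#!/bin/sh
# Added example, not the question's own configuration. DRY_RUN=1 (default)
# prints each command instead of executing it. Placeholder values:
PUB="51.x.x.140"        # any address in 51.x.x.128/28 except the server's .136
INSIDE="10.100.10.50"   # LAN host behind the home router that should own $PUB
VTI_PEER="10.255.12.2"  # Site B end of the VTI (from the question)
LAN="10.100.10.0/24"    # home LAN (from the question)
TABLE=100               # policy-routing table used for $INSIDE's replies

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Site B (OVH server): OVH already routes the whole /28 to the server, so the
# only change is to forward this one address into the tunnel. The route-based
# VTI carries it as long as the IPsec selectors are 0.0.0.0/0 on both sides.
site_b() {
    run ip route add "$PUB/32" dev vti0
}

# Site A (home router): map $PUB 1:1 to the LAN host and force that host's
# replies back through the tunnel. Conntrack un-NATs a reply only after the
# routing decision, so the decision sees source $INSIDE; without the ip rule
# it would follow the default route out eth0 and leave the home ISP with a
# source address it does not own, where BCP38 filtering discards it.
site_a() {
    run iptables -t nat -A PREROUTING -i vti0 -d "$PUB" -j DNAT --to-destination "$INSIDE"
    run iptables -t nat -A POSTROUTING -s "$INSIDE" -o vti0 ! -d 172.16.0.0/12 \
        -j SNAT --to-source "$PUB"
    run ip route add "$LAN" dev eth1 table "$TABLE"           # keep LAN reachable
    run ip route add default via "$VTI_PEER" dev vti0 table "$TABLE"
    run ip rule add from "$INSIDE" lookup "$TABLE"
    # loose reverse-path check on vti0: inbound packets arrive from Internet
    # sources whose best route in the main table is eth0, not the tunnel
    run sysctl -w net.ipv4.conf.vti0.rp_filter=2
}

case "${1:-}" in
    a) site_a ;;
    b) site_b ;;
    *) echo "usage: DRY_RUN=0 $0 a|b   (omit DRY_RUN to print the plan)" >&2 ;;
esac
```

Run it with `DRY_RUN=1` first on each box and compare the printed plan against the existing `ip r` output above before applying anything.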