Surprise! We've been running on hardware provided by BuyVM for a few months and wanted to show them a little appreciation.
Running a paste site comes with unique challenges, ones that aren't always obvious and hard to control. As such, BuyVM offered us a home where we could worry less about the hosting side of things and focus on maintaining a clean and useful service! Go check them out and show them some love!
Description: Backend side
Submitted by cubebuilder on April 24, 2021

backend side (Bash)

#!/bin/bash

#
# Variables
#
# Adjust these to match your BuyVM VPS & Backend IP's!
#

BUYVM_UNPROTECTED_IP="BUYVM_UNPROTECTED_IP"
BUYVM_PROTECTED_IP="BUYVM_DDOS_IP"

BACKEND_IP="YOUR_BACKEND_IP"

#
# DO NOT CHANGE ANYTHING PAST THIS POINT
#

GATEWAY_IP=$(ip route show default 0.0.0.0/0 | awk '{print $3}')
INTERFACE=$(ip -br addr show | grep $BACKEND_IP | awk '{print $1}')

# bring up our GRE to our BuyVM VPS

ip tunnel add gre1 mode gre local $BACKEND_IP remote $BUYVM_UNPROTECTED_IP ttl 255
ip link set gre1 up

# make sure our routing table exists

if ! grep -Fxq "100 BUYVM" /etc/iproute2/rt_tables
then
     echo "100 BUYVM" >> /etc/iproute2/rt_tables
fi

# add our IP addresses
# NOTE: the 192.168.168.2 IP is only used for transporting packets to/from BuyVM, nothing more

ip addr add 192.168.168.2/30 dev gre1
ip addr add $BUYVM_PROTECTED_IP/32 dev gre1

ip rule add from $BUYVM_PROTECTED_IP lookup BUYVM
ip route add default via 192.168.168.1 table BUYVM

# this is needed since we have multiple IP's on the GRE interface

iptables -o gre1 -t nat -I POSTROUTING -j SNAT --to-source $BUYVM_PROTECTED_IP

# handle our resolvers
# NOTE: this is sloppy and makes Poettering spin in his grave

echo 'nameserver 4.2.2.1' > /etc/resolv.conf
echo 'nameserver 4.2.2.2' >> /etc/resolv.conf

# finally cut over our routing
# NOTE: this will cut all access to your BACKEND IP!

ip route add $BUYVM_UNPROTECTED_IP via $GATEWAY_IP dev $INTERFACE onlink
ip route replace default via 192.168.168.1