Webserver behind VPN client

By OmegaHack
in Smart Home, Network & Security

 Share

Recommended Posts

Rising Star

OmegaHack

Posted
Posted

I just want someone to work through this with me to make sure I'm not going to be wasting my time implementing it.

I currently run a Linux server running ddclient for a DDNS service (afraid.org) among other services, and does not currently have a VPN client.

I am planning on installing a VPN client which would cause ddclient to stop reporting the correct IP to the DDNS. So I was going to run a virtual machine on eth1 (non-VPN) running ddclient and have the full server running on eth0 (VPN). That way ddclient is reporting the correct wan IP for my connection, then port forwarding to the local IP should allow the domain to see the web services/ssh/etc remotely while keeping other network traffic protected by the VPN... or at least that's what I am imagining.

Can anyone tell me if I over-thought this or if this will actually work?

Thanks!

Link to comment
https://www.neowin.net/forum/topic/1124036-webserver-behind-vpn-client/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

port forwarding to what IP, the VMs IP?

If I hit you from say 24.13.a.b to your publicIP.nonvpn to be forwarded to your webserver. When your webserver answers back if default route to internet is through vpn -- it will go back through the vpn to answer me on 24.13.a.b

I don't think my box would like the connection coming from a different IP, etc.

Now if webservices/ssh going to run on the vm your fine - and you don't even need a second nic for that. Just bridge the VM to your 1 physical nic on the server so it gets an IP in your private network.

Rising Star

OmegaHack

Posted
  • Author
Posted

Port forwarding to the VPN protected IP.

The reason I'm doing this is there are some applications that need to be run behind the VPN but I need to be able to access them remotely. Is there another way of doing that?

This is a full fledged enterprise rackmount server, so it has the two nics built in already. I was going to trunk them for redundancy but if I have to run them independent to get this working that's okay.

I see what you're saying about the different IP responding. Didn't really think of it that way... There has to be a way to do this though.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

The bit I'm confused with is a VPN client on the same server as (afraid.org)? Do you not mean install a VPN server on the same server as (afraid.org)?

Do you want (afraid.org) on the WWW for everyone or only accessed by VPN? If only by VPN then DDNS will only help you get to the VPN WAN IP not (afraid.org) and so VPN DNS server will have to point you to (afraid.org) by VPN LAN IP.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

afraid.org is the DDNS provider. I want specific ports available to web access instead of being behind the VPN client. However the other traffic those applications create need to be behind the VPN.

So you do want (afraid.org) on the WWW for everyone and connect to this server by VPN for other things? In which case you need a VPN server (not client) setup on (afraid.org) and this will not affect DDNS in pointing to (afraid.org) by WAN IP.

Grand Master

Nas

Posted
Posted

@PeterUK, I think he just wants to know if he can segment his 2 NICs so that some traffic (vpn) is bound/routed via NIC #1 and all other traffic (non-vpn) is bound/routed via NIC #2.

@OmegaHack, it sounds like you're talking about proxying 2-way VPN traffic thru NIC #1 while allowing non-VPN traffic thru NIC #2 undisturbed. If that's the case, then it shouldn't be a problem -- provided that all client/server services are explicitly bound to the appropriate ethX device.

(For reference, this bifurcation is very typical for managed environments since the secondary Ethernet device can either serve a different VLAN or even upstream provider [think back-up/spare network bandwidth].)

Edit: bold-faced "proxying" since the OP wants more to proxy than to necessarily port-forward

Rising Star

OmegaHack

Posted
  • Author
Posted

@PeterUK I don't think you understand. freedns.afraid.org is the service I have my dynamic DNS through, ddclient is the application that gives my WAN IP to freedns.afraid.org so that a domain that I have points to my WAN IP. I am trying to set up a VPN client on here to protect the data that is sent/received by the applications running on the server. I need to be able to access certain ports on that server for those applications though. If I run ddclient on the primary server it will report the wrong (anonymous) IP address to freedns.afraid.org hence the VM to run ddclient on it's own ethernet device (I suppose I could just use a virtual switch though). So now the correct IP is being reported to the DDNS provider but will port forwarding on the router to the primary server allow me to access those specific ports/applications remotely. That is the question.

@NAS I am trying to leave the traffic on the VM undisturbed but also need to access certain ports on the primary system remotely.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

If its the other way round as in (afraid.org) wants to connect to another VPN end point then you only need to disable for the VPN client do not use the remote gateway which will give you a LAN access to the other end without it affecting DDNS because you disabled the the VPN use the remote gateway option.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • RustDesk 1.4.8

      By Copernic · Posted

      RustDesk 1.4.8 by Razvan Serea RustDesk is a fast, secure, and open-source remote desktop software designed for self-hosting, remote access, and IT support. It provides a privacy-focused alternative to TeamViewer and AnyDesk, offering full control over your data with minimal configuration. The client is fully open source, while users have the option to choose between two server solutions: the Professional Server, a premium offering with advanced features available for purchase, and the Basic Server, a free and open-source alternative for those who prefer a self-hosted setup. RustDesk features Open-source & free remote desktop solution Cross-platform compatibility – Works on Windows, macOS, Linux, iOS, Android, and Web End-to-end encryption (E2EE) based on NaCl for secure connections Peer-to-peer (P2P) connectivity for fast and private remote access Self-hosting support – Own your data with easy deployment on your infrastructure Supports VP8, VP9, AV1 (software) and H264, H265 (hardware) codecs for efficient streaming Unattended access for remote management File transfer & clipboard sharing Multi-monitor support & remote printing Low-latency & high-performance remote access Session recording & chat functionality Professional & Basic server options for flexible deployment Lightweight & minimal resource usage No third-party server dependency for privacy No installation or admin privileges needed on Windows (elevate privileges locally or remotely on demand) Easy installation & minimal configuration required Custom branding & enterprise-level features available RustDesk 1.4.8 changelog: Added Add Windows arm64 support #15139 Feature: Add monitor-switch buttons to remote toolbars #15342 Refact/privacy mode 1 multi monitors #15321 autocomplete online #15313 feat: theme logo #15268 Changes refact: restart remote device, autoconnect #15290 refact(oidc): icon azure to microsoft #15278 Refact/printer driver default unchecked #15191 Revert "fix(iPad): keep touch gestures with external mouse" #15288 Fixes fix Wayland→Wayland clipboard paste fix(arm64-linux): fix CJK font rendering on flutter-elinux #15324 iOS: autocorrect/data detectors corrupt the server Key field (ID/Relay Server settings), making valid keys impossible (or very hard) to enter #15293 fix(ios): mouse mismatch #15339 fix(linux): reap leftover logind session procs on headless teardown #15337 Crash on startup (0xc0000409) / Fast Fail in librustdesk.dll on Windows 11 26H1 #15218 fix(clipboard): Windows DIB images, fill missing alpha #15296 Fix/generate py target injection #15248 Fix clipboard synchronization not fully disabled in View Only mode #15224 fix(keyboard): win, key, Pause #15351 Download: RustDesk 64-bit | MSI | 32-bit ~20.0 MB (Open Source) Links: RustDesk Home Page | Other platforms | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Valve finally confirms Steam Machine prices, starts at $1049 for 512GB option

      By neufuse · Posted

      pass....
    • SKG Hand Massager with Heat OS500 hands on

      By +Thom Vee · Posted

      This makes me think of Dune for some reason.
    • Free Software Foundation Europe pushes EU to force Google to allow AI uninstalls on Android

      By monterxz · Posted

      I'm too old to return to the "good old days" when I was installing custom ROMs and tinkering with my devices - now I just want to turn it on and use it. I've read that banking and payment apps work on Murena /e/OS (I'll have to check the ones I use) and I also really want to support Fairphone 😉
    • Valve finally confirms Steam Machine prices, starts at $1049 for 512GB option

      By notta · Posted

      Time to start going to the local church and play Bingo for a while.

  • Recent Achievements

    • First Post
      mike_rumble earned a badge
      First Post
    • Dedicated
      tuben earned a badge
      Dedicated
    • Week One Done
      mnsgroup earned a badge
      Week One Done
    • Conversation Starter
      sumytbe earned a badge
      Conversation Starter
    • One Year In
      B4dM1k3 earned a badge
      One Year In

  • Popular Contributors

    1. 1
      +primortal
      503
    2. 2
      +Edouard
      203
    3. 3
      PsYcHoKiLLa
      98
    4. 4
      Michael Scrip
      80
    5. 5
      neufuse
      67
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!