Webserver behind VPN client

By OmegaHack
in Smart Home, Network & Security

 Share

Recommended Posts

Rising Star

OmegaHack

Posted
Posted

I just want someone to work through this with me to make sure I'm not going to be wasting my time implementing it.

I currently run a Linux server running ddclient for a DDNS service (afraid.org) among other services, and does not currently have a VPN client.

I am planning on installing a VPN client which would cause ddclient to stop reporting the correct IP to the DDNS. So I was going to run a virtual machine on eth1 (non-VPN) running ddclient and have the full server running on eth0 (VPN). That way ddclient is reporting the correct wan IP for my connection, then port forwarding to the local IP should allow the domain to see the web services/ssh/etc remotely while keeping other network traffic protected by the VPN... or at least that's what I am imagining.

Can anyone tell me if I over-thought this or if this will actually work?

Thanks!

Link to comment
https://www.neowin.net/forum/topic/1124036-webserver-behind-vpn-client/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

port forwarding to what IP, the VMs IP?

If I hit you from say 24.13.a.b to your publicIP.nonvpn to be forwarded to your webserver. When your webserver answers back if default route to internet is through vpn -- it will go back through the vpn to answer me on 24.13.a.b

I don't think my box would like the connection coming from a different IP, etc.

Now if webservices/ssh going to run on the vm your fine - and you don't even need a second nic for that. Just bridge the VM to your 1 physical nic on the server so it gets an IP in your private network.

Rising Star

OmegaHack

Posted
  • Author
Posted

Port forwarding to the VPN protected IP.

The reason I'm doing this is there are some applications that need to be run behind the VPN but I need to be able to access them remotely. Is there another way of doing that?

This is a full fledged enterprise rackmount server, so it has the two nics built in already. I was going to trunk them for redundancy but if I have to run them independent to get this working that's okay.

I see what you're saying about the different IP responding. Didn't really think of it that way... There has to be a way to do this though.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

The bit I'm confused with is a VPN client on the same server as (afraid.org)? Do you not mean install a VPN server on the same server as (afraid.org)?

Do you want (afraid.org) on the WWW for everyone or only accessed by VPN? If only by VPN then DDNS will only help you get to the VPN WAN IP not (afraid.org) and so VPN DNS server will have to point you to (afraid.org) by VPN LAN IP.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

afraid.org is the DDNS provider. I want specific ports available to web access instead of being behind the VPN client. However the other traffic those applications create need to be behind the VPN.

So you do want (afraid.org) on the WWW for everyone and connect to this server by VPN for other things? In which case you need a VPN server (not client) setup on (afraid.org) and this will not affect DDNS in pointing to (afraid.org) by WAN IP.

Grand Master

Nas

Posted
Posted

@PeterUK, I think he just wants to know if he can segment his 2 NICs so that some traffic (vpn) is bound/routed via NIC #1 and all other traffic (non-vpn) is bound/routed via NIC #2.

@OmegaHack, it sounds like you're talking about proxying 2-way VPN traffic thru NIC #1 while allowing non-VPN traffic thru NIC #2 undisturbed. If that's the case, then it shouldn't be a problem -- provided that all client/server services are explicitly bound to the appropriate ethX device.

(For reference, this bifurcation is very typical for managed environments since the secondary Ethernet device can either serve a different VLAN or even upstream provider [think back-up/spare network bandwidth].)

Edit: bold-faced "proxying" since the OP wants more to proxy than to necessarily port-forward

Rising Star

OmegaHack

Posted
  • Author
Posted

@PeterUK I don't think you understand. freedns.afraid.org is the service I have my dynamic DNS through, ddclient is the application that gives my WAN IP to freedns.afraid.org so that a domain that I have points to my WAN IP. I am trying to set up a VPN client on here to protect the data that is sent/received by the applications running on the server. I need to be able to access certain ports on that server for those applications though. If I run ddclient on the primary server it will report the wrong (anonymous) IP address to freedns.afraid.org hence the VM to run ddclient on it's own ethernet device (I suppose I could just use a virtual switch though). So now the correct IP is being reported to the DDNS provider but will port forwarding on the router to the primary server allow me to access those specific ports/applications remotely. That is the question.

@NAS I am trying to leave the traffic on the VM undisturbed but also need to access certain ports on the primary system remotely.

Grand Master

+PeterUK MVC

Posted
  • MVC
Posted

If its the other way round as in (afraid.org) wants to connect to another VPN end point then you only need to disable for the VPN client do not use the remote gateway which will give you a LAN access to the other end without it affecting DDNS because you disabled the the VPN use the remote gateway option.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • qBittorrent 5.2.2

      By Copernic · Posted

      qBittorrent 5.2.2 by Razvan Serea The qBittorrent project aims to provide a Free Software alternative to µtorrent. qBittorrent is an advanced and multi-platform BitTorrent client with a nice user interface as well as a Web UI for remote control and an integrated search engine. qBittorrent aims to meet the needs of most users while using as little CPU and memory as possible. qBittorrent is a truly Open Source project, and as such, anyone can and should contribute to it. qBittorrent features: Polished µTorrent-like User Interface Well-integrated and extensible Search Engine Simultaneous search in most famous BitTorrent search sites Per-category-specific search requests (e.g. Books, Music, Movies) All Bittorrent extensions DHT, Peer Exchange, Full encryption, Magnet/BitComet URIs, ... Remote control through a Web user interface Nearly identical to the regular UI, all in Ajax Advanced control over trackers, peers and torrents Torrents queueing and prioritizing Torrent content selection and prioritizing UPnP / NAT-PMP port forwarding support Available in ~25 languages (Unicode support) Torrent creation tool Advanced RSS support with download filters (inc. regex) Bandwidth scheduler IP Filtering (eMule and PeerGuardian compatible) IPv6 compliant Available on most platforms: Linux, Mac OS X, Windows, OS/2, FreeBSD qBittorrent 5.2.2 changelog: FEATURE: Use D-Bus to show file in file managers (Chocobo1) #24340 BUGFIX: Fix friendlyUnitCompact precision calculation (vafada) #24323 BUGFIX: Remove all top-level folders (glassez) #24333 BUGFIX: Use proper API for checking exit status (Chocobo1) #24349 BUGFIX: Delete stale lockfile when hostname mismatch (TurboTheTurtle, glassez) #24363 BUGFIX: Fix wrong removal procedure of watched folder paths (Chocobo1) #24413 BUGFIX: Don't reannounce before interface changes are applied (glassez) #24447 BUGFIX: Use Latin script for Bosnian locale name (Andy Ye) #24342 WEBUI: Fix performance of global checkbox toggling (tehcneko) #24316 WEBUI: Fix Safari transfer list header misalignment (Piccirello) #24377 WEBUI: Fix error when submitting magnet before metadata loads (Piccirello) #24378 WEBUI: Use correct row id when updating Rss Downloader feed selection (Chocobo1) #24402 WEBUI: Use SameSite=Lax for session cookie to fix cross-site login (Piccirello) #24422 WEBUI: Bring back properties panel expand/collapse button (vafada) #24430 WEBAPI: Only use X-Forwarded-Host header when reverse proxy support is enabled (Chocobo1) #24457 RSSS: Fix "RSS Smart Episode Filter" RegEx (nathanon-akk, glassez) #24398 RSS: Fix previously matched episode format (glassez) #24452 WINDOWS: Fix Python fallback search path (TurboTheTurtle) #24325 WINDOWS: NSIS: Allow to install x64 binary on ARM64 (Chocobo1) #24358 Download: qBittorrent 5.2.2 | 41.1 MB (Open Source) Download: qBittorrent 64-bit installer (qt6) | 43.3 MB Links: qBittorrent Home page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Microsoft faces shareholder lawsuit over masking AI costs and slowing Azure growth

      By +Tantawi · Posted

      Microslop.
    • what other retro software do yall use

      By binaryzero · Posted

      Weechat. https://weechat.org/
    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By nekrosoft13 · Posted

      they should stop making bad games that no one asked for
    • Samsung is shutting down yet another app used by millions

      By +Edouard · Posted

      Nice rant! Expletive after expletive after expletive. Poor petal, I've touched a nerve. Would you like a tissue to wipe those tears away. Btw, nice one calling Neowin trash. Why would you stick around when you disrespect this site and the people behind it? Just go away if you feel that way.

  • Recent Achievements

    • Veteran
      branfont went up a rank
      Veteran
    • Reacting Well
      Almohandis earned a badge
      Reacting Well
    • First Post
      Cosminus earned a badge
      First Post
    • One Year In
      ThatGuyOnline earned a badge
      One Year In
    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      482
    2. 2
      +Edouard
      183
    3. 3
      PsYcHoKiLLa
      123
    4. 4
      Steven P.
      87
    5. 5
      neufuse
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!