OPNsense Forum

English Forums => General Discussion => Topic started by: i716 on May 18, 2021, 02:55:46 am

Title: VPN GW and NATed Webserver
Post by: i716 on May 18, 2021, 02:55:46 am
A few days ago I replaced my aging Cisco ASA 5505 with a server running OPNsense. I am very happy with this product as it is (mostly) doing what it is supposed to do and it comes with a nice, clean UI.

I have managed to set up OpenVPN with self-issued certs and pointed Cloudflare's DynDNS service to the WAN IP.
There are no issues regarding the updating of my external IP and I can access the VPN without any issues.

So here comes the question:
Since I only have one external IP (dynamic, but it usually doesn't change for months, unless the router is restarted), I would like to point all subdomains to that IP.
Normally I would just use a reverse proxy and set a rule in the firewall to forward the required ports to that machine, which would then forward the URL to the required webserver.

But I also use the OPNsense router as an OpenVPN server, which is listening on port 1194(?).
Now, I can set the subdomain vpn.domain.com to point at the external IP and VPN is connecting fine.

My requirements:
1) The VPN should only be accessible from this subdomain. (E.g. not if the user would change the *.ovpn file to something like web.domain.com)

2) If someone is accessing the subdomain web.domain.com, it should automatically open the website BEHIND the firewall. On the other hand, if someone types vpn.domain.com in their browser, it should not redirect to the webserver.

What would be best practice to achieve this? I know that OPNsense comes with packages like squid (or even an nginx plugin(?)), but I'm not sure if it is a good idea to let the FW/router work as the reverse proxy. The server running OPNsense definitely has enough power (multicore Xeon) for it, but I'm a little bit concerned security-wise.

Thanks in advance
Eric
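As an added example (not from the original post and not the OPNsense project's own configuration), here is an nginx reverse-proxy configuration for the host-based routing the question describes: only web.domain.com is proxied to the internal webserver, and any other name or the bare IP arriving on ports 80/443, including vpn.domain.com typed into a browser, gets the connection closed without a response. The backend address 192.168.1.10:8080 and the certificate paths under /etc/ssl/web.domain.com/ are assumptions. This covers HTTP(S) only: an OpenVPN client resolves vpn.domain.com to the WAN IP, and the OpenVPN server on UDP 1194 never learns which hostname the client used, so the first requirement is enforced by the client certificate (and a tls-auth/tls-crypt key), not by the name.

```nginx
# Added example: nginx reverse proxy with host-based routing.
# Assumptions (not from the post): backend webserver at 192.168.1.10:8080,
# certificate files under /etc/ssl/web.domain.com/.

# Catch-all: any request whose Host/SNI does not match a named server below.
# Returning 444 closes the connection without sending a response, so
# vpn.domain.com (or the raw IP) in a browser never reaches the webserver.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # A certificate is required so the TLS handshake can complete before
    # the request is rejected; reusing the web.domain.com cert is fine here.
    ssl_certificate     /etc/ssl/web.domain.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/web.domain.com/privkey.pem;
    return 444;
}

# Plain HTTP for web.domain.com: redirect to HTTPS, serve nothing in clear.
server {
    listen 80;
    server_name web.domain.com;
    return 301 https://$host$request_uri;
}

# HTTPS for web.domain.com: proxy to the internal webserver.
server {
    listen 443 ssl;
    server_name web.domain.com;
    ssl_certificate     /etc/ssl/web.domain.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/web.domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.10:8080;
        # Pass the original host and client address so the backend can
        # log and enforce policy on the real requester, not the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the firewall only needs two inbound rules on WAN: TCP 80/443 forwarded to the host running the proxy, and UDP 1194 allowed to the OPNsense OpenVPN service itself; the webserver is never exposed directly, and the proxy host sees only the two proxied ports.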