I have a URL that I use for myself that points to my home IP address, used for RDP, Plex and other similar remote services for myself. Quite purposely I have never hosted a web page in this way, as this being a lab project I am not trying to encourage those skilled at hacking to look my way. I do have the normal protections, I mean OPNsense is a firewall after all...
Recently I decided I wanted to host a website on my own equipment but the above concerns are still valid.
My solution was to set up a cloud VM instance of OPNsense through a provider of such services. I got a new URL and set the DNS provider to Cloudflare, have the new instance of OPNsense update Cloudflare, and for security I changed the port used to log in to OPNsense. Using that URL with the correct port appended on the end works as expected to allow me to log in to OPNsense.
I followed a guide to set up a site-to-site VPN from this cloud-hosted instance of OPNsense to the instance I am running here at home, and the status page on both ends reads as 'UP' with a few bytes transferred (as I have yet to make it function as expected, not many bytes).
I have Apache running on a VM here at home that I use to allow me to get to (Proxmox, OPNsense, Adblock Home, Home Assistant, Apache Guacamole, Ubiquiti controller) with URLs instead of IPs. A friend and //former// coworker helped me set that up; my skill is enough to read and change it into what I need, but not enough to code it up from scratch. I have looked at OPNsense's built-in nginx and wasn't up to the challenge of learning it at this time, considering I already have a working instance of Apache.
I cloned the above Apache VM and removed all the sites I did not want this new URL to have access to (Apache Guacamole would be a bad idea for an open-to-the-world URL); having a separate VM with its own distinct IP address also seemed like it would make things easier.
On my cloud-hosted OPNsense instance I set up port forwarding for ports 80 and 443 to my new Apache VM.... and it did not work. At one point early on the cloud-hosted OPNsense instance could ping that VM (though the port forwarding or something else prevented it from working). I have since tried many things, including but not limited to assigning the site-to-site VPN as an interface (and disabling and re-enabling different variations of options). Currently, ping from inside the OPNsense web interface on the cloud server to my internal (at my home, through the VPN) Apache instance does not work, though it did early on.
I know the Apache config does work, however, as when I set Adblock (my in-home DNS server) to point to it for the appropriate URL it works when I am already on my home network, so Apache works. The VPN between the 2 OPNsense instances works, and the URL to the cloud-hosted OPNsense instance works.
I need help configuring settings, firewall, routing, port forwarding, interface, and whatever other rules/settings, such that when an end user types my new URL, the cloud instance of OPNsense will forward all web traffic (port 80, port 443) through the VPN tunnel to the IP address of the VM I have running Apache, and to make sure the return information from Apache can make it back out the same way.
Been at this about 2+ weeks trying to blunder my way through, now I am asking.
Hello.
I would proceed step by step and you need to make some decisions for your setup:
- configure your VPN so you can see the traffic from the opnsense box to the endpoint works via the VPN. (Seems this is working.)
Quote: "and to make sure the return information from apache can make it back out the same way"
Now it becomes somewhat difficult ... and you have mainly 2 options to achieve this:
- your VM routes all traffic via the VPN, so the response will take the right way. Then your AWS OPNsense will have to NAT the outgoing traffic like it has to do for LAN traffic.
- your AWS OPNsense NATs the traffic that goes to the VM to its own VPN IP (or another one that will be routed from the VM to the AWS OPN), so the VM will send the response back to the AWS OPN (here it will be translated back to the original public IP).
In fact you can think of the AWS OPN box as a normal gateway router, and the VPN (and the remote networks) are in fact the LAN segment behind it. The VPN just makes the routing on the remote network where your Apache lives a little bit more complicated ...
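To make option 2 concrete, here is the pf equivalent of the three GUI objects it needs on the cloud OPNsense. This is an added example, not configuration from either poster; OPNsense writes its own pf ruleset from the GUI, so this is for reading and cross-checking against the generated rules, not for pasting into a file. All names are assumptions: WAN interface vtnet0, tunnel interface wg0, cloud-side tunnel address 10.0.8.1, home-side tunnel address 10.0.8.2, and the Apache VM at 192.168.1.50 inside the 192.168.1.0/24 home network mentioned later in the thread.

```pf
# Added example (assumed names, see lead-in). Equivalent of the OPNsense GUI
# objects for "option 2": DNAT on WAN, then source NAT on the tunnel so the
# VM answers the cloud box and the reply rides back through the tunnel.

# 0) Routing prerequisite (System > Routes > Configuration, not a pf rule):
#    192.168.1.0/24 via 10.0.8.2 on wg0. Without it the packets never leave
#    on wg0 and the "nat on wg0" rule below never matches.

# 1) Firewall > NAT > Port Forward: public :80/:443 on WAN -> VM :80/:443.
#    "rdr pass" also creates the matching pass rule for the redirected flow.
rdr pass on vtnet0 inet proto tcp from any to (vtnet0) port { 80, 443 } -> 192.168.1.50

# 2) Firewall > NAT > Outbound (mode Hybrid or Manual), rule on interface wg0:
#    source any, destination 192.168.1.50, translation = interface address.
#    The VM now sees 10.0.8.1 as the client and replies to it, i.e. into the
#    tunnel, instead of trying to reach the real public IP via its home gateway.
nat on wg0 inet proto tcp from any to 192.168.1.50 port { 80, 443 } -> (wg0)

# 3) Firewall > Rules > wg0: pf allows outbound by default, this only matters
#    if a block rule exists on the tunnel interface.
pass out quick on wg0 inet proto tcp from any to 192.168.1.50 port { 80, 443 }
```

Two things to check on the home side: the home OPNsense must have a firewall rule on its tunnel interface allowing 10.0.8.1 to 192.168.1.50 on 80/443, and the VM's own firewall (if any) must accept connections from the tunnel range. The caveat of this approach is that every request arrives at Apache with source 10.0.8.1, so Apache's access logs, rate limiting or fail2ban can no longer distinguish clients; if you need the real client address, the proxy approach suggested later in the thread can add it as an X-Forwarded-For header, plain NAT cannot.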
You certainly have the right idea for what I am trying to do. If I am reading your reply correctly then method #2
Quote: "your AWS opnsense NATs the traffic that goes to the VM to its own VPN IP (or another one that will be routed from the VM to the aws opn), so the VM will send the response to the aws opn back (here it will be translated back to the original public IP)"
is what I have been trying to execute upon and so far failing. Thus I am here asking for a sample config of things to change so I can see and adapt it to my situation....
After conversation with a friend in the field I am presently attempting to put a manual entry under the routing configuration of the cloud OPN instance telling it that anything destined for 192.168.1.0/24 goes out the VPN interface (which I just re-enabled again).... still working on this, so we shall see what becomes of it...
Another (and maybe easier) way would be to use a transparent proxy on the AWS OPN box ...
webproxy, haproxy, reverse proxy ...
So you have many options (many ways to drive you nuts) ... just choose the right one for you.
Maybe the proxy way is easier than the NAT way, as you will need to combine NAT with port forwarding ... I must admit never doing this with OPNsense, just with linux+iptables I had similar setups, or with cisco asa (and this gave me the bullet for a few days ::) ...)
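For the proxy route, this is what the equivalent haproxy.cfg looks like when the cloud OPNsense runs the os-haproxy plugin. It is an added example, not configuration from the thread or from the plugin's own GUI (which generates a file of this shape from its frontend/backend/server objects). Assumptions: the Apache VM is at 192.168.1.50, the cloud box already has the static route for 192.168.1.0/24 over the tunnel, and Apache keeps its own TLS certificates, so 443 is passed through unterminated.

```haproxy
# Added example (assumed addresses, see lead-in). Reverse proxy on the cloud
# OPNsense instead of DNAT+SNAT: the TCP connection to the VM originates from
# the OPNsense box itself (its tunnel address), so the VM's reply naturally
# returns through the tunnel and no outbound NAT rule is needed.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 in HTTP mode: HAProxy can see the request, so it can pass the real
# client address to Apache (something plain NAT cannot do).
frontend web_http
    mode http
    bind *:80
    option forwardfor          # adds X-Forwarded-For: <client ip>
    default_backend apache_http

backend apache_http
    mode http
    server apache_home 192.168.1.50:80 check

# Port 443 in TCP mode: TLS stays end-to-end between browser and Apache, the
# existing Apache vhosts and certificates are untouched. The price is that
# Apache sees the tunnel address as client, unless you enable the PROXY
# protocol on both sides (send-proxy here, mod_remoteip on Apache).
frontend web_https
    mode tcp
    bind *:443
    default_backend apache_https

backend apache_https
    mode tcp
    server apache_home 192.168.1.50:443 check
```

With this in place the only firewall objects needed are a WAN rule on the cloud box allowing 80/443 to the HAProxy listener and a rule on the home OPNsense's tunnel interface allowing the cloud box's tunnel address to reach 192.168.1.50 on 80/443. Since HAProxy now fronts the site, the forwarded 80/443 port-forward rules from the NAT attempt must be removed, otherwise they catch the traffic before it reaches the proxy.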