Messages - gustaf

#1
Gotta learn how to stream then. Thank you for confirming I was more or less headed the right way Monviech.

If you or other forum members could give suggestions, or guidance of any kind, it's going to be a lot of help :)
#2
Thank you Monviech for your suggestion.

I had a look at the docu you linked, and I have a few questions:
- I need to forward traffic on a whole array of ports, does caddy support this? Here's the list:
Enjoy your accelerated Internet by CyberPanel & OpenLiteSpeed
###################################################################
Please make sure you have opened following port for both in/out:
TCP: 8090 for CyberPanel
TCP: 80, TCP: 443 and UDP: 443 for webserver
TCP: 21 and TCP: 40110-40210 for FTP
TCP: 25, TCP: 587, TCP: 465, TCP: 110, TCP: 143 and TCP: 993 for mail service
TCP: 53 and UDP: 53 for DNS service

- It looks like caddy relies on external dns resolution. Both my webservers are the authoritative DNS servers for their domains. Glue records are set at the registrar, will these suffice?
#3
Hello, I'm trying to set up Nginx as a transparent reverse proxy on OPNsense (if I understand the terminology correctly; I'm a newbie at web stuff...)
What I want to achieve:
  • VPN provider with 1 static IP
  • OpenVPN instance on OPNsense
    • Nginx on OPNsense
      • Main webserver for "production" @ 192.168.1.10 www.prodsite.tld
      • Test webserver @ 192.168.1.15 www.testsite.tld
Reasoning:
- The webservers are NOT for real world production. Security is welcome but not paramount
- My ISP won't provide a static IP, hence the VPN, which is up and running with the new instance config
- The VPN provider also supplies PTR records, enabling the webservers to each provide mail services in addition to websites
- A full test server is nice because I can test stuff without worrying about downtime on the production machine, so I won't migrate testsite.tld to the main webserver
- Each webserver takes care of its own certificates, so adding Let's Encrypt would just increase overhead. I want to pass through the existing certificates
- Up until now I had 2 OPNsense boxes, each with their own VPN and IP, but this is cumbersome and costly to maintain, hence my interest in Nginx, which to me looks like the most capable reverse proxy available in OPNsense
- I might set up other web facing services if this goes well, such as an Owncloud/Nextcloud
- I have looked at various tutorials such as https://forum.opnsense.org/index.php?topic=24778.0, but they all use Let's Encrypt. I'm not versed enough in this stuff to understand what I need to change and how. It looks like I might need to use the Data Stream section (see https://forum.opnsense.org/index.php?topic=10523.0 )?

The question: how am I supposed to set nginx up?

Thank you for your support :)
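For readers wondering what the "stream" route mentioned in this thread amounts to: the following is an added illustration, not text from the thread and not the configuration the OPNsense nginx plugin generates. It is the raw nginx stream configuration for SNI-based TLS passthrough to the two backends named in the post (hostnames and addresses taken from it), and assumes an nginx build that includes the stream and ssl_preread modules and that TLS terminates on the backends, so their own certificates are used unchanged.

```nginx
# Added example: SNI-based TLS passthrough with the nginx stream module.
# Assumptions: ngx_stream_ssl_preread_module is compiled in; the backend
# addresses and hostnames are the ones from the post.
stream {
    # Choose the backend from the server name in the TLS ClientHello.
    # Unknown SNI values and non-TLS probes map to an empty upstream, which
    # nginx logs as an error and closes, instead of silently landing on the
    # production host.
    map $ssl_preread_server_name $backend {
        www.prodsite.tld  192.168.1.10:443;
        www.testsite.tld  192.168.1.15:443;
        default           "";
    }

    server {
        listen 443;
        ssl_preread on;            # peek at SNI without terminating TLS
        proxy_pass $backend;       # bytes are relayed untouched; certs stay on the backend
        proxy_connect_timeout 5s;  # fail fast when a backend is down
    }

    # Plain HTTP carries no SNI, so a stream listener cannot tell the two
    # sites apart; hand port 80 to the production host only.
    server {
        listen 80;
        proxy_pass 192.168.1.10:80;
    }
}
```

Because the proxy never decrypts the traffic, nothing on OPNsense can inspect or log request contents; the backends remain the place where access logs, rate limits and certificate renewal live.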
#4
I did a small test:
connected to an OPNsense as an OpenVPN road warrior from a Windows PC
Launched RDP to a Windows server residing in the LAN of the OPNsense. Then from the server:

Tried to ping and traceroute myself back with no success.
Tried to connect via RDP to the PC I was using and got a password prompt, which means the RD connection was successful.

I would have a look at the firewall on your remote linux boxes, it's likely what's blocking you.
#5
Can't you get to the linux boxes via the IP they get on their tunnel interface? If OPNsense is your gateway, it should know the route without further config, and the LAN should be able to access everything by default
#6
I'd like to conduct a new experiment and set up OPNsense as a VPS machine.
The only purpose of this VPS would be to provide a VPN connection for my self hosted lab.
I don't know how to set things up since the VPS would only get one public IP and there would basically be no LAN side.

Here's the diagram:

Internet <> VPS OPNsense WAN (public IP) <> VPS OPNsense OpenVPN server interface (on the same public IP?) <> lab OPNsense OpenVPN client interface <> lab web server

I've tried to set up an OPNsense VM with one single NIC, and it was assigned to both LAN and WAN. I suppose this would not be optimal for security. OpenVPN works with this configuration.

I just want the VPS to forward all* requests to my web server, and the web server to access the web through the VPS public IP.

Thank you for your input

* "all" as in "all legitimate" and going through selected ports
#7
Hi everyone,
I'm trying to set up something but - for the first time in my OPNsense experience - I got stuck.

What's been going on:
We want to host a web server from a dynamic IP. The ISP won't assign a static one to our location. So we subscribed to a VPN with static IP and port forwarding. Preliminary tests have been good, but we can't use the VPN on board the web server because of conflicts between applications, limitations in automation, etc.

Here's the summary:
[physical layout] Web server > OPNsense > ISP router > Internet
[logical layout] Web server > OPNsense > VPN provider > Internet

OPNsense did connect immediately to the VPN tunnel (configured in VPN > OpenVPN > Clients and checked in Connection Status).
But no traffic is being forwarded from the LAN side to the internet. OPNsense can ping and traceroute, but not the web server or other machines if connected to the LAN side of OPNsense.

I think I'm missing some firewall rule or part of the configuration.
I did set a NAT rule to forward traffic from OPNsense to the web server and it works: I can connect to the web server from the internet using our VPN IP.*3

So far I've tried the following with no change:
- Interfaces > Assignment: added the openvpn virtual interface as WAN_VPN and set to enabled
- System > Gateways > Single: 2 new gateways are present, one marked active for VPN IPv6 and one for IPv4 not marked active. I assigned the private VPN IP to the IPv4 gw and marked it as far gateway*1
- Firewall > Rules > LAN: Added a rule from any to any with the VPN_GW as gateway*2

So I'm asking for your help since nothing flows from the LAN to the Internet...

Thanks

EDITS
*1 I've given the VPNGW IPv4 a lower priority number and it became the active gw. The outbound block persists. I then restored the default values, because after reboot the VPN link couldn't come up: traffic was trying to be forwarded through the yet-to-be-established VPN gw.
*2 this rule was removed as it was not necessary
*3 The NAT rules had to be modified after adding a new interface assignment to the OpenVPN connection: Interface OpenVPN, Destination VPN-interface, Redirect target WebServer. Ports had to be opened on the VPN provider control panel.

Solved as described in this thread: https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771
and specifically by applying this part:
" - Navigate to Firewall > NAT > Outbound
- Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
- Add a new rule

Rule 1.
- Interface: VPN (The one you created in Step 6)
- Source: VPNTraffic ( The alias you created in Step 7)
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any"

I set hybrid outbound NAT in order to keep the autogenerated rules, and LAN net as source in Rule1.

This guide is a bit old and thus some settings no longer apply (for example, you cannot set DHCPv4 in step 6), but it's still very valuable as it discusses full configuration of OPNsense as a VPN client, and how to route select clients instead of the whole subnet.
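To show what the outbound NAT rule that solved this thread does underneath the GUI, here is an added illustration in pf syntax; it is neither text from the thread nor the ruleset OPNsense actually generates. The OpenVPN client interface name ovpnc1, the WAN interface name em0 and the LAN subnet 192.168.1.0/24 are assumptions.

```pf
# Added example (assumed names: ovpnc1 = OpenVPN client interface,
# em0 = ISP-facing WAN, 192.168.1.0/24 = LAN net).
#
# Equivalent of "Rule 1" from the post in hybrid outbound NAT mode: LAN
# traffic leaving through the tunnel is rewritten to the tunnel interface's
# own address. The VPN provider only ever sees the IP it assigned, so it has
# a route for the replies; without this rule packets leave with a 192.168.1.x
# source that the far end cannot answer, which matches the symptom described
# (OPNsense itself reaches the internet, LAN hosts do not).
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0)

# The autogenerated WAN rule is left as is, so LAN hosts that are routed out
# the ISP link (for example while the VPN gateway is down) are still
# masqueraded as before.
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0)
```

On a running box the generated rules can be compared against this with `pfctl -s nat`; a LAN client whose traffic is meant to use the tunnel should then show the VPN's static IP on an external "what is my IP" check.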