TCP reverse proxy

[latchee]

Hi there,

I am looking at doing TCP reverse proxy, if that is possible.

To explain I have server A and server B behind opsense. Both are using the same internal port, for example 8085.
I have cnames for each server that points to the WAN IP of opnsense:
- serverA.domain.com
- serverB,domain.com

Port forwarding cannot use TLS.

Is it possible to create a conditional NAT port forwarding entry? I.e. if client connects via serverA.domain.com:8085 forward to server A.
If client connects via serverB.domain.com:8085, forward to server B.

Thank you in advance for your help and advice :)

edit: corrected typo

[newsense]

Check out OPNproxy, HAProxy or Caddy -- all available in OPNsense.

Use a VM and find out which one would be the best fit for your use case.

[latchee]

Hi thank you for your answer.

I do not have OPNproxy as I use the free version of OPNsense (for personal use, homelab).
I have Caddy installed. But this does only HTTP(S) reverse proxy.

I also have nginx reverse proxy installed. Not sure if I could use this? Would there be any tutorial? Or anybody who has done this in the past?

Cheers,

[Monviech (Cedrik)]

https://docs.opnsense.org/manual/how-tos/nginx_streams.html

[newsense]

I've highligted it for you :)

root@OPNsense:~ # pkg search proxy
dnscrypt-proxy2-2.1.5_6        Flexible DNS proxy with support for encrypted protocols
haproxy28-2.8.9                Reliable, high performance TCP/HTTP load balancer
igmpproxy-0.4_2,1              Multicast forwarding IGMP proxy
os-OPNProxy-1.0.5_1            OPNsense proxy additions
os-OPNProxy-devel-1.0.5_1      OPNsense proxy additions
os-dnscrypt-proxy-1.15         Flexible DNS proxy supporting DNSCrypt and DoH
os-dnscrypt-proxy-devel-1.15   Flexible DNS proxy supporting DNSCrypt and DoH
os-ftp-proxy-1.0_3             Control ftp-proxy processes
os-ftp-proxy-devel-1.0_3       Control ftp-proxy processes
os-haproxy-4.3_1               Reliable, high performance TCP/HTTP load balancer
os-haproxy-devel-4.3_1         Reliable, high performance TCP/HTTP load balancer
os-igmp-proxy-1.5_2            IGMP-Proxy Service
os-igmp-proxy-devel-1.5_2      IGMP-Proxy Service
os-radsecproxy-1.0_2           RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
os-radsecproxy-devel-1.0_2     RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
os-web-proxy-sso-2.2_3         Kerberos authentication module
os-web-proxy-sso-devel-2.2_3   Kerberos authentication module
os-zabbix5-proxy-1.10_1        Zabbix monitoring proxy
os-zabbix5-proxy-devel-1.10_1  Zabbix monitoring proxy
os-zabbix6-proxy-1.10_1        Zabbix monitoring proxy
os-zabbix6-proxy-devel-1.10_1  Zabbix monitoring proxy
os-zabbix64-proxy-1.10_1       Zabbix monitoring proxy
os-zabbix64-proxy-devel-1.10_1 Zabbix monitoring proxy
py311-haproxy-cli-0.6.1        Tool to interact with HAProxy
radsecproxy-1.9.2_1            Generic RADIUS proxy
sslproxy-0.9.5,1               Transparent and scalable SSL/TLS interception
zabbix5-proxy-5.0.42           Enterprise-class open source distributed monitoring (proxy) LTS
zabbix6-proxy-6.0.30           Enterprise-class open source distributed monitoring (proxy)
zabbix64-proxy-6.4.15          Enterprise-class open source distributed monitoring (proxy)
root@OPNsense:~ #
root@OPNsense:~ # opnsense-version
OPNsense 24.1.9_1
root@OPNsense:~ #

[janiswolf]

Hi

I'm also looking for a solution to this problem.

Synology Drive uses TCP Port 6690 (which cannot be changed). And with two NAS's I cannot access both systems.

Did you manage to find a solution that work for you?

[ludarkstar99]

Hi janiswolf.
you can publish different external ports with NAT.

external_address:1066 --> internal_nas1:6690
external_address:1090 --> internal_nas2:6690

[janiswolf]

Hi janiswolf.
you can publish different external ports with NAT.

external_address:1066 --> internal_nas1:6690
external_address:1090 --> internal_nas2:6690

that would work, but synology does not allow me to change the port (client and server side) :-(

[Monviech (Cedrik)]

You can use Caddy as layer 4 proxy to do all kinds of shenanigans:

https://docs.opnsense.org/manual/how-tos/caddy.html#tls-sni-multiplexing-on-https-port

[meyergru]

Port 6690 is a pure TCP port for a Synology-specific cloud service, not HTTP(S).

So you are out of luck for using anything that acts name-based like HAproxy, Caddy and so on. While you could use a TCP reverse proxy, that can only be used to change the source port. If the clients cannot make use of another port, you are at an end here, because the only thing that differentiates two devices then is their IP address.

The only way to expose both devices over an internet connection with only one public IP is a VPN, e.g. wireguard.
In that case, you can access both devices by their respective IPs, using the same port.

[janiswolf]

Port 6690 is a pure TCP port for a Synology-specific cloud service, not HTTP(S).

So you are out of luck for using anything that acts name-based like HAproxy, Caddy and so on. While you could use a TCP reverse proxy, that can only be used to change the source port. If the clients cannot make use of another port, you are at an end here, because the only thing that differentiates two devices then is their IP address.

The only way to expose both devices over an internet connection with only one public IP is a VPN, e.g. wireguard.
In that case, you can access both devices by their respective IPs, using the same port.

Thanks, that confirms what I already thought. 😅
I hope Synology let's me change the port somehow. Thanks for the advice! VPN might be the solution.