Best strategy for remote access.

Started by Shoog, January 07, 2025, 02:04:00 PM

Hi all,
I have managed to get my OPNSENSE router up and running. So far I have a flat LAN network and I have managed to route all my LAN traffic over the WAN via a PIA VPN tunnel. All is working and when I do a check on my IP address it shows my fixed PIA IP address rather than my ISP-assigned variable IP address. Strangely enough it still shows my PIA address when I am nominally not using the tunnel, just the plain ISP WAN.

I had hoped I would just be able to open a port on the router and access from outside using this - but PIA only offer a randomly assigned single port which is not generated by the standard PIA automation script. So simple port forwarding seems out of the question and my attempts to do this confirm that it's not possible through the PIA tunnel. So I was thinking to set up a separate OpenVPN server on the router and access through this. However since I don't seem to be able to get the plain variable ISP WAN address via DDNS I am at a bit of a dead end as I need this to create the OpenVPN tunnel.

Unfortunately my grasp of the fundamentals is slight and mixing the PIA tunnel along with an OpenVPN server on my router is complicating the setup. Anyone care to point me in the direction of some good technical guides which will broaden my understanding, or suggest that I am on the right or wrong track with this strategy.

Stephen

I use Tailscale for seamless remote access from anywhere on pretty much any device.

On OPNsense go System: Firmware: Plugins and install the os-tailscale plugin.

https://sheridancomputers.co.uk/blog/view/videos/tailscale-sheridan-computers-enhances-opnsense-with-native-tailscale-plugin


Hi,
I have considered both zerotier and tailscale but want to try to get this working in the more conventional way if I can.
I managed to establish a port forward across my router by using the WAN_address alias to form a port forwarding NAT rule. I was able to access the current IP address from the OPNSENSE router and this allowed me to test and confirm that the port forwarding was working through my mobile phone network. Of course that's only a small step since eventually the ISP IP will change.
I worked on getting DuckDNS running but even though I set up the client on OPNSENSE with WAN as the target - it still only gets the PIA tunnel IP address. I will carry on researching if there is a way to enforce the WAN gateway for DuckDNS.

Stephen

Update on what got things working.
I set up the DUCKDNS domain and client on my OPNSENSE router, I entered all the details required for the client but it wasn't talking to the Duckdns server. I did a bit of digging and discovered the magic combination of settings which bypassed my PIA tunnel were: set interface to WAN on the client and set tracking by interface (IPv4). This still didn't work initially but after checking the setting I discovered that I needed to set the backend in general settings to ddclient rather than default. This instantly got things working.
Last thing will be to set up an NGINX reverse proxy and the job is done.

Steep learning curve but ultimately very nice feature set in OPNSENSE.

January 12, 2025, 03:49:34 PM #5 Last Edit: January 12, 2025, 05:17:44 PM by Shoog
I have Nginx loaded and working with LetsEncrypt running with the ACME addon.
I have Nginx accepting requests on my duckdns.org domain and by appending a "/service" to the domain Nginx splits the traffic off to my three different local servers:

/filebrowser
/OMV
/homeassistant

I know this is working so far because I get the bootstrap loading page for filebrowser, and error messages generated from the other two servers. The filebrowser is what I am focusing on so far and it never gets past the bootstrap loader and onto the login page. It seems from the error logs that Nginx is asking for files from the Filebrowser server webpage which are never delivered. It's not simply forwarding on the traffic as I would have expected. The OPNsense Nginx addon adds a whole load of parameters which without detailed knowledge of Nginx are simply confusing my understanding of basic Nginx functionality. Additionally I am able to use curl to access the raw html file on the servers via the domain + "/filebrowser" which further confirms that I am getting through to the servers.

All the tutorials for the OPNsense Nginx addon only seem to use a simple one-to-one proxy using "/" as the URL pattern and it seems that there is very little detailed information on the use of this addon since most people seem to opt for CADDY or HAproxy. I am tantalizingly close but my knowledge is simply too slight to crack the last hurdle.

UPDATE: Life is too short for this crap so I have abandoned all effort to get Nginx working and am going to try with CADDY.

So I managed to get a Caddy reverse proxy to my Filebrowser server up and running in less than 10 mins and am testing it now by downloading a large file.
Not finished yet since I still want to serve at least one other service from the same domain.
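Serving several services from one domain by path prefix, as an added Caddy v2 example that is not from any post in this thread. The hostname and the LAN addresses and ports are constructed placeholders; it also shows why the path-based Nginx attempt above stalled on the loader page: once the prefix is stripped, an app that emits absolute asset links ("/static/app.js") makes the browser fetch paths the proxy has no route for, so the app has to be told its base path.

```caddyfile
# Constructed example: hostname and LAN addresses are placeholders.
example.duckdns.org {
    # Caddy obtains and renews a Let's Encrypt certificate for this name
    # automatically; TCP 80 and 443 must be forwarded from the WAN to this host.

    # handle_path strips the matched prefix before proxying, so the backend
    # receives "/" for a request to "/filebrowser/". The backend must be
    # configured with the same base path, otherwise the absolute links in its
    # HTML point at "/static/..." on the proxy and match no route here.
    handle_path /filebrowser/* {
        reverse_proxy 192.168.1.10:8080
    }

    handle_path /omv/* {
        reverse_proxy 192.168.1.11:80
    }

    # handle (without _path) keeps the prefix, for an app that has been told to
    # serve under /homeassistant itself rather than at "/".
    handle /homeassistant/* {
        reverse_proxy 192.168.1.12:8123
    }

    # Anything that matches no prefix gets a 404 instead of falling through
    # to a backend, so a bare hostname exposes nothing.
    handle {
        respond "not found" 404
    }
}
```

Test each prefix with curl from outside the LAN first, then in a browser: a 404 for the bare hostname and a complete login page (not only the loader) under each prefix shows both the proxy and the backend base path are right.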