VLAN DMZ for website server (ubuntu server) or any other way of doing it?

Started by flamur, October 25, 2025, 11:00:51 PM

Quote from: meyergru on November 09, 2025, 05:07:11 PM
With Cloudflare, there are no ports to be opened, since the whole Cloudflare connection is going inside out - Cloudflare provides a client to connect to their servers and then use this tunnel to direct traffic to your internal network and services.

First time I hear of this. That is not how any of my customers use Cloudflare. And quite some of them do. Yet they always point the CDN to some public IP address where the service in question is finally hosted.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You can use a cloudflared tunnel and connect to that. It is nice when you only have CG-NAT, because then, you cannot point Cloudflare to anything, sometimes not even to an IPv6 address. Plus, you do not need a router/firewall that can open ports at all. It is also robust against any port-scanning (because none is open).

Cloudflare takes care of basic protection and TLS certificates - and also, you do not need any dynamic DNS in order to find your real IP (also because of the reverse direction of the connection initiation).

Looks like this in Cloudflare: (screenshot attachment, not included here)

They have a new variant (Warp), but I have not tried that.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Ok sorry to spam this forum. I AM HAPPY AS A CHILD ON CHRISTMAS!

I set up cloudflared on my TrueNAS. Put it behind my firewall. And after some headaches I can now reach it with a domain name from a computer elsewhere. Perhaps not the most secure setup for the future, just want to get it started to reach it to keep configuring nginx etc.

But cloudflare tunnel is really nice. And I don't need any ports. Not sure how it works that the firewall allows this traffic since it should block everything - but I hope this is supposed to work like this.

If I understand the guides correctly I can set up all my traffic through cloudflare for nextcloud, nginx and plex using this method. No ports needed and my IP is "hidden" for the outside world which seems really neat.

To think they give this for free is so nice, and your help guiding in this is soo soo appreciated you can't believe it! :) Sorry there is no like button or something.

The quest continues to make this work for my website server... still have not got my head around that next step. Since it's another interface and server, which does not have this neat cloudflared app installed 🤔🤷‍♂️ Is it just for me to use nginx as I did before perhaps and add some firewall rule to allow traffic between the interfaces/subnets? 🤔

What exactly are you exposing to the world via a domain name? Don't do this with the TrueNAS UI or the file sharing services. These are not hardened and will get hacked sooner than you might think.

You can safely expose a hardened Internet safe application in a VM via cloudflare like this. Or an app on TrueNAS that is supposed to be run that way, like e.g. Nextcloud.

Don't ever open your TrueNAS itself to the world. Please.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I already warned against exposing unhardened web UIs in post #5, I think.

As for the setup: It is almost surely not what I suggested. You talked about an application behind an nginx reverse proxy that runs on a VM under TrueNAS on a DMZ network and I meant to have the cloudflare tunnel running on that same DMZ VM. Now it seems you are running the cloudflared on TrueNAS itself, which has access to your LAN (or so I presume).

As Patrick says, anyone who can use the Cloudflare endpoint can try to hack the connected application(s) behind the tunnel.
This is just as insecure as opening a port on the firewall itself. The only benefit is that Cloudflare first takes attack attempts before they hit you. However, it does little more than any other reverse proxy would do. When you open up a web app, you open it up to essentially anything.

If these apps are running in your LAN and not in an isolated DMZ, it can be problematic. You will have to take special care to not expose unhardened apps. Nextcloud should be fine, however, if there ever was a vulnerability, I would still like to have it in my DMZ if possible.

That being said, you do not need anything like this in order to expose Plex - it has its own means (i.e. tunnel) to enable remote access.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Patrick M. Hausen on November 10, 2025, 07:24:49 PM
What exactly are you exposing to the world via a domain name? Don't do this with the TrueNAS UI or the file sharing services. These are not hardened and will get hacked sooner than you might think.

You can safely expose a hardened Internet safe application in a VM via cloudflare like this. Or an app on TrueNAS that is supposed to be run that way, like e.g. Nextcloud.

Don't ever open your TrueNAS itself to the world. Please.

Oh no. It was the GUI of the TrueNAS.

Back to the drawing board 😞

I don't get how to make this work and be safe.

Can I use the tunnel for nginx proxy manager and nextcloud app in my truenas scale server? 🤔

I still can't understand how I will get the website server to get internet access and traffic directed to it behind my firewall with OPNsense. What am I missing in this?

Quote from: flamur on November 10, 2025, 09:30:24 PM
Can I use the tunnel for nginx proxy manager and nextcloud app in my truenas scale server?

Of course. That is the idea.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on November 10, 2025, 07:34:57 PM
I already warned against exposing unhardened web UIs in post #5, I think.

As for the setup: It is almost surely not what I suggested. You talked about an application behind an nginx reverse proxy that runs on a VM under TrueNAS on a DMZ network and I meant to have the cloudflare tunnel running on that same DMZ VM. Now it seems you are running the cloudflared on TrueNAS itself, which has access to your LAN (or so I presume).

As Patrick says, anyone who can use the Cloudflare endpoint can try to hack the connected application(s) behind the tunnel.
This is just as insecure as opening a port on the firewall itself. The only benefit is that Cloudflare first takes attack attempts before they hit you. However, it does little more than any other reverse proxy would do. When you open up a web app, you open it up to essentially anything.

If these apps are running in your LAN and not in an isolated DMZ, it can be problematic. You will have to take special care to not expose unhardened apps. Nextcloud should be fine, however, if there ever was a vulnerability, I would still like to have it in my DMZ if possible.

That being said, you do not need anything like this in order to expose Plex - it has its own means (i.e. tunnel) to enable remote access.


I thought the cloudflared tunnel app would be the road in to my network. Misunderstood what you meant.

My TrueNAS is within its own interface and subnet with firewall rules to only allow DNS and internet out. All other internal networks are blocked. So I guess this is a DMZ 🤷‍♂️

The same setup has been made for my website server.

But I can't figure out how to direct traffic from WAN to my two servers. Mainly a problem since I use different domains for my apps: nextcloud.mydomain.com, www.mydomain.com (would be my website server).

That's where I thought I should use nginx proxy manager. This worked well with my Asus router and just port forwarding some ports. This is another level... however thus far fun to learn. Even if I make some stupid errors as with the exposure of the TrueNAS GUI 😬 (thanks for correcting that! 🙏🏼)

No, think about how the traffic is passing. Draw a picture if you need to.

The correct steps are:

1. Create a VM in your TrueNAS server that is connected to a TN VLAN interface only (the DMZ interface).
2. Create that DMZ VLAN in your OpnSense as well and isolate it from your normal LAN. Give it internet access.
3. Install your nginx reverse proxy and your application on this VM.
4. Install the cloudflare client in the same VM and connect that to the Cloudflare console endpoint.

That way, someone who connects to your Cloudflare endpoint is tunneled through to your VM and your VM only. Should your application get hacked, he is still only within the DMZ, without any chance to break into your LAN.

That would be the case if the cloudflare client is installed on any machine (VM or physical) that is in your LAN, like if you install it on TN itself.

And just to be clear: OpnSense has (nearly) no saying in this - apart from that it allows the VM to access the internet (and Cloudflare's cloud alongside) and that it isolates your LAN from your DMZ. What it does not do is regulate the traffic that is passing to Cloudflare's endpoint or what goes through the Cloudflare tunnel. Since that traffic is encrypted, it just passes by virtue of you allowing internet traffic from the DMZ VM in step 2 and this tunnel being used in the other direction.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
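The "different domains" question raised earlier in the thread (nextcloud.mydomain.com and www.mydomain.com behind one tunnel) maps onto cloudflared's ingress rules on the DMZ VM from step 4. This is an added example, not a config from this thread or from Cloudflare's documentation; the tunnel UUID and credentials path are placeholders, and it assumes the nginx reverse proxy from step 3 listens on port 80 on the same VM and selects the backend by server_name:

```yaml
# /etc/cloudflared/config.yml on the DMZ VM (added example, placeholder values)
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Rules are matched top to bottom. Both public hostnames are handed to the
  # nginx reverse proxy on this same VM, which dispatches by server_name, so
  # the tunnel never points at anything outside the DMZ.
  - hostname: nextcloud.mydomain.com
    service: http://localhost:80
  - hostname: www.mydomain.com
    service: http://localhost:80
  # Mandatory catch-all (last rule, no hostname): any other hostname routed
  # to this tunnel gets a 404 from cloudflared and never reaches nginx.
  - service: http_status:404
```

Because cloudflared connects outbound, the only OPNsense rule this needs is the DMZ-to-internet allow from step 2; no WAN port is opened, and the DMZ-to-LAN block stays in force regardless of what the tunnel carries.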

Quote from: Patrick M. Hausen on November 10, 2025, 09:32:33 PM
Quote from: flamur on November 10, 2025, 09:30:24 PM
Can I use the tunnel for nginx proxy manager and nextcloud app in my truenas scale server?

Of course. That is the idea.

aha! Thanks for clarifying 🙂

I will give this some sleep and try to find some guide on nginx behind opnsense before posting more here.

It has to be something on google 😇

Sorry for all the posts. I think this is fun but so many details and I don't want any obvious holes in the security. So slow and steady.

Quote from: meyergru on November 10, 2025, 09:41:36 PM
No, think about how the traffic is passing. Draw a picture if you need to.

The correct steps are:

1. Create a VM in your TrueNAS server that is connected to a TN VLAN interface only (the DMZ interface).
2. Create that DMZ VLAN in your OpnSense as well and isolate it from your normal LAN. Give it internet access.
3. Install your nginx reverse proxy and your application on this VM.
4. Install the cloudflare client in the same VM and connect that to the Cloudflare console endpoint.

That way, someone who connects to your Cloudflare endpoint is tunneled through to your VM and your VM only. Should your application get hacked, he is still only within the DMZ, without any chance to break into your LAN.

That would be the case if the cloudflare client is installed on any machine (VM or physical) that is in your LAN, like if you install it on TN itself.

And just to be clear: OpnSense has (nearly) no saying in this - apart from that it allows the VM to access the internet (and Cloudflare's cloud alongside) and that it isolates your LAN from your DMZ.


Oh my. I missed the VM detail, thought it was optional.

Thanks for the clear instructions.

How much computer capacity does that VM need?

Does your OPNsense have a public IP address? You might want to consider Caddy on OPNsense instead of NginX proxy manager to do SSL termination and reverse proxying to your Nextcloud app. That's how I run almost everything here.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: flamur on November 10, 2025, 09:47:09 PM
How much computer capacity does that VM need?

2 GB of memory, 1 CPU core.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

In networking, every detail matters. That is why I try to be this exact. IDK, it depends on what your application needs. The nginx proxy and the cloudflare client do not need much. I would guess 4 GByte of RAM and 2 CPU cores would suffice for a standard Linux VM, you may get away with what Patrick suggests.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Please don't give up on me yet. I made another solution and want to check if it's as safe.

I have made VLANs in OPNsense for:
VLAN30: TrueNAS UI
VLAN40: TrueNAS Nginx
VLAN50: TrueNAS Cloudflared

I then make the same VLANs in TrueNAS SCALE.

On top of that I make bridges for the apps.

For example, the only firewall rule for VLAN30 (TN UI): I block everything except my LAN net to my specific TN IP and port 80 (HTTP just for now) on that VLAN (as of now testing, I will lock it down more when I am done).

If I understand this correctly I have this way segmented my network down to each app. So if someone hacks nginx they will be on their own subnet/VLAN, even bridge in TN. And in TN they are in a container/docker(?).

No traffic between except what is needed. For example Cloudflared VLAN will allow port 80/443 to talk to Nginx VLAN.

Would this be a good practice or have I totally misunderstood the assignment? I have been googling and talking to Gemini about different options and this was proposed as the most secure with most layers to segment (and hack if someone were to do that).

PS. I just tested the firewall rule. If I use my laptop on LAN and try to access the TN UI I can only get to it with the HTTP IP. If I try to use HTTPS it's blocked. If I also deactivate the rule I can't access the TN at all. So it seems the rule is working as it should. The only issue I read is that OPNsense automatically allows traffic back for each rule = not sure if it's bad practice or something to worry about?