Reverse proxy for multiple web servers on DDWRT Lan with VPN

atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Sat Feb 04, 2023 18:29    Post subject: Reverse proxy for multiple web servers on DDWRT Lan with VPN
I have a rather complicated setup, and I am about to make it even more complicated, so please bear with me.

I am successfully tunneling a Raspberry Pi LEMP web/email server through a cloud Wireguard server in order to obtain an IP address that allows me to set PTR records (from my cloud instance). My current configuration is Internet>Vultr_Cloud_Instance_VPN_server>DDWRT_Router>Raspberry_PI_web_server/vpn_client

My Pi web server successfully tunnels all web and email traffic through Wireguard (as a wireguard client), onto the VPN Cloud Server, and successfully obtains the IP address of the cloud instance. The Ubuntu cloud instance is properly configured to forward nginx and postfix ports back to the attached wireguard client (the Pi Web Server). This setup works flawlessly, and my Pi Web Server uses the public IP address of the Ubuntu cloud instance.

Now I want to attach another web server to my openwrt router while using only one public IP Address from my VPN Cloud Server (as well as only one private vpn ip address), so that my configuration looks like this:

DDWRT Router
Local IP: 192.168.1.1
Public IP as Wireguard Client: 123.456.789.10
Private Wireguard IP (as wg client): 10.10.10.2

Pi Web Server 1
Local IP: 192.168.1.2
Public IP: 123.456.789.10
SERVED URLs: www.example1.com

Pi Web Server 2
Local IP: 192.168.1.3
Public IP: 123.456.789.10
SERVED URLs: www.example2.com

Ubuntu Cloud Instance
Wireguard IP: 10.10.10.1
Public IP: 123.456.789.10


Essentially, what I want to do is for my Wireguard Cloud Server instance's public IP address to be shared across multiple Pi web/email servers on the LAN, by using a reverse proxy of some sort (I think this would be the way to do it?).

STEP 1 (in theory):
Theoretically, I believe I can accomplish the FIRST STEP, by making my DDWRT Router connect to my Wireguard VPN Cloud instance (the VPN Server), as a VPN client. Great! However, I only want my Web Servers on the DDWRT router LAN to send and receive all traffic through the tunnel. Then I want any other devices on the router to use my default home IP address. So for STEP 1, I need help and advice on how to create a split tunnel on DDWRT Wireguard so that "Pi Web Server 1" and "Pi Web Server 2" both have the IP address of the VPN Tunnel and the public IP address of the VPN Cloud Server. The rest of the connected devices would use my home IP address. How would I configure this exactly? Any help or recommended configuration settings for split traffic would be great.

STEP 2 (in theory):
I believe I need to use a reverse proxy of some sort on the OpenWRT Router that redirects requests to www.example1.com to 192.168.1.2 (web server #1) on the LAN. Then I need to also set up that proxy to redirect requests to www.example2.com to 192.168.1.3 (web server #2) on the LAN. However, I am not very familiar with reverse proxies aside from nginx. And at that, I still wouldn't know how to configure an Nginx virtual host to redirect traffic to a LAN IP address. If you recommend Nginx to accomplish this, could you also provide some directions and example configuration files that would redirect requests to their corresponding servers on my LAN (when also factoring in the split VPN tunnel)?

If Nginx on my router isn't the answer, I have read mentions of HAProxy and Squid (I don't even know what that is). Could you please advise me if using HAProxy or Squid (or even something else) would be recommended, and if so, how would you go about setting this up to obtain the desired results? Could you please provide example config files and whatnot?

Any other thoughts or suggestions are much appreciated. A detailed answer with example configuration settings and config files would be hugely appreciated as well.

Thanks for the help!

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)"
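As an added example (not from the thread), this is the kind of step-2 proxy the post asks for: nginx on the DD-WRT router (assumed installed via Entware with the http and stream/ssl_preread modules) splitting the one public IP by hostname. It assumes the cloud instance forwards ports 80 and 443 to the router's WireGuard address 10.10.10.2, that the router firewall allows those ports on the tunnel, and that each Pi keeps terminating TLS for its own domain; the addresses and hostnames are the ones from the post.

```nginx
# Added example, not from the thread. Listens only on the WireGuard address so the
# proxy is reachable solely through the tunnel, and never forwards unknown hostnames.
events {}

http {
    # Requests for any name other than the two below are closed, not forwarded.
    server {
        listen 10.10.10.2:80 default_server;
        server_name _;
        return 444;
    }

    server {
        listen 10.10.10.2:80;
        server_name www.example1.com;
        location / {
            proxy_pass http://192.168.1.2;
            proxy_set_header Host $host;               # keep the vhost name for the Pi's nginx
            proxy_set_header X-Real-IP $remote_addr;   # visitor IP as seen over the tunnel
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 10.10.10.2:80;
        server_name www.example2.com;
        location / {
            proxy_pass http://192.168.1.3;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

# HTTPS is routed on the TLS SNI name without decrypting, so certificates stay on the Pis.
stream {
    map $ssl_preread_server_name $tls_backend {
        www.example1.com 192.168.1.2:443;
        www.example2.com 192.168.1.3:443;
        default          127.0.0.1:1;   # nothing listens there: unknown SNI names fail to connect
    }

    server {
        listen 10.10.10.2:443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}
```

This splits HTTP and HTTPS only: plain SMTP on port 25 carries no hostname at connection time, so inbound mail on that public IP can still only be forwarded to one of the Pis.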
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Feb 04, 2023 20:28    Post subject:
About step 1:

Your setup where a server has traffic routed to a client is what is known as a site-to-site setup.
Basically you do not NAT the client, open up the firewall of the client and set the client's subnet in the allowed IPs of the server (so that the server knows the route to the client).
It is described in detail in the WireGuard Advanced Setup guide.
That way you only need a port forward on the server.

When you only want to route certain sources/destinations via the tunnel that is called Policy Based Routing.
Described in the WireGuard Client setup guide.
Basically choose "Route Selected sources via VPN" and in Sources for PBR add:
192.168.1.2, 192.168.1.3
This will only route those two clients via the VPN.

WireGuard docs are a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

About step 2: I actually have compiled nginx into my build (but not used it yet), but that will not make it to the public build. You can add it to the router via Entware; you can also install Squid via Entware and probably also HAProxy:
https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087