atomicamp DD-WRT User
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sat Feb 04, 2023 18:29 Post subject: Reverse proxy for multiple web servers on DDWRT Lan with VPN
I have a rather complicated setup, and I am about to make it even more complicated, so please bear with me.
I am successfully tunneling a Raspberry Pi LEMP web/email server through a cloud WireGuard server in order to obtain an IP address that allows me to set PTR records (from my cloud instance). My current configuration is Internet > Vultr_Cloud_Instance_VPN_server > DDWRT_Router > Raspberry_PI_web_server/vpn_client.
My Pi web server successfully tunnels all web and email traffic through WireGuard (as a WireGuard client) to the VPN cloud server, and successfully obtains the IP address of the cloud instance. The Ubuntu cloud instance is properly configured to forward the nginx and postfix ports back to the attached WireGuard client (the Pi web server). This setup works flawlessly, and my Pi web server uses the public IP address of the Ubuntu cloud instance.
Now I want to attach another web server to my openwrt router while using only one public IP address from my VPN cloud server (as well as only one private VPN IP address), so that my configuration looks like this:
DDWRT Router
Local IP: 192.168.1.1
Public IP as Wireguard Client: 123.456.789.10
Private Wireguard IP (as wg client): 10.10.10.2
Pi Web Server 1
Local IP: 192.168.1.2
Public IP: 123.456.789.10
Served URLs: www.example1.com
Pi Web Server 2
Local IP: 192.168.1.3
Public IP: 123.456.789.10
Served URLs: www.example2.com
Ubuntu Cloud Instance
Wireguard IP: 10.10.10.1
Public IP: 123.456.789.10
Essentially, what I want to do is share my WireGuard cloud server instance's public IP address across multiple Pi web/email servers on the LAN, by using a reverse proxy of some sort (I think this would be the way to do it?).
STEP 1 (in theory):
Theoretically, I believe I can accomplish the first step by making my DDWRT router connect to my WireGuard VPN cloud instance (the VPN server) as a VPN client. Great! However, I only want the web servers on the DDWRT router's LAN to send and receive all traffic through the tunnel; any other devices on the router should use my default home IP address. So for STEP 1, I need help and advice on how to create a split tunnel on DDWRT WireGuard so that "Pi Web Server 1" and "Pi Web Server 2" both have the IP address of the VPN tunnel and the public IP address of the VPN cloud server, while the rest of the connected devices use my home IP address. How would I configure this exactly? Any help or recommended configuration settings for split traffic would be great.
STEP 2 (in theory):
I believe I need to use a reverse proxy of some sort on the OpenWRT router that redirects requests for www.example1.com to 192.168.1.2 (web server #1) on the LAN. Then I also need to set up that proxy to redirect requests for www.example2.com to 192.168.1.3 (web server #2) on the LAN. However, I am not very familiar with reverse proxies aside from nginx, and even then I wouldn't know how to configure an nginx virtual host to redirect traffic to a LAN IP address. If you recommend nginx to accomplish this, could you also provide some directions and example configuration files that would redirect requests to their corresponding servers on my LAN (while also factoring in the split VPN tunnel)?
If nginx on my router isn't the answer, I have read mentions of HAProxy and Squid (I don't even know what that is). Could you please advise me whether using HAProxy or Squid (or even something else) would be recommended, and if so, how would you go about setting this up to obtain the desired results? Could you please provide example config files and whatnot?
Any other thoughts or suggestions are much appreciated. A detailed answer with example configuration settings and config files would be hugely appreciated as well.
Thanks for the help! _________________ DanRanRocks - Tech Tutorials by Dan Ran
https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase
Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)"
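The step-2 part of the question (one public address, two name-based backends on the LAN) can be met with a small nginx reverse proxy on the router. The script below is an added example, not from the original post or from anything egc provides: it writes an nginx.conf that routes port 80 by Host header and passes port 443 through by SNI, so each Pi keeps its own certificate and key. Assumed, not stated in the thread: Entware is installed under /opt, its nginx reads /opt/etc/nginx/nginx.conf, the package is called nginx-ssl with an init script at /opt/etc/init.d/S80nginx, and the build includes ngx_stream_module. The addresses and hostnames are the ones in the post's plan.

```shell
#!/bin/sh
# Added example (not from the post): name-based reverse proxy on the DD-WRT
# router using the Entware nginx package. Assumed, not stated in the thread:
# Entware lives under /opt, nginx reads /opt/etc/nginx/nginx.conf, and the
# package name and init script (nginx-ssl, /opt/etc/init.d/S80nginx) are the
# Entware defaults. IPs and hostnames come from the post's addressing plan.
set -e

# The router's own WireGuard address. nginx binds to it only: the DD-WRT web
# GUI already owns port 80 on the LAN address, and LAN clients have no reason
# to reach the proxy from the inside.
WG_ADDR=10.10.10.2

# Host -> backend map (one "name=ip" per line).
BACKENDS="www.example1.com=192.168.1.2
www.example2.com=192.168.1.3"

# Write nginx.conf into the directory given as $1 (default /opt/etc/nginx)
# and print its path. Port 80 is proxied by Host header; port 443 is passed
# through untouched and steered by SNI (needs a build with ngx_stream_module).
gen_nginx_conf() {
    dir="${1:-/opt/etc/nginx}"
    mkdir -p "$dir"
    {
        cat <<EOF
worker_processes 1;
events { worker_connections 256; }

http {
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;

    # Unknown Host header: close the connection instead of guessing a backend.
    server {
        listen $WG_ADDR:80 default_server;
        return 444;
    }
EOF
        echo "$BACKENDS" | while IFS='=' read -r host ip; do
            [ -n "$host" ] || continue
            cat <<EOF
    server {
        listen $WG_ADDR:80;
        server_name $host;
        location / { proxy_pass http://$ip:80; }
    }
EOF
        done
        cat <<EOF
}

stream {
    map \$ssl_preread_server_name \$backend {
EOF
        echo "$BACKENDS" | while IFS='=' read -r host ip; do
            [ -n "$host" ] || continue
            printf '        %-20s %s:443;\n' "$host" "$ip"
        done
        cat <<EOF
        default 127.0.0.1:9;   # unknown SNI: hand it to a closed port
    }
    server {
        listen $WG_ADDR:443;
        ssl_preread on;
        proxy_pass \$backend;
    }
}
EOF
    } > "$dir/nginx.conf"
    echo "$dir/nginx.conf"
}

# Only touch the router when invoked as "sh proxy.sh apply".
case "${1:-}" in
    apply)
        opkg install nginx-ssl
        conf=$(gen_nginx_conf)
        nginx -t -c "$conf"              # syntax check before restarting
        /opt/etc/init.d/S80nginx restart
        ;;
esac
```

Two consequences of the pass-through choice on 443: the Pis see 192.168.1.1 as the client for HTTPS connections (no X-Forwarded-For can be injected into a TLS stream the proxy does not terminate), and Let's Encrypt HTTP-01 renewals on the Pis keep working because port 80 is forwarded by Host. The `return 444` default server and the closed-port default in the SNI map make sure a request for a name that is not in the map is dropped rather than handed to whichever backend happens to be first.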
egc DD-WRT Guru
Joined: 18 Mar 2014 Posts: 12838 Location: Netherlands
Posted: Sat Feb 04, 2023 20:28
About step 1:
Your setup, where a server has traffic routed to a client, is what is known as a site-to-site setup.
Basically you do not NAT the client, open up the firewall of the client, and set the client's subnet in the Allowed IPs of the server (so that the server knows the route to the client).
It is described in detail in the WireGuard Advanced Setup guide.
That way you only need a port forward on the server.
When you only want to route certain sources/destinations via the tunnel that is called Policy Based Routing.
Described in the WireGuard Client setup guide.
Basically choose "Route Selected sources via VPN" and in Sources for PBR add:
192.168.1.2, 192.168.1.3
This will only route those two clients via the VPN.
WireGuard docs are a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
About step 2: I actually have nginx compiled into my build (but have not used it yet). That will not make it into the public build, but you can add it to the router via Entware. You can also install Squid via Entware, and probably HAProxy as well:
https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
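The cloud-side half of what egc describes (client subnet in the server's Allowed IPs, a port forward on the server, and the web servers policy-routed through the tunnel) is shown below as an added example; it is not from egc's reply, the WireGuard guides, or the original poster's existing configuration. Assumed, not stated in the thread: the Ubuntu host's interface names (wg0 for the tunnel, eth0 for the public side), that the reverse proxy listens on the router's tunnel address 10.10.10.2, and that mail is handled by Pi 1. The script prints a complete wg0.conf whose PostUp/PostDown lines carry the iptables rules.

```shell
#!/bin/sh
# Added example (not from the thread): cloud-side WireGuard server config for
# the site-to-site plus port-forward arrangement egc describes. Assumed, not
# stated in the thread: wg0/eth0 interface names on the Ubuntu host, the
# reverse proxy on the router's tunnel address, and mail served by Pi 1.
set -e

WAN_IF=eth0
ROUTER_WG=10.10.10.2          # DD-WRT router as WireGuard peer
LAN_NET=192.168.1.0/24        # the router's LAN, reachable through that peer
MAIL_PI=192.168.1.2           # Pi Web Server 1 (also runs postfix)

# Print the iptables commands for PostUp ($1 = -A) or PostDown ($1 = -D),
# joined by "; " on one line, which is the form wg-quick expects.
fw_rules() {
    op="$1"
    # Web: forward to the proxy on the router. The router itself is not policy
    # routed through the tunnel (only 192.168.1.2/.3 are), so SNAT these flows
    # to the server's tunnel address; replies then return over wg0 regardless
    # of the router's default route. Cost: the proxy sees 10.10.10.1, not the
    # real client. If the DD-WRT client setup already routes the router's own
    # replies from 10.10.10.2 back into the tunnel, drop the SNAT rule.
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp -m multiport --dports 80,443 -j DNAT --to-destination %s; ' "$op" "$WAN_IF" "$ROUTER_WG"
    printf 'iptables -t nat %s POSTROUTING -o wg0 -d %s -p tcp -m multiport --dports 80,443 -j SNAT --to-source 10.10.10.1; ' "$op" "$ROUTER_WG"
    # Mail: forward straight to the Pi with no SNAT. The Pi is policy routed
    # through the tunnel, so replies come back this way and postfix keeps the
    # real client address for logging and DNSBL checks.
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp -m multiport --dports 25,587,993 -j DNAT --to-destination %s; ' "$op" "$WAN_IF" "$MAIL_PI"
    # Forwarding policy: only DNATed flows may enter the tunnel from the
    # internet; anything from the tunnel may leave; replies are allowed.
    printf 'iptables %s FORWARD -i %s -o wg0 -m conntrack --ctstate DNAT -j ACCEPT; ' "$op" "$WAN_IF"
    printf 'iptables %s FORWARD -i wg0 -o %s -j ACCEPT; ' "$op" "$WAN_IF"
    printf 'iptables %s FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; ' "$op"
    # Outbound traffic from the Pis leaves with the cloud instance's public IP.
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE' "$op" "$LAN_NET" "$WAN_IF"
}

# Print a complete wg0.conf. $1 = server private key, $2 = router public key.
gen_wg_conf() {
    cat <<EOF
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = $1
PostUp = $(fw_rules -A)
PostDown = $(fw_rules -D)

[Peer]
# DD-WRT router. AllowedIPs lists the tunnel address and the LAN behind it:
# that installs the route to 192.168.1.0/24 and also lets packets with those
# source addresses in (WireGuard drops anything outside AllowedIPs).
PublicKey = $2
AllowedIPs = $ROUTER_WG/32, $LAN_NET
EOF
}

# "sh wg-server.sh apply <router-public-key>" writes the file and brings wg0 up.
case "${1:-}" in
    apply)
        umask 077
        [ -f /etc/wireguard/server.key ] || wg genkey > /etc/wireguard/server.key
        gen_wg_conf "$(cat /etc/wireguard/server.key)" "$2" > /etc/wireguard/wg0.conf
        sysctl -w net.ipv4.ip_forward=1
        systemctl enable --now wg-quick@wg0
        ;;
esac
```

On the router side this pairs with what egc lists: 192.168.1.2 and 192.168.1.3 as PBR sources, no NAT on the tunnel interface (otherwise the SMTP replies would arrive at the server from 10.10.10.2 and the DNAT conntrack entry would not match), and the router firewall opened for the forwarded ports from the tunnel into the LAN. The `--ctstate DNAT` match on FORWARD is what keeps the rest of the tunnel closed to unsolicited inbound traffic from the internet.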