Access services from Internet behind router

Well, there are about 130 other DNS hosts supported by acme.sh–who do you use for DNS hosting?

Sorry, re you sure you understand me well? I apologize but my English is not perfect.

I have a public web server on the internet and I bought a * .mydomain.eu certificate for it. The associated DNA is recorded by BlazeArts. I don’t want to change this unless absolutely necessary.
Nethserver runs on our physical server and on our local network. Nethserver does not work on the Internet.

I wanted to do a Let’s Encrypt certificate for Nethserver with nethserver.intranet.mydomain.eu (FDQN). But I don’t want the *. mydomain.eu certificate to change. Maybe it’s necessary?

No, certificates don’t conflict with each other, so there’s no inherent reason you couldn’t have both certificates. It may not be technically feasible to get and maintain the intranet cert for other reasons, but conflict between certs wouldn’t be the reason.

But are you saying your DNS hosting is provided by these folks?

I don’t see anything on their website about hosting anything, so can’t say whether they have a DNS update mechanism that acme.sh supports–you might want to ask their support if they can handle, e.g., nsupdate. If so (or if they can handle one of the other mechanisms listed on the acme.sh doc page here: dnsapi · acmesh-official/acme.sh Wiki · GitHub), you can use the instructions in the first link I gave, substituting the relevant credentials for the Cloudflare ones I mention.

Failing that, there are a few other options. In ascending order of technical difficulty:

  • Switch your DNS hosting (only DNS; web hosting isn’t affected) to Cloudflare. It’s free and it works well with acme.sh (and other clients as well, if you prefer). As long as you control your current DNS records, the only thing you need to do is change the NS records to point to Cloudflare.
  • On your router, forward port 53 to your Neth server and install acme-dns as described in my second link. You’ll need to make a couple of DNS entries to get it going, but it’s been working well for me for several internal hosts for a couple of years now.
    • You can also use acme-dns without installing it locally (and therefore without requiring the port forwarding) by using the author’s public acme-dns instance–just point the hook script to https://auth.acme-dns.io (which, IIRC, would mean you wouldn’t need to edit it at all). This isn’t really recommended, as it gives him the power to issue certs for your domains if he were to choose to, but a lot of people still do it.
  • If your router is something reasonably-capable like pfSense/OPNsense, you can get the cert on the router, and then use scripting to get it installed onto your Nethserver.
1 Like

Hi Dan,

you are very helpful, thank you.

No, my DNS hosting (BlazeArts Kft. or Internet CZ, a.s.) you can found it here in English language: Cost effective domains, webhosting and servers | FORPSI.COM

I haven’t Cloudflare acoount…

I rarely maintain DNA records. I also created a Let’s Encrypt certificate maybe twice for public web server but it was easy …
The solution you suggested I don’t know I have never used this. It’s not a problem to always learn new things. I learn new things every day. Now, I’m trying to understand and apply it to my circumstances, but I can’t find a solution yet.

Regards

This could be resolved at the cost of nothing more than a few minutes’ time. As to the rest, let me know what your questions are.

Hi Dan,

I am beginning to understand how the solution works.
I need to contact my DNS service to see what solution they support.

Regards

Unfortunately, my DNS provider does not support the use of the DNS API.
I will continue to use my own local CA.

Thanks and Regards

I likewise use a dedicated firewall router. I am in the process of setting up nethserver and an OPNsense firewall for my daughters new law office.

In my own business I have always used a dedicated PFsense or OPNsense firewall and used it to be the OPNvpn server. And I use SME Server (Koozali) for the fileserver (will upgrade to Nethserver with new hardware soon - after 12 years its time) I always found running the VPN from the firewall more secure and less complicated. No special configuration was required to access the file server, intranet (local in house) email, or to remote into the other office computers.

But Nethserver has so much more functionality than my antique SME Server file server I was curious if there was an advantage to using the Nethserver box as the VPN server instead? It seems inherently more insecure. But is it harder to use the outward facing functions like nextcloud and collaboration software that I only want accessed locally or via the VPN anyways?

I want to get my daughters install right the first time. She will need to be accessing files and videos from the courtroom often.

@pauldiggsjazz

Hi Paul
And Welcome to the NethServer Community!

I’m using the combination OPNsense (hardware) + NethServer (VM) + Proxmox (Hypervisor) - and for some larger clients started using PBS Proxmox Backup Server.

All my clients only run virtualized servers, something I’d strongly suggest for you. You get so much more features - not all you might need, but the bottom line is much better availability. Features like Live Backups (NethServer does it’s Backups, Proxmox does its…), but also fast Snapshots (Nice before a critical upgrade)… Sensational fast disaster recovery! Proxmox is as free as NethServer & OPNsense.

Nowadays, most people suggest using VMs for server, and I can confirm this. No Hardware dependencies! And 5 years NO issues!

Among my clients there’s also a law office using the above setup - and a Windows “Member Server” for their law “software”…

Now to your original question:

OpenVPN on OPNsense or NethServer?

I’d suggest using OpenVPN on OPNsense! Mind you, during tests I have confirmed that NethServer’s OpenVPN implementation is rock solid, but as you, My clients and I prefer that running on the gateway / firewall, and my clients also want a dedicated box for this. Maybe swiss mentality? But It works great!

NethServer profits from the - in my Opinion - best communities in OpenSource! Plenty of know-how and good will amassed here - enough to tackle almost ANY problem, not necessarily NethServer related!

And, as you, I also used SME for around 10+ years - before switching to NethServer! Never regretted the move!

I’d strongly suggest using LetsEncrypt for correct SSL, something which will give you much less headaches with Mail-Clients, but also NethServer / NextCloud. Almost anything web-available nowadays NEED SSL. Mail will often NOT work (Outlook!) with a custom certificate (Self generated incl. CA)…
Lets Encrypt is free and works well on NethServer (Or OPNsense).

My 2 cents
Andy

Thank you so much Andy,

Your prompt reply confirms all my inherent biases. :slight_smile: and assumptions. I’ve been using SME so long that I still have the dot matrix printed out Mitel Admin Guide in a binder. Likewise I have been following and testing Proxmox for ages but never found the need to implement it because my needs were so set and met with older hardware on hand and the advantage of separate appliances. Now that I am pushing 70 and preparing for retirement I want to promote the best opensource solution for my “kids” endeavors on a shoestring - and promote the inherent value of open source (FOSS). Frankly, virtualization is returning us to the days of the UNIX mainframe computer and “dumb terminals” with its ease of administration, but with the advantages of optimizing performance on modern hardware while containerizing and segregating vulnerabilities as much as can be done in software. Back to the future.

To your points:

  1. OPNvpn on OPNsense makes perfect sense for ease of configuration while minimizing vulnerabilities from software overlaps. Not a great candidate for virtualization.

  2. Proxmox as base for Nethserver. Agreed that makes a lot of sense. My only concern is administration by not tech savvy people who are running a business (law practice) and not interested in IT admin. I won’t be around to sort out their issues for long. Does it make sense for a self administered network of not tech savvy users? Simplicity and intuitive Gui is what I am striving for. (I will discuss file systems, raid levels, data redundancy, snapshots and back ups under that umbrella.)

  3. LetsEncrypt - Amen brother! Thank you for the pointers. often overlooked but proper SSL is essential to just plain working.

Thanks for your 2 cents. looking forward and grateful for your perspective.

Paul

@pauldiggsjazz

Hi Paul

  1. Virtualized OPNsense in Proxmox - not ideal, but doable, and astoundling stable. A friend needed to do this because the old server died 2 days before his vacation, no time to order a replacement and set it up. So remote in to Proxmox with Anydesk on Mobile Hotspot, setup OPNsense in Proxmox, and did the rest via VPN… A reboot of Proxmox drops your Internet connection, but is available in 3-4 Minutes with VPN back up and running!

I still prefer a dedicated box, and I always have a spare at home, as “jumper”, which I can use at any of my 30 clients…

  1. Proxmox…

I’ve been a VMWare user since before the millenium, even as beta tester before Workstation 1.0. I used VMWare ESXi until about 2015, when I started switching to Proxmox.
There are so many advantages, like live backups for almost ANY OS. For Windows and Linux, that includes full disaster recovery, but also comfortable GUI based restore of folders or files.
I’ve moved all my clients to Proxmox, the only ESXi still running is at a client who still has Novell Netware running. It’s only there for archive reasons, but as bookkeeper, with our strict swiss laws, he needs to keep stuff available for 10 years. And there’s no way Novell Netware will run on Proxmox. Even the E1000, an often used driver for Netware, works on ESXi, but crashes Netware (ABEND) on Proxmox.
The clue? ESXi is running inside Proxmox, as Nested virtualization. Inside are Netware 6.0 and 6.5 servers… :slight_smile:
Almost anything is nowadays administratable via WebGUI on Proxmox… :slight_smile:

It’s that rock solid!


I also use Zabbix to monitor all of my clients. Here are a few samples:

My Home LAN:

A client (State institute)

A doctors practice:

Another doctors practice:

A financial company (Treuhand):

Some special “Features”:

  • All clients use a Raspberry PI as dedicated NUT Server for UPS.
  • All clients have their “Off Site Backup” at home, on a NAS, via VPN from the Office. This NAS is usually identical as the one in the office, and can double as a last drop emergency…
  • All clients use NethServer as AD, File, Print, Mail, NextCloud, Zabbix Monitoring and more.
  • Windows “Servers” are only “member” servers in AD.

Most of my clients use a PCengines apu4d4 box for OPNsense, some have much more powerful hardware, like the IPU882 from NRG-Systems in Germany. All run OPNsense…

If you need any assistance, or specific questions, send a me a PM, and I’ll be glad to help.

My 2 cents
Andy

…and now you can even integrate Proxmox with your single sign-on infrastructure, doing things like this:
image


3 Likes

I have a few different setups and requirements for controlling access including some with separated campuses/offices on different LANs.

My go to solution is ZeroTier.

I either add the ZeroTier interface direct to the NethServer and manage there or setup OPNSense or a Raspberry PI to route/masq as required.

I also setup my own controller in some cases: https://key-networks.com/ztncui/

I would love to see ZeroTier and Controller integrated into NethServer :slight_smile:

Klaus

2 Likes