How to Use a NethServer Leader Node as a Gateway to Access Applications on Private Worker Nodes?

I am using NethServer 8 (NS8) to deploy a cluster with two nodes:

  1. Leader Node (Node 1): Deployed on a VPS with a public IP address.
  2. Worker Node (Node 2): Located on a private local network behind NAT.

I have configured a DNS record that points to the public IP of the leader node. Applications hosted on the leader node are accessible from the internet as expected. However, I want the leader node to act as a gateway to route traffic from the internet to applications hosted on the worker node in the private network.

Currently, applications on the worker node are not accessible via the DNS or the leader node. I need guidance on how to:

  • Configure the leader node to route traffic to the worker node.
  • Ensure that applications on the worker node are accessible through the same DNS.

Any advice or best practices on setting up this configuration would be greatly appreciated. Thank you!

Hi,

welcome to NethServer Community!

You could create HTTP routes on the Leader Node to the worker nodes' Wireguard VPN IPs.

I tested it with the webserver app on a 3 node cluster, 1 worker node at home.

On the leader node I set the following HTTP route:

The Host has to match the app hostname on the worker.

You’ll find the wireguard VPN IPs on the Nodes details pages. On CLI you could use:

ip a s dev wg0

3 Likes

Thank you for the details.
I am planning a similar setup but would also have another host running apps at home.

Would it be possible to use the leader node to redirect (and manage SSL certificates) to another host on the worker node’s subnet (not the VPN subnet), essentially using the “advertise routes” of the wireguard protocol?

If that was not entirely clear, I would have a 3rd machine not running NethServer in the same subnet of the Worker Node at home.
The aim is to use the Leader Node (on the VPS) as DNS target IP and the Leader Node to redirect and manage SSL for a few apps that run on a non-nethserver host. Assume internal firewall rules allow unrestricted traffic within subnet.

Much appreciated.

Hi Donny,

and welcome to NethServer Community.

You could use 2 HTTP routes, the first one to provide a cert and redirect from the VPS node to the wireguard IP of the home node and the second one to redirect from the home node to the “3rd machine” in your network.
In my test I entered the domain name pointing to my NS8 VPS in my browser and I got the web page of the old NethServer 7 at home.

In this example the home node is node 3 and has wireguard IP 10.5.4.3 and the VPS node is node 1.
internalsite.domain.com points to the VPS node in DNS.

The first HTTP route:

Node: 1
URL: http://10.5.4.3
Host: internalsite.domain.com
Request Let’s Encrypt certificate: Enabled (to get a valid cert)

The second one:

Node: 3
URL: http://192.168.1.10 (IP of the 3rd machine in LAN)
Host: internalsite.domain.com

Now it should be possible to browse to internalsite.domain.com and see the webpage of the 3rd machine.

4 Likes
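Added example, not part of the thread and not NethServer code: a small Python check for the two-route chain in the answer above. It sends the Host header the routes match on straight to each hop, so you can see which hop breaks. The hop URLs and hostname are the ones from the post; reading a 404 as "nothing answers for this Host" is an assumption about the proxy's default reply.

```python
import http.client
from urllib.parse import urlsplit

# Values taken from the thread; adjust them to your own cluster.
HOST = "internalsite.domain.com"
HOPS = [
    ("3rd machine on the LAN", "http://192.168.1.10"),
    ("home node (node 3) over WireGuard", "http://10.5.4.3"),
]

def probe(url, host, timeout=5):
    """GET the URL with an explicit Host header; return the HTTP status or None."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only plain-HTTP hops, as in the thread, are probed")
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.putrequest("GET", parts.path or "/", skip_host=True)
        conn.putheader("Host", host)  # the value the HTTP route matches on
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, or not speaking HTTP
    finally:
        conn.close()

def verdict(status):
    """Translate a status into what it says about the hop."""
    if status is None:
        return "unreachable"
    if status == 404:  # assumption: the proxy's default answer for an unmatched Host
        return "reachable, but nothing answers for this Host"
    if status >= 500:
        return "reachable, but the hop behind it is failing"
    return "ok"

def check_chain(hops, host):
    """Probe every hop, backend first; return (label, url, status, verdict) rows."""
    rows = []
    for label, url in hops:
        status = probe(url, host)
        rows.append((label, url, status, verdict(status)))
    return rows

if __name__ == "__main__":
    for label, url, status, note in check_chain(HOPS, HOST):
        print(f"{status!s:>4}  {url:<22} {label}: {note}")
```

Run it on the home node, which can reach both the LAN address and its own WireGuard address; from the VPS node only the WireGuard hop is reachable.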

That worked like a charm.

Thank you so much for taking the time to respond and also I really appreciate all your contributions!

Many thanks,
Donny

2 Likes