Local connection to the Nethserver on the Internet

Nethserver 7.9.2009 (final)

Hi,
I made a Nethserver with a network card and a dummy interface.

The WAN (RED) interface of the Nethserver is the physical network card and the LAN (GREEN) interface is the dummy interface. LDAP runs on the dummy interface. I placed the server behind our small office router and all users connect to it remotely with the OpenVPN road warrior VPN.

This is how I test the server before placing it in the cloud as a VPS server. Unfortunately, I cannot switch to a VPS for the time being because one of our programs requires me to run a Windows virtual machine, and this cannot be done on a VPS. The replacement of the program is in progress, but it will only be possible at the beginning of next year at the earliest. Until then I have time to test… :slight_smile:

My problem is the following: everyone can connect and work remotely, but if I try to connect to the server as a user from the same network as the server (connected to another port of the router), it fails, because the Nethserver connects to the router via the WAN interface. This is how it should work. In this case, you cannot connect with the VPN either.

I would like to know how I can access the Nethserver services from the network to which it is connected behind the router via the WAN (RED) interface. Maybe this is a trivial, even stupid question, but I would be interested if it could be solved…
Of course, without having to install another physical card in the server, because then the test environment will change…

This would also be interesting because I may have to place the physical server temporarily on a server farm, but I don’t want them to access the server via the LAN port… You can’t access what you don’t have… :slight_smile:

Thanks for the help and advice.

Hi @steve

Easy enough…

Using dynamic name resolution, you can e.g. reach the external IP of your router, and everything works via VPN (VPN with port forwarding to NethServer?) - that’s what I understand.

You can make an entry on your internal DNS, overriding the external DNS and pointing the OpenVPN directly to your NethServer. That way OpenVPN would work internally and externally, using a dynamic DNS resolution.

I have this working using DynDNS (Now Oracle).
My router/firewall is OPNsense; there a DNS entry points to the Nethserver (with the needed port forwarding for Internet WAN users).
Internally and externally I can connect, e.g., to vpn.mydomain.com and with OpenVPN I can access all I need…

My 2 cents
Andy

@Andy_Wismer
Thank you for your advice.

Nethserver has a Let’s Encrypt certificate and the domain name entry is fine. On the router, the VPN port 1195 and ports 443 and 80 are redirected to the Nethserver.

How does this change your proposed solution?

Hi

Assuming your Router is acting as DHCP for your LAN (Network, RED for your NethServer):

Your router should have an option for “overriding” existing DNS entries, like Unbound or dnsmasq have.

If your router has no options for DNS entries, then things look a little bleaker…

My 2 cents
Andy

That’s not what I meant, but thanks. I wanted to find out what the effect is if I don’t use DynDNS but have a fixed IP address and my own domain name with a Let’s Encrypt certificate.

I tried to enter the Nethserver domain name in the static DNS names on the router. Apparently it works over the Internet and in the local network when I connect to the Nethserver domain name with OpenVPN.

Thank you, your help was very useful.

One more question. If I take this Nethserver to a server farm, if there is a problem with it, how can I remotely or locally access the server for recovery, backup and reloading? It doesn’t have a LAN card… :slight_smile:
What if the same is required for VPS?

It always depends on what the “hoster” offers. There are several solutions/options available, depending on the hoster and the technologies used…

Hetzner in Germany provides e.g. KVM access when you need it (not permanent).

Thank you, I will inquire about nearby server hosting companies.

Thanks and Regards

Sorry @Andy_Wismer, one more question.

In this case, when connecting to the Nethserver from the local network with a VPN, will all Internet traffic go through the Nethserver?

Not necessary or needed.
What goes where is decided per DNS, and whatever IPs are returned by the DNS.
That’s why a dynamic DNS must be used, as using the external IP alone would force the VPN to hit the external IP of the router - and I doubt that router can handle “Hairpin NAT” connections correctly.

Better would be to allocate a dynamic DNS service. Externally, they get the external IP of the router for OpenVPN; internally, they get redirected to the internal WAN IP of the NethServer (essentially in the same LAN/network), creating much less load on the router, as the internal VPNs bypass the router entirely.

External:
vpn.domainname.com points to external IP of router, using NAT from the router the NethServer’s WAN is reached for VPN.

Internal:
vpn.domainname.com is redirected to the WAN IP of NethServer, on the internal LAN. The VPN is processed only by the NethServer.

Hope that’s halfway comprehensible…

:slight_smile:

My 2 cents
Andy

I’m not sure I understand you well. It’s probably my fault…

Let’s clarify.
I have a public fixed IP address. The Nethserver is accessible from the Internet at this IP address and this IP address is registered in the public DNS. Thus, Nethserver can also be accessed on the Internet by entering the domain name. Nethserver has a Let’s Encrypt certificate. I think I managed to describe this accurately now…

The Nethserver is placed behind a Mikrotik router and only the VPN port is redirected from the Internet to the local network IP address of the Nethserver. Mikrotik router can handle Hairpin NAT.
The Mikrotik router can handle static DNS entries. Currently, I set this so that the domain name of the Nethserver points to the local network IP address of the Nethserver. Thus, public DNS servers (e.g. Google) resolve the name on the Internet, while the static name entry of the Mikrotik router on the local network.

My problem is that I don’t want to send all Internet traffic through the Nethserver if I connect to it via VPN from the local network. I would like the Internet traffic to go directly through the router even if I connect to the Nethserver via VPN.

Unfortunately, I don’t understand what you mean about DynDNS. I think in this case there is no difference between DynDNS and fixed public IP, both would point to the same place.
Are you thinking that I should give the Nethserver a different name in the internal network (e.g. alias) than on the Internet?
Should I set this internal name in the router to the local IP address of the Nethserver?

When I create the VPN certificates for connecting from the local network, should I create a certificate with the local name of the Nethserver? In this case, the user who wants to connect locally and remotely needs two certificates, one for the remote connection and one for the local connection… This is not the best solution…

OpenVPN can manage where Internet traffic should go, but there is no corresponding setting in Nethserver. I usually install an OpenVPN client on the Windows machine, then the Internet traffic does not go through the VPN, which is what I want now. Maybe I should test it with traceroute…

I apologize, maybe it was a bit long, but I hope that I have now managed to describe everything in a comprehensible way and define the essence.

Thanks for your help.

Hi

What you describe will work.

Inside the config file for OpenVPN, it can be set whether ALL traffic goes through the VPN. I hardly use this, except on special occasions, as ALL traffic really means that any YouTube video watched will pass your network twice, creating unnecessary traffic on your WAN connection.

You can also simply “edit” the config file for internal clients using the VPN, and manually set the internal IP of the Nethserver’s WAN address… :slight_smile:

I use LetsEncrypt for all my 30+ clients, so I’m fairly familiar with it. NethServer does LE, but also for the Internal AD of NethServer. This can be needed for certain JAVA or PHP apps, which was the case for me.

I just used DynDNS, as most users here on this forum don’t have a static IP. If you have a static IP, all the better! My Home connection also uses DynDNS, as my provider doesn’t have a static IP option… :frowning:

My 2 cents
Andy
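The setting discussed above is OpenVPN's `redirect-gateway` directive: when it is present in the client profile, or pushed by the server (`push "redirect-gateway def1"`), every packet leaves through the tunnel; when it is absent, only the routes the server pushes (the office subnets) go through the VPN and Internet traffic stays on the local router. The added example below, which is not code from the forum posters or from NethServer, checks a client profile for that behaviour and produces a hardened copy that refuses a pushed full-tunnel redirect with `pull-filter ignore "redirect-gateway"` (an OpenVPN 2.4+ client option), so a single profile works both from the office LAN and from the road without per-location editing. The profile text, host name `vpn.domainname.com` and port are constructed for the example; the certificate block is a placeholder, not a real certificate.

```python
"""Added example (not NethServer's or the posters' code): decide whether an
OpenVPN client profile will send Internet traffic through the tunnel, and
emit a copy that keeps Internet traffic on the local router."""
import re
from typing import Dict, List

# Constructed sample profile, not a real NethServer export. The host name is
# the same in the office and on the road; split-horizon DNS (public DNS ->
# router's public IP, router's static DNS -> NethServer LAN IP) decides which
# address it resolves to. Host name and port are assumptions.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.domainname.com 1195
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(profile: str) -> List[List[str]]:
    """Option lines as token lists; comments and inline <ca>/<cert>/<key>
    blocks are skipped (their contents are PEM, not options)."""
    directives: List[List[str]] = []
    in_block = False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        directives.append(line.split())
    return directives


def remote_hosts(profile: str) -> List[str]:
    """Host names the client connects to (the 'remote' directives)."""
    return [d[1] for d in parse_directives(profile)
            if d[0] == "remote" and len(d) > 1]


def _ignores_pushed_redirect(d: List[str]) -> bool:
    # pull-filter ignore "redirect-gateway" drops only that pushed option
    return (d[0] == "pull-filter" and len(d) >= 3 and d[1] == "ignore"
            and d[2].strip('"').startswith("redirect-gateway"))


def full_tunnel_risk(profile: str) -> Dict[str, object]:
    """Where will the client's Internet traffic go?
    'forced'  - redirect-gateway is in the profile itself: all traffic via VPN
    'server'  - nothing blocks a pushed redirect-gateway, so the server decides
                (OpenVPN applies pushed options unless route-nopull or a
                matching pull-filter stops them)
    'blocked' - a pushed redirect is discarded; Internet stays on the router
    """
    directives = parse_directives(profile)
    local_redirect = any(d[0] == "redirect-gateway" for d in directives)
    route_nopull = any(d[0] == "route-nopull" for d in directives)
    ignore_redirect = any(_ignores_pushed_redirect(d) for d in directives)
    if local_redirect:
        verdict = "forced"
    elif route_nopull or ignore_redirect:
        verdict = "blocked"
    else:
        verdict = "server"
    return {"verdict": verdict, "local_redirect": local_redirect,
            "route_nopull": route_nopull, "ignore_redirect": ignore_redirect}


def harden(profile: str) -> str:
    """Copy of the profile that never becomes a full tunnel: drop any local
    redirect-gateway and ignore a pushed one. Unlike route-nopull this keeps
    the pushed LAN routes, so the office subnets stay reachable. Idempotent."""
    kept = [raw for raw in profile.splitlines()
            if not re.match(r"^\s*redirect-gateway\b", raw)]
    out = "\n".join(kept).rstrip("\n") + "\n"
    if not full_tunnel_risk(out)["ignore_redirect"]:
        out += 'pull-filter ignore "redirect-gateway"\n'
    return out


if __name__ == "__main__":
    print("remote:", remote_hosts(SAMPLE_PROFILE))
    print("as exported:", full_tunnel_risk(SAMPLE_PROFILE)["verdict"])
    print("hardened:", full_tunnel_risk(harden(SAMPLE_PROFILE))["verdict"])
```

Running it on the constructed profile reports `server` (the exported profile is at the mercy of what the server pushes) and `blocked` after hardening. The same `remote` host name is kept in both cases, which is what lets the router's static DNS entry send office users straight to the NethServer's LAN-side address while the public DNS sends road users to the router. A quick confirmation on a connected client is `traceroute` (or `tracert` on Windows) to a public address: the first hop should be the office router, not the tunnel endpoint.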

This is exactly the crux of the problem. I don’t want the other traffic to burden the Nethserver. I don’t think this is a good idea for both local and remote VPN connections.

Of course I know the solution, I use it for testing. But I cannot entrust the editing of the config file to the average user (e.g. my wife, because she is not an IT specialist), so it is advisable to use a fixed solution. The use of separate VPN configurations for local and remote connections would not be easy for some users, therefore it is advisable to use a single configuration and I set the destination of the connection.

I am currently saving data on the Nethserver, after that I will test where Internet traffic goes to the Nethserver during the VPN connection with the basic settings. I will run traceroute to find out and everything will be clear.
