How to access via domain name behind a personal VPN?

paquiteau · August 24, 2023, 12:35am

Hello there!

I would like to access my home server, lying in VPN network using subdomains , via a VPS gateway.

here is the detailled setup:

a domain name (domain.tld)
A VPS Server wit a static public IP (123.456.78.90)
- Running Debian 11 and Yunohost
- Installed Apps: Wireguard Server (10.10.10.0), Static website, and mails.
- all diagnostic are green.
At home, a Rasperry Pi, with external drives
- Running Yunohost
- Installed Apps: Wireguard Client (10.10.10.1), Nextcloud, (and other data-hungry apps).
In another home, a backup server, with wireguard configured.
- This would later be use for , you guess it, backups.
A few laptops and phones, with wireguard client installed.

Currently:
I have build a VPN network between the 3 servers (adresses 10.10.10.x). I can access domain.tld from everywhere, and any 10.10.10.x addresses when the vpn is on.

What I would like to have is to be able to access the VPN network from outside, using subdomains, without having to fire the vpn everytime I want to get some nextcloud file.

For instance, home.domain.tld should points to the Rasperry Pi at home (so the route should ), and backup.domain.tld should points to the backup server (again via the VPN). The top domain (domain.tld) should point to the VPS server.

I have try to use off-the-shelf apps, but I can’t make it work. I have try to:

Use the redirect app to redirect the subdomains to the right server, but this fails (too many redirect it seems)
Use the reverse proxy app, but this fail too (404)
add 10.10.10.1 home.domain.tld to the /etc/hosts file of the VPS server, but this simply does nothing (it redirects to domain.tld)

Some options I am considering:

Write some proper nginx config (where though ?)
setup a DNS server on the VPS server (how ? I think I would also have to add some NS lookup on the domain name provider side ?)
Setup several ssh reverse proxies to bring the home server to the vps (e.g. 10.10.10.1:80 → 10.10.10.0:8001 , 10.10.10.1:443 → 10.10.10.0:8443), and then use the redirect apps. (this feels dirty)

Bonus points:

also apply the redirection for ssh (so a ssh user@home.domain.tld works from anywhere)
Share the accounts between the two instances (but I am probably asking too much at this point…)

Potential related posts:

Distributing Yunohost over 2 servers (one for Nextcloud/storage) - #12 by wbk
How to have two Yunohosts servers at home? - #9 by folaht
Homemade WireGuard VPN on a VPS server - #91 by rungeard
- The iptables black magic is not applicable here, as I am not in a one-to-one mapping.

Thanks in advance !

paquiteau · August 26, 2023, 4:38pm

So, after some hacking around I have the following better setup:
I removed the yunohost on the VPS, and switch for a simpler wireguard + nginx setup (+fail2ban and ufw for security). I managed the certificate by certbot

On the VPS I added the wireguard ui ( same as the Wireguard Server app from yunohost), to manage clients .
Then I setup the nginx reverse proxy as such:

# my-vps /etc/nginx/conf.d/home.comby.xyz 
server {
    server_name             home.domain.tld;
    #   include                 /etc/nginx/conf.d/redirect_http.inc;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
	proxy_pass https://10.10.10.2/;    # https because thats what yunohost likes.
	proxy_redirect off;
	proxy_set_header    X-Forwarded-By       $server_addr:$server_port;
	proxy_set_header    X-Forwarded-For      $remote_addr;
	proxy_set_header    X-Forwarded-Proto    $scheme;
	proxy_set_header    Host                 home.domain.tld;
    }
}

server {
    if ($host = home.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen                  80;
    listen                  [::]:80;
    server_name             home.domain.tld;
    return 404; # managed by Certbot


}

I used certbot for the certificates on the because that’s what I am use to from previous project (and its well packaged in debian), apparently acme.sh is also a good option.
The yunohost-managed home server is setup with the domain home.domain.tld and a self-signed certificat

Now, it almost work.

I can access https://home.domain.tld/nextcloud or any other app
Subdomain apps does not work, unless I do all the routing on the proxy side.
Trying to access /yunohost/sso : I keep getting the login prompt after sign in.

tituspijean · August 26, 2023, 5:46pm

FYI some similar work has started on feature: new global setting options to enable SNI-forward to external domains by alexAubin · Pull Request #1697 · YunoHost/yunohost · GitHub.

paquiteau · August 27, 2023, 12:39pm

Great , very promising. To be sure this configuration would be for the home-based Yunohost server or for the VPS one ? In the latter case, I guess I could adapt it , and who knows, maybe write a guide about it