I am trying to use DigitalOcean VPS as a openVPN server to access services (e.g. nextcloud) hosted on my home network through subdomains (e.g. nextcloud.example.com).
I have set up the following:
- [working] kylemanna/openvpn docker on Digital Ocean VPS
- [working] Connected my home pfSense router as VPN client to Digital Ocean VPS
- [working] Set up the nextcloud service on my home network
- [working] When connected to the VPN, I can ping between devices and also access the nextcloud service through the internal IP
- [Not working] jwilder/nginx-proxy to route nextcloud.example.com through the Docker VPN tunnel to nextcloud's internal IP
I have tried to add a virtual_host file for nextcloud.example.com to nginx-proxy routing request to the openvpn port 3000, and then within the openvpn container using iptables to forward all request on port 3000 to the internal nextcloud IP.
Would really appreciate any help as I am to be honest a bit in the deep end here?
kylemanna/openvpn - iptables config forwarding
user@Debianwebhost:~$ docker exec -it vpn bash
bash-4.4# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:3000 to:192.168.0.99:80
DNAT udp -- anywhere anywhere udp dpt:3000 to:192.168.0.99:80
DNAT udp -- anywhere anywhere udp dpt:3000 to:192.168.0.99:80
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 192.168.0.99 tcp dpt:http to:172.17.0.2:3000
SNAT udp -- anywhere 192.168.0.99 udp dpt:http to:172.17.0.2:3000
nginx-proxy virtual host config
user@Debianwebhost:/etc/nginx/vhost.d$ cat nextcloud.example.com
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# nextcloud.example.com
upstream nextcloud.example.com {
## Can be connect with "bridge" network
# vpn
server 172.17.0.2:3000;
}
server {
server_name nextcloud.example.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://nextcloud.example.com;
}
}
nginx-proxy nginx.conf
user@Debianwebhost:/etc/nginx$ cat nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
nginx-proxy default.conf
user@Debianwebhost:/etc/nginx/conf.d$ cat default.conf
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
resolver [hidden ips, but there are 2 of them];
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# nextcloud.example.com
upstream nextcloud.example.com {
## Can be connect with "bridge" network
# vpn
server 172.17.0.2:3000;
}
server {
server_name nextcloud.example.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://nextcloud.example.com;
}
}