
Reach LAN Web Server from Amazon ec2 OpenVPN AS Instance. Possible?


Here's my desired end state: From a WAN connection (my phone, a PC that I happen to be using outside my home, etc.), I want to be able to enter a URL (https://example/myapp) that my web server (nginx) serves up from my LAN. I'm currently trying to do this through an Amazon ec2 OpenVPN AS instance (because I'm out of other ideas). I believe I'm close to success (keep reading), but something is preventing it from happening.

DETAILS: I’ve been able to access my LAN server online for years from the WAN via its domain name and connecting via SSL (using Let’s Encrypt certificates).

However, I recently changed to a new Internet provider, and the gateway has ZERO (as in NONE) configuration options.

As a result, I can no longer reach my LAN server from the WAN.

A friend said he thought I could use an Amazon ec2 server to create a VPN tunnel to my LAN server.

So, I have created an Amazon ec2 OpenVPN AS instance, and assigned my domain name to it. I am able to access the Amazon ec2 OpenVPN AS instance using my domain name.

I set up OpenVPN on my LAN server box (Arch Linux) and established a connection with the Amazon ec2 OpenVPN AS instance. So far, so good!

However, I am unable to reach my nginx web server on my LAN server box.

When I type the URL to my domain, I get served the Amazon ec2 OpenVPN AS server login page.

How do I reach my nginx web server (at the other end of the VPN tunnel I created)?

I’m probably making this more difficult than it needs to be, but I’ve tried a few different configuration changes and just can’t get it to work.

I have watched countless videos (and read as many web pages) as I could find on this topic, but they seem to be focusing on things like just getting a domain associated with their ec2 instance or creating an SSL certificate or creating a web server on the ec2 instance, etc. None of which are my issue.

I have no firewall installed on my LAN server. I also have no special routing configurations. Further, I do not see how to configure NAT/routing from the Amazon ec2 OpenVPN AS configuration UI.

Thank you for any help you may provide!

sb

cn flag
Why not just use the VPN to connect to your home LAN and then browse as normal?
steadybright: I'm not sure how this would work. Our phones need to connect to the LAN caldav server to sync every hour. We also connect to our LAN-based chat server from various WAN devices.
cn flag
Sorry, I read your question as talking about a very small home lab so assumed 1 user. You also only mentioned the one website not the caldav server and chat servers. Either way, a VPN would work fine to get clients onto the LAN: user runs VPN client, connects to VPN server/concentrator in your LAN, hey presto they're now on the LAN. Rather than expose your LAN to the internet via EC2, you bring your clients to the LAN.
steadybright: Using the method you described, I infer that I need the OpenVPN server on my serving machine in my LAN, and I need to connect my WAN machines/devices to an OpenVPN client on the Amazon OpenVPN Access Server? I'm currently doing it the other way: I'm using the Amazon ec2 OpenVPN Access Server as the OpenVPN server and the client is connecting to the server from my LAN server.
steadybright: Sorry, just re-thought what I believe you are saying: 1) Ditch Amazon ec2 OpenVPN instance, 2) Install OpenVPN server on my LAN server, and 3) Connect to my LAN server with my WAN devices directly. Wait, that doesn't work, because I still need to get my LAN server address... so maybe my first response above is correct after all.
cn flag
What do you mean need to get the LAN server address? You've said you've "accessed the server from the WAN for years". So I'd guess you have a DNS entry that points to your internet gateway... I suggest you go read about OpenVPN and Dynamic DNS if needed. Literally thousands of businesses use VPN solutions and it works fine.
steadybright: Exactly. I was able to access my LAN server via WAN devices because I used Dynamic DNS to point traffic to my domain's gateway/router IP. I then port forwarded port 80 and 443 to my LAN server. It worked great. My new gateway cannot be configured, so I cannot port forward any longer. So I updated DNS to point to my domain at the Amazon elastic IP associated with my ec2 OpenVPN AS instance. That works.
steadybright: Next, I brought up the OpenVPN client on my LAN server, connected to the OpenVPN server on my ec2 instance. All good. However, I can only reach the OpenVPN login/configuration pages on the ec2 instance via my domain address. I do not understand how to reach my server now. I expect it's something simple/basic that I'm missing.
steadybright: I appreciate your help. You're the only person that's engaged me on this. I'm happy to go read something specific to this issue. I know many people use these solutions successfully every day. I'm trying to teach myself how to do it also, and I was hoping for some specific tip or area to study next. I'll get "there" eventually, was just hoping for help in getting there. Thank you.
cn flag
Ah okay - I understand more now. If you've connected to the VPN you want to enter the LAN IP of your server to reach the page, not the domain name. It should route the traffic over the VPN server and (config permitting) to the server.
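As an added example (not code from this thread or from OpenVPN), here is a small POSIX shell checklist for the setup the commenter describes: a VPN server sitting in the LAN, a WAN client connecting in, then browsing to the server's LAN IP. It checks the three things that most often break "I'm on the VPN but can't reach the LAN web server": the client's route table sends the LAN prefix over the tunnel, the server config pushes that route to clients, and IPv4 forwarding is enabled on the VPN host. The subnet 192.168.1.0/24, the interface name tun0, the web server address 192.168.1.10 and the server.conf path are all constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the usual causes of
# "connected to the VPN but can't reach the LAN web server".
# All addresses and names below are constructed placeholders.

# 1) Client side: is the LAN prefix routed over the tunnel interface?
#    Reads `ip route` output on stdin, so it can also be run against captured text.
#    Usage: ip route | route_via_tunnel 192.168.1.0/24 tun0
route_via_tunnel() {
    awk -v want="$1" -v tun="$2" '
        $1 == want { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == tun) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 2) Server side: does server.conf push a route for the LAN prefix to clients?
#    OpenVPN syntax: push "route <network> <netmask>"
#    Usage: config_pushes_route /etc/openvpn/server.conf 192.168.1.0 255.255.255.0
config_pushes_route() {
    tr -s '[:blank:]' ' ' < "$1" | sed 's/^ //; s/ $//' | grep -Fxq "push \"route $2 $3\""
}

# 3) Server side: is IPv4 forwarding on, so packets arriving from the tunnel
#    can be relayed onto the LAN? Takes the sysctl file path as an optional
#    argument so a test can point it at a temporary file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 4) Reachability: fetch the site by LAN IP and print the HTTP status code.
http_status() {
    curl -sS -o /dev/null -w '%{http_code}' --max-time 5 "http://$1/"
}

# Live run on a connected VPN client. Only executes when invoked as:
#   sh vpncheck.sh live 192.168.1.0/24 tun0 192.168.1.10
if [ "${1:-}" = "live" ]; then
    ip route | route_via_tunnel "$2" "$3" && echo "route: $2 via $3 OK" || echo "route: $2 is NOT via $3"
    http_status "$4"; echo " <- HTTP status from $4"
fi
```

Run the route check on the WAN client after it connects; run the config and forwarding checks on the box hosting the OpenVPN server. Note that browsing to the LAN IP over https will trip a certificate name mismatch, since a Let's Encrypt certificate is issued for the domain name, not the address, so test plain http first (or map the domain to the LAN IP in the client's hosts file while the VPN is up).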
steadybright: That's helpful. Thank you! Meanwhile, I've terminated my ec2 instance after having received a surprise bill from Amazon for ec2 services. I (thought I) was careful to select only free tier options, but I dorked that up somehow. Hoping to try this again this weekend, when I can take more time to read through everything a little more carefully.
steadybright: Stinkin'. As it turns out ec2 instances are only free for the first 12 months you have AWS. They're not on the forever free plan, so I think I'm dead in the water (again).
cn flag
Your best option might be to reach out to your ISP and see if you can a) put your own network device in as gateway, or b) request a new gateway, or c) get them to configure it. :)