I have a Proxmox node with a bunch of VMs connected to a virtual bridged network. I have one VM on that bridged network that I want to connect to a Cloud VPS running OpenVPN. I then want to run an Nginx reverse proxy or directly port forward from the VPN host to the VMs on the client's subnet (the virtual bridge). Therefore I should be able to directly access these VMs from the broader internet (specifically without having to connect to the VPN).
What is the best way of configuring OpenVPN for this? I understand I can use a bridged (tap) network to connect the VPC subnet and the Proxmox bridge subnet as one private network which should allow me to forward incoming connections on the VPN host directly to the relevant local IP on this subnet.
However, I believe I can also use a tun interface with static routes set correctly to achieve the same thing? I understand this may also have a performance benefit on the VPN.
Which configuration is optimal? Ideally I want to centralise the routing as much as possible to avoid having to reconfigure multiple VMs if I add another host to the Proxmox bridge.
I was wondering also if it would be possible to forward ALL incoming traffic from the internet on the VPN host to the Proxmox client and then run nginx/port forwarding from there to the VMs on the virtual bridge? This seems more complicated though.
I'm reasonably confident I can get the iptables/netplan rules set correctly for these configurations (more guidance may be needed however), but I'm not sure which overall architecture would be best.
Each Proxmox host is also connected to the Internet via the firewalled/non-portforwardable network so they can access the internet without having to go through the VPN tunnel.
I believe I can tell the VMs which interface/gateway to use by default by configuring the priorities in iptables? Please correct me if I am wrong.
For reference, the VPN client and host are running Ubuntu Server 22.04 LTS, and the hosts are mostly also running Ubuntu Server.
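One way to lay out the tun + static-route variant described in the question, as an added example that is not part of the original post: the VPS learns the Proxmox bridge subnet through `route`/`iroute`, DNATs only the published ports, and the Proxmox-side client masquerades forwarded traffic onto the bridge so the VMs keep their existing default gateway and need no per-VM route back into the tunnel. The subnets, interface names (eth0, ens18), client CN and web VM address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: writes the tun + static-route setup
# for the VPS (OpenVPN server) and the Proxmox-side client into $OUT for review.
# Assumed values: tunnel 10.8.0.0/24, Proxmox bridge 192.168.100.0/24 on the
# client's NIC ens18, client cert CN proxmox-gw, VPS NIC eth0, web VM .10.
set -eu
OUT="${1:-$(mktemp -d)}"
VPN_NET=10.8.0.0; LAN_NET=192.168.100.0; MASK=255.255.255.0
LAN_CIDR=192.168.100.0/24; CLIENT_CN=proxmox-gw
WAN_IF=eth0; LAN_IF=ens18; WEB_VM=192.168.100.10

write_server_conf() {  # VPS: route = kernel route via tun0, iroute = which client owns it
  mkdir -p "$OUT/ccd"
  cat > "$OUT/server.conf" <<EOF
dev tun
server $VPN_NET $MASK
route $LAN_NET $MASK
client-config-dir $OUT/ccd
EOF
  echo "iroute $LAN_NET $MASK" > "$OUT/ccd/$CLIENT_CN"
}

write_vps_rules() {  # VPS: publish only 80/443 to the web VM; FORWARD policy DROP
  cat > "$OUT/vps.rules" <<EOF
*nat
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_VM
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $WAN_IF -o tun0 -d $WEB_VM -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i tun0 -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

write_client_rules() {  # Proxmox client VM: forward tun0<->bridge, SNAT so VM replies come back here
  cat > "$OUT/client.rules" <<EOF
*nat
-A POSTROUTING -o $LAN_IF -d $LAN_CIDR -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o $LAN_IF -d $WEB_VM -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

write_server_conf; write_vps_rules; write_client_rules
echo "net.ipv4.ip_forward=1" > "$OUT/sysctl-forward.conf"   # needed on VPS and client
```

Without the MASQUERADE on the client, a VM would answer an internet source via its own default gateway rather than back through the tunnel, and the DNAT'd connection would never complete.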