Best way of configuring an OpenVPN to allow access from the Internet to hosts behind a firewall

I have a Proxmox node with a bunch of VMs connected to a virtual bridged network. I have one VM on that bridged network that I want to connect to a Cloud VPS running OpenVPN. I then want to run an Nginx reverse proxy or directly port forward from the VPN host to the VMs on the client's subnet (the virtual bridge). Therefore I should be able to directly access these VMs from the broader internet (specifically without having to connect to the VPN).

What is the best way of configuring OpenVPN for this? I understand I can use a bridged (tap) network to connect the VPC subnet and the Proxmox bridge subnet as one private network which should allow me to forward incoming connections on the VPN host directly to the relevant local IP on this subnet.

However, I believe I can also use a tun interface with static routes set correctly to achieve the same thing? I understand this may also have a performance benefit on the VPN.

Which configuration is optimal? Ideally I want to centralise the routing as much as possible to avoid having to reconfigure multiple VMs if I add another host to the Proxmox bridge.

I was wondering also if it would be possible to forward ALL incoming traffic from the internet on the VPN host to the Proxmox client and then run nginx/port forwarding from there to the VMs on the virtual bridge? This seems more complicated though.

I'm reasonably confident I can get the iptables/netplan rules set correctly for these configurations (more guidance may be needed however), but I'm not sure which overall architecture would be best.

Each Proxmox host is also connected to the Internet via the firewalled/non-portforwardable network so they can access the internet without having to go through the VPN tunnel.

I believe I can tell the VMs which interface/gateway to use by default by configuring the priorities in iptables? Please correct me if I am wrong.

For reference, the VPN client and host are running Ubuntu Server 22.04 LTS, and the hosts are mostly also running Ubuntu Server.
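One tun-mode layout that matches the setup described in the question, added here as an example (it is not from the question or any answer; the addresses, interface names and client CN are assumptions): the VPS keeps a single forwarding table, OpenVPN learns the bridge subnet through `route`/`iroute`, and MASQUERADE on the tunnel side makes the VMs' replies come back through the tunnel so nothing has to change on the VMs themselves.

```shell
# Added illustration, not from the question or a posted answer. Assumed
# addressing: VPN subnet 10.8.0.0/24 (client pinned to 10.8.0.2), Proxmox
# bridge 192.168.100.0/24 behind the client, VPS public NIC eth0, tun0.
VPN_IF=tun0
PUB_IF=eth0
LAN_NET=192.168.100.0
LAN_MASK=255.255.255.0

# server.conf lines: kernel route for the bridge subnet into the tunnel, and
# per-client config so OpenVPN knows which client owns that subnet.
openvpn_server_lines() {
    printf 'topology subnet\nroute %s %s\nclient-config-dir /etc/openvpn/ccd\n' "$LAN_NET" "$LAN_MASK"
}
# /etc/openvpn/ccd/<client CN>: claim the bridge subnet and pin the VPN IP.
openvpn_ccd_lines() {
    printf 'iroute %s %s\nifconfig-push 10.8.0.2 255.255.255.0\n' "$LAN_NET" "$LAN_MASK"
}

# Forwarding table kept only on the VPS: "public_port proto vm_ip vm_port".
# Adding a VM means adding one line here; nothing changes on the VMs.
FORWARDS='
80 tcp 192.168.100.10 80
443 tcp 192.168.100.10 443
2222 tcp 192.168.100.20 22
'

# Rules for one forward. DNAT sends the packet to the VM; MASQUERADE on tun0
# rewrites the source to the VPS's tunnel address so the VM's reply comes
# back through the tunnel instead of leaving via its own default gateway
# (the firewalled uplink). With this, VMs need no routing changes at all.
forward_rules() {  # $1=public port $2=proto $3=vm ip $4=vm port
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' "$PUB_IF" "$2" "$1" "$3" "$4"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$PUB_IF" "$VPN_IF" "$2" "$3" "$4"
    printf 'iptables -t nat -A POSTROUTING -o %s -p %s -d %s --dport %s -j MASQUERADE\n' "$VPN_IF" "$2" "$3" "$4"
}

all_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'   # also needed on the Proxmox client VM
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$FORWARDS" | while read -r pp proto vip vport; do
        if [ -n "$pp" ]; then forward_rules "$pp" "$proto" "$vip" "$vport"; fi
    done
}

# Dry run by default (prints the commands); `sh forward.sh apply` runs them as root.
if [ "${1:-}" = "apply" ]; then all_rules | sh -e; else all_rules; fi
```

Only the VPS and the single Proxmox client VM need `ip_forward` enabled and a FORWARD policy that permits the traffic; the other VMs keep their existing default gateway.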

djdomi:
I don't see in here any business environment or relationship. I would just use the firewall to enable a VPN or s2s access.