Alternative NAT with OpenWrt
I want to be able to hit my dev website when using my VPN instead of the live website so I experimented, trying to use these rules in /etc/config/firewall:
# When developing with test web server on nucmm and using VPN (source IP) - HTTP
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_ip '130.100.100.100'
	option src_dport '80'
	option dest_port '80'
	option name 'WEB'
	option dest_ip '192.168.2.164'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option name 'WEB'
	option dest_ip '192.168.2.144'

# When developing with test web server on nucmm and using VPN (source IP) - HTTPS
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_ip '130.100.100.100'
	option src_dport '443'
	option dest_port '443'
	option name 'HTTPS'
	option dest_ip '192.168.2.164'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	option name 'HTTPS'
	option dest_ip '192.168.2.144'
The only trouble is that this didn't work. It seemed to NAT to the test server irrespective of source IP. What should I do?
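One thing worth ruling out with a config like the one above is rule ordering and naming: fw3 emits redirects in config order and the first match wins, so a catch-all DNAT listed before a src_ip-restricted one silently shadows it. The small lint below is an added example (not part of the question or of OpenWrt); it parses UCI redirect sections and reports shadowed rules and reused names, using a constructed sample that deliberately lists the catch-all first.

```python
import re

# Constructed sample in UCI syntax, mirroring the question's HTTP rules but
# with the catch-all listed first so the lint has something to report.
SAMPLE = """
config redirect
    option target 'DNAT'
    option src 'wan'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.2.144'
    option name 'WEB'
config redirect
    option target 'DNAT'
    option src 'wan'
    option proto 'tcp'
    option src_ip '130.100.100.100'
    option src_dport '80'
    option dest_ip '192.168.2.164'
    option name 'WEB'
"""

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'")

def parse_redirects(text):
    """Return 'config redirect' sections, in file order, as option -> value dicts."""
    sections = []
    for line in text.splitlines():
        if re.match(r"^\s*config\s+redirect\b", line):
            sections.append({})
        elif sections and (m := OPTION_RE.match(line)):
            sections[-1][m.group(1)] = m.group(2)
    return sections

def lint_redirects(sections):
    """Flag src_ip rules shadowed by an earlier catch-all on the same zone/proto/port,
    plus names used by more than one rule (assumes fw3 evaluates in config order)."""
    findings, catchall, names = [], {}, {}
    for i, s in enumerate(sections):
        key = (s.get("src"), s.get("proto"), s.get("src_dport"))
        names.setdefault(s.get("name", ""), []).append(i)
        if "src_ip" not in s:
            catchall.setdefault(key, i)      # remember the first catch-all per key
        elif key in catchall:
            findings.append(f"rule {i} (src_ip {s['src_ip']}) is shadowed by catch-all rule {catchall[key]}")
    for name, idx in names.items():
        if name and len(idx) > 1:
            findings.append(f"name {name!r} reused by rules {idx}")
    return findings
```

Feeding it the real file (`open('/etc/config/firewall').read()`) works the same way; a clean result means the DNAT behaviour seen in the question has to be explained by zone or source-address matching rather than ordering.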
ASKER
For ALL traffic, so all traffic from my phone goes to the Router with an AllowIP of 0.0.0.0/0
(I also filter all DNS requests through a pi-hole VM).
Using this I can enter the complete Internet through this tunnel.
Using this setup I can also use VOIP through the tunnel for internal phone calls.
Also you can access this VPS with its public address to get into the VPS itself then.
ASKER
Your website is on the internet: use wireguard to your router that goes to your router with AllowedIP 0.0.0.0/0 => you get to the internet through your router.
Your router will handle NAT if configured to do that.
Your website in on the LAN side of your router:
Wireguard to your router AllowedIP: your LAN
You don't need NAT, your router will handle all routing stuff.
Your website is terminated ON your router with the PUBLIC IP:
Still the "website is on the internet" case: your router needs to allow a HAIRPIN route.
Your dev website is on your LAN...
Your wireguard is on some VPS...
Again: Wireguard as for the Internet
On your VPS establish another tunnel between your VPS and your Home router.
The last tunnel should not need NAT, just plain routing, through the tunnel.
If that is NOT your actual problem then describe the situation better, not in terms of OpenWRT config files but in terms of required functionality.
We need to solve your access problem not the OpenWRT config conundrum.
The OpenWRT config is derived from what you want / expect to work (network access to the website).
ASKER
the source network should probably not be lan but rather whatever the vpn virtual interface or corresponding network is called.
i do concur the nat layer is at best overly complex with a vpn. just use the server ip directly.
We need a picture like on the left is the Mobile, on the right there is the website and in between there is the map needed to travel from Mobile to Website.
Using components you can control (more or less), like Mobile, Wireguard tunnel, Home router (with interfaces) and IP address labels sufficient to distinguish them; they can be pseudonyms.
in the router, the test rule should use
option src 'wireguard' # or whatever identifies the address on the remote (your side) of the vpn
rather than option src 'wan'
... but this is useless as you should be able to reach the server directly without using a nat rule
taking wireguard out of the picture is quite easy as your existing rule allows to reach the server and the source ip is known.
can be as simple as allowing your ip address only if it does not change often possibly on the server itself but preferably on the router.
mtls also comes to mind if you always use the same machine for dev but move around a lot. it is fast and safe. feature-wise, you do not gain any other network access which could either be a good thing or a missing feature in your case.
given the context, it might be convenience over safety as long as it is not unreasonably open so some password on the dev instance could also be good enough.
ASKER
So any rule has got to work purely based on the request address and forward to the correct server
This is mostly consulted BEFORE DNS.
Or use a different DNS server which gives developers a different view for some of the domains.
Another solution might be a Reverse proxy which patches through depending on source.
ASKER
if you do not like the hosts method, you have many browser extensions that allow to tamper with headers as a whole or the host header specifically.
most of them do not fool the browser entirely so ssl will produce errors. vhosts on the other hand are fine. the good old "modify headers" can be configured to send the adequate host when you access specific ips which is quite convenient and much less hackish assuming you changed the wp_config to make it work.
regarding wordpress, there is no reason why either wordpress or other frameworks insist on building hard coded urls. the 2 variables i mentioned are in wp_config. i cannot remember the names for sure. something like base_url. anyway those are the ones hard coded to your current domain which are easy to spot in the config file.
ASKER
regarding wordpress, there is no reason why either wordpress or other frameworks insist on building hard coded urls. the 2 variables i mentioned are in wp_config. i cannot remember the names for sure. something like base_url. anyway
I know that is the theory but I seem to remember (ages since I looked at this issue) that the domain name is peppered all over the database, so if one wants to change the domain name, say for dev purposes, a full sed job needs to be done on the db dump. Or possibly a plugin, which in WordPress is often needed for almost anything you need to do ;)
not as far as i know, but i do not use wordpress nowadays.
i remember having a hard time with subdirectories, though.
also note that most proxies can be configured to rewrite urls on the fly or use the actual url and switch backend based on a cookie, header or whatever seems convenient.
First what do you mean VPN.... OpenVPN "private" tunnel or one of those "NordVPN" etc. VPN provided tunnels.
For the NordVPN type you have no connection to your public endpoint.
With a private tunnel you setup:
If you run a VPN you should not need NAT, you can plain route between the VPN endpoints.
You may need to allow this in the firewall.
Your VPN needs to have a Network on the router end-point. (The LAN).