Avatar of CEHJ
CEHJ (United Kingdom)

Alternative NAT with OpenWrt

I want to be able to hit my dev website when using my VPN instead of the live website so I experimented, trying to use these rules in /etc/config/firewall:


# When developing with test web server on nucmm and using VPN (source IP) - HTTP
config redirect
   option target 'DNAT'
   option src 'wan'
   option dest 'lan'
   option proto 'tcp'
   option src_ip '130.100.100.100'
   option src_dport '80'
   option dest_port '80'
   option name 'WEB'
   option dest_ip '192.168.2.164'

config redirect
   option target 'DNAT'
   option src 'wan'
   option dest 'lan'
   option proto 'tcp'
   option src_dport '80'
   option dest_port '80'
   option name 'WEB'
   option dest_ip '192.168.2.144'

# When developing with test web server on nucmm and using VPN (source IP) - HTTPS
config redirect
   option target 'DNAT'
   option src 'wan'
   option dest 'lan'
   option proto 'tcp'
   option src_ip '130.100.100.100'
   option src_dport '443'
   option dest_port '443'
   option name 'HTTPS'
   option dest_ip '192.168.2.164'

config redirect
   option target 'DNAT'
   option src 'wan'
   option dest 'lan'
   option proto 'tcp'
   option src_dport '443'
   option dest_port '443'
   option name 'HTTPS'
   option dest_ip '192.168.2.144'


The only trouble is that this didn't work. It seemed to NAT to the test server irrespective of source IP. What should I do?
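As an added aid for reading a rule set like the one above (this is not code from the question or from OpenWrt), the following POSIX shell/awk script walks the `config redirect` sections of a UCI firewall file and prints, per rule, the matched port, the destination and whether the rule is limited to a source address. It flags DNAT rules that carry no `src_ip` (they match every source), a second rule that reuses a name, and an unrestricted rule that precedes a source-specific one for the same port (the earlier rule would take the traffic first). The sample sections are generated from the values in the question; the helper names and the ordering check are assumptions of this example, not OpenWrt behaviour documented on the page.

```shell
#!/bin/sh
# Audit "config redirect" sections of an OpenWrt /etc/config/firewall (UCI syntax).
# Added example: helper names are invented here; the IPs/ports mirror the question.

# Emit one UCI redirect section. $1 name, $2 port, $3 dest_ip, $4 optional src_ip.
redirect_section() {
  printf "config redirect\n   option target 'DNAT'\n   option src 'wan'\n"
  printf "   option dest 'lan'\n   option proto 'tcp'\n"
  if [ -n "${4:-}" ]; then
    printf "   option src_ip '%s'\n" "$4"
  fi
  printf "   option src_dport '%s'\n   option dest_port '%s'\n" "$2" "$2"
  printf "   option name '%s'\n   option dest_ip '%s'\n\n" "$1" "$3"
}

# Constructed sample: the four rules exactly as ordered in the question.
sample_as_posted() {
  redirect_section WEB   80  192.168.2.164 130.100.100.100
  redirect_section WEB   80  192.168.2.144
  redirect_section HTTPS 443 192.168.2.164 130.100.100.100
  redirect_section HTTPS 443 192.168.2.144
}

# Constructed variant: the catch-all port-80 rule placed before the source-specific one.
sample_reordered() {
  redirect_section WEB   80  192.168.2.144
  redirect_section WEB   80  192.168.2.164 130.100.100.100
  redirect_section HTTPS 443 192.168.2.164 130.100.100.100
  redirect_section HTTPS 443 192.168.2.144
}

# Read UCI text on stdin, print one audit line per redirect section.
audit_redirects() {
  awk '
  function flush(   flags) {
    if (!insec) return
    flags = ""
    if (src_ip == "") { flags = flags " UNRESTRICTED"; open[port] = 1 }
    else if (open[port]) flags = flags " SHADOWED"   # catch-all for this port came earlier
    if (names[name]++) flags = flags " DUPLICATE-NAME"
    printf "port=%s name=%s target=%s dest_ip=%s src_ip=%s%s\n",
           port, name, target, dest_ip, (src_ip == "" ? "any" : src_ip), flags
    insec = 0
  }
  /^config redirect/ { flush(); insec = 1; name = ""; src_ip = ""; port = ""; dest_ip = ""; target = ""; next }
  /^config /         { flush(); next }          # any other section type ends a redirect
  insec && $1 == "option" {
    val = $3; gsub(/'\''/, "", val)             # strip the UCI single quotes
    if      ($2 == "name")      name    = val
    else if ($2 == "src_ip")    src_ip  = val
    else if ($2 == "src_dport") port    = val
    else if ($2 == "dest_ip")   dest_ip = val
    else if ($2 == "target")    target  = val
  }
  END { flush() }
  '
}

# Stand-alone run: audit the rules as posted, then the reordered variant.
# On a router: audit_redirects < /etc/config/firewall
sample_as_posted | audit_redirects
sample_reordered | audit_redirects
```

On the rules as posted the script reports two UNRESTRICTED rules (the `.144` forwards, which catch every source) and two DUPLICATE-NAME entries, but no SHADOWED rule, since each `src_ip` rule precedes its catch-all; the reordered variant shows what the SHADOWED flag looks like when that order is reversed.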

Avatar of noci
noci

First NAT is "EVIL".... (IMHO)

First what do you mean VPN.... OpenVPN "private" tunnel or one of those "NordVPN" etc. VPN provided tunnels.
For the NordVPN type you have no connection to your public endpoint.

With a private tunnel you setup:
If you run a VPN you should not need NAT, you can plain route between the VPN endpoints.
You may need to allow this in the firewall.

Your VPN needs to have a Network on the router end-point. (The LAN).
Avatar of CEHJ

ASKER

It's Wireguard with the server on a VPS. The Apache access log, with a working connection to the web server, shows the VPN server address as the one from which the web request originated
Ok I use wireguard on my phone to my home router (not OpenWRT but a homebrew one based on Gentoo).
For ALL traffic, so all traffic from my phone goes to the Router with an AllowedIPs of 0.0.0.0/0
(I also filter all DNS requests through a pi-hole VM).

Using this I can enter the complete Internet through this tunnel.

Using this setup I can also use VOIP through the tunnel for internal phone calls.
Also you can access this VPS with its public address to get into the VPS itself then.
Avatar of CEHJ

ASKER

OK, but I need to solve my actual problem
you need to get to your dev-website from your mobile.......

Your website is on the internet:   use wireguard to your router that goes to your router with AllowedIP 0.0.0.0/0   => you get to the internet through your router.
Your router will handle NAT if configured to do that.

Your website is on the LAN side of your router:
Wireguard to your router AllowedIP: your LAN
You don't need NAT, your router will handle all routing stuff.

Your website is terminated ON your router with the PUBLIC IP:
Still: The Website is on the internet case, your router needs to allow a HAIRPIN route.

Your devwebsite is on your LAN......
Your wireguard is on some VPS....
Again: Wireguard as for the Internet
On your VPS establish another tunnel between your VPS and your Home router.
The last tunnel should not need NAT, just plain routing,  through the tunnel.

If that is NOT your actual problem then describe the situation better, not in terms of OpenWRT config files but in terms of required functionality.
We need to solve your access problem not the OpenWRT config conundrum.
The OpenWRT config is derived from what you want / expect to work (network access to the website).
Avatar of CEHJ

ASKER

Actually, we can probably simplify this by taking Wireguard out of the picture. I'll try it and get back

the source network should probably not be lan but rather whatever the vpn virtual interface or corresponding network is called.


i do concur the nat layer is at best overly complex with a vpn. just use the server ip directly.

Wireguard is a layer to get from A to B over a "hostile"  world and skip some complexity.... introducing it's own dynamic.
We need a picture like on the left is the Mobile, on the right there is the website and in between there is the map needed to travel from Mobile to Website.
Using components you can control (more or less), like Mobile, Wireguard tunnel, Home router (with interfaces) and IP address labels sufficient to distinguish them; these can be pseudonyms.

in the router, the test rule should use

option src 'wireguard' # or whatever identifies the address on the remote (your side) of the vpn
rather than option src 'wan'

... but this is useless as you should be able to reach the server directly without using a nat rule


taking wireguard out of the picture is quite easy as your existing rule allows to reach the server and the source ip is known.

can be as simple as allowing your ip address only, if it does not change often; possibly on the server itself but preferably on the router.


mtls also comes to mind if you always use the same machine for dev but move around a lot. it is fast and safe. feature-wise, you do not gain any other network access which could either be a good thing or a missing feature in your case.


given the context, it might be convenience over safety as long as it is not unreasonably open so some password on the dev instance could also be good enough.

Avatar of CEHJ

ASKER

I've parked this for a few days, but just to say I'm using CMS systems. These (inc. Wordpress) don't allow addressing the website(s) with anything other than a full domain name.
So any rule has got to work purely based on the request address and forward to the correct server
ASKER CERTIFIED SOLUTION
Avatar of skullnobrains
skullnobrains

Using the full domain name can be handled in a /etc/hosts file if needed.
This is mostly consulted BEFORE DNS.

Or use a different DNS server which gives developers a different view for some of the domains.

Another solution might be a Reverse proxy which patches through depending on source.
Avatar of CEHJ

ASKER

Thanks folks. As it happens, I did think of /etc/hosts a long time ago and possibly rejected it for reasons I don't remember. It does however, fit this use case, so thank you

if you do not like the hosts method, you have many browser extensions that allow to tamper with headers as a whole or the host header specifically.

most of them do not fool the browser entirely so ssl will produce errors. vhosts on the other hand are fine. the good old "modify headers" can be configured to send the adequate host when you access specific ips which is quite convenient and much less hackish assuming you changed the wp_config to make it work.


regarding wordpress, there is no reason why either wordpress or other frameworks insist on building hard coded urls. the 2 variables i mentioned are in wp_config. i cannot remember the names for sure. something like base_url. anyway those are the ones hard coded to your current domain which are easy to spot in the config file.

Avatar of CEHJ

ASKER

regarding wordpress, there is no reason why either wordpress or other frameworks insist on building hard coded urls. the 2 variables i mentioned are in wp_config. i cannot remember the names for sure. something like base_url. anyway

I know that is the theory but I seem to remember (ages since I looked at this issue) that the domain name is peppered all over the database, so if one wants to change the domain name, say for dev purposes, a full sed job needs to be done on the db dump. Or possibly a plugin, which in WordPress is often needed for almost anything you need to do ;)

not as far as i know, but i do not use wordpress nowadays.


i remember having a hard time with subdirectories, though.


also note that most proxies can be configured to rewrite urls on the fly or use the actual url and switch backend based on a cookie, header or whatever seems convenient.