System:Network Architecture: Difference between revisions

Latest revision as of 14:04, 16 May 2026

This document describes the network architecture of the jb-vpn.uk infrastructure.

Network topology

Internet → VPS (87.106.61.62) → Caddy (443)
              ├→ 127.0.0.1 — Docker (WebApp, MediaWiki, phpMyAdmin)
              └→ OpenVPN (tun0) → NAS (10.8.0.2) — DSM, Plex, SSH

Network components

VPS public IP: 87.106.61.62

VPN network: 10.8.0.0/24

VPN interface: tun0 (10.8.0.1 on VPS)

NAS VPN IP: 10.8.0.2

Edge proxy: Caddy (ports 80/443)

TLS: Let's Encrypt (automatic via Caddy)

Traffic flow

Client request — user opens a hostname (e.g. wiki.jb-vpn.uk)
DNS — record points to 87.106.61.62
Caddy — receives HTTPS on port 443, terminates TLS
Routing — Caddy proxies to a local upstream or through tun0 to 10.8.0.2
Response — backend → Caddy → client

Example (main wiki):

Browser → wiki.jb-vpn.uk:443 → Caddy → 127.0.0.1:8010 (wiki-mediawiki)

Example (DSM):

Browser → dsm.jb-vpn.uk:443 → Caddy → https://10.8.0.2:5001

Network diagram

┌─────────────┐
│   Client    │
└──────┬──────┘
       │ HTTPS (443)
       ▼
┌─────────────────────────────────────┐
│         VPS (87.106.61.62)          │
│  ┌───────────────────────────────┐  │
│  │  Caddy (TLS + routing)        │  │
│  └───────────┬───────────────────┘  │
│              │                       │
│     ┌────────┴────────┐              │
│     ▼                 ▼              │
│  127.0.0.1         tun0 → 10.8.0.2   │
│  Docker stacks     NAS services      │
│  - 8010/8011 Wiki  - 5001 DSM        │
│  - 8008/8009 App   - 32400 Plex      │
│  - 8080 phpMyAdmin                   │
└─────────────────────────────────────┘

Ports

Public (VPS)

Port	Purpose
80	HTTP → HTTPS redirect (Caddy)
443	HTTPS (Caddy)
22	SSH (VPS admin)
1194/udp	OpenVPN server
22222	SSH forward to NAS (iptables)

Local (VPS `127.0.0.1`)

Port	Service
8010	Main MediaWiki
8011	Werbs MediaWiki
3307	Wiki MariaDB
8008	WebApp production
8009	WebApp beta
8080	phpMyAdmin

NAS (via VPN `10.8.0.2`)

Port	Service
5001	DSM (HTTPS)
32400	Plex
22	SSH

@@ Line 1: / Line 1: @@
-= Network Architecture =
+This document describes the network architecture of the jb-vpn.uk infrastructure.
-This document describes the network architecture of the reverse proxy system.
+== Network topology ==
-== Network Topology ==
 <pre>
-Internet → VPS (87.106.61.62) → OpenVPN Tunnel (tun0) → Synology NAS (10.8.0.2)
+Internet → VPS (87.106.61.62) → Caddy (443)
+              ├→ 127.0.0.1 — Docker (WebApp, MediaWiki, phpMyAdmin)
+              └→ OpenVPN (tun0) → NAS (10.8.0.2) — DSM, Plex, SSH
 </pre>
-== Network Components ==
+== Network components ==
+* '''VPS public IP''': <code>87.106.61.62</code>
+* '''VPN network''': <code>10.8.0.0/24</code>
-* '''VPS Public IP''': 87.106.61.62
+* '''VPN interface''': <code>tun0</code> (<code>10.8.0.1</code> on VPS)
-* '''VPN Network''': 10.8.0.0/24
+* '''NAS VPN IP''': <code>10.8.0.2</code>
-* '''VPN Interface''': tun0 (10.8.0.1)
+* '''Edge proxy''': Caddy (ports 80/443)
-* '''Synology NAS IP''': 10.8.0.2 (via VPN)
+* '''TLS''': Let's Encrypt (automatic via Caddy)
-* '''Web Server''': Nginx (reverse proxy)
+== Traffic flow ==
-* '''SSL Certificates''': Let's Encrypt (managed by Certbot)
+# '''Client request''' — user opens a hostname (e.g. <code>wiki.jb-vpn.uk</code>)
+# '''DNS''' — record points to <code>87.106.61.62</code>
+# '''Caddy''' — receives HTTPS on port 443, terminates TLS
+# '''Routing''' — Caddy proxies to a local upstream or through <code>tun0</code> to <code>10.8.0.2</code>
+# '''Response''' — backend → Caddy → client
-== Traffic Flow ==
+Example (main wiki):
-= '''Client Request''': User accesses a subdomain (e.g., <code>wiki.jb-vpn.uk</code>) =
+<pre>
-= '''DNS Resolution''': DNS resolves to VPS public IP (87.106.61.62) =
+Browser → wiki.jb-vpn.uk:443 → Caddy → 127.0.0.1:8010 (wiki-mediawiki)
-= '''Nginx Receives''': Nginx listens on ports 80 (HTTP) and 443 (HTTPS) =
+</pre>
-= '''SSL Termination''': If HTTPS, SSL is terminated at the VPS =
-= '''Reverse Proxy''': Nginx forwards the request through the VPN tunnel to the Synology NAS =
-= '''Service Response''': Synology service responds back through the tunnel =
-= '''Client Response''': Nginx sends the response back to the client =
-== Network Diagram ==
+Example (DSM):
+<pre>
+Browser → dsm.jb-vpn.uk:443 → Caddy → https://10.8.0.2:5001
+</pre>
+== Network diagram ==
 <pre>
 ┌─────────────┐
 │   Client    │
-│  (Browser)  │
 └──────┬──────┘
         │ HTTPS (443)
-       │
         ▼
 ┌─────────────────────────────────────┐
 │         VPS (87.106.61.62)          │
 │  ┌───────────────────────────────┐  │
-│  │      Nginx (Reverse Proxy)    │  │
+│  │  Caddy (TLS + routing)        │  │
-│  │  - SSL Termination            │  │
-│  │  - Request Routing            │  │
-│  │  - Header Rewriting           │  │
 │  └───────────┬───────────────────┘  │
 │              │                       │
-│              │ OpenVPN Tunnel        │
+│     ┌────────┴────────┐              │
-│              │ (tun0: 10.8.0.1)      │
+│     ▼                 ▼              │
-└──────────────┼───────────────────────┘
+│  127.0.0.1         tun0 → 10.8.0.2   │
-               │
+│  Docker stacks     NAS services      │
-               │ HTTP (Internal)
+│  - 8010/8011 Wiki  - 5001 DSM        │
-               ▼
+│  - 8008/8009 App   - 32400 Plex      │
-┌─────────────────────────────────────┐
+│  - 8080 phpMyAdmin                   │
-│      Synology NAS (10.8.0.2)        │
-│  ┌───────────────────────────────┐  │
-│  │    Internal Services          │  │
-│  │  - Port 8080 (Wiki)          │  │
-│  │  - Port 8081 (Werbs-Wiki)    │  │
-│  │  - Port 5001 (DSM)           │  │
-│  │  - Port 32400 (Plex)         │  │
-│  └───────────────────────────────┘  │
 └─────────────────────────────────────┘
 </pre>
-== Network Ports ==
+== Ports ==
-=== Public Ports (VPS) ===
-* '''Port 80 (HTTP)''': Redirects to HTTPS
-* '''Port 443 (HTTPS)''': SSL/TLS encrypted traffic
-* '''Port 22 (SSH)''': Server administration
-* '''Port 1194 (UDP)''': OpenVPN server
+=== Public (VPS) ===
-=== Internal Ports (Synology NAS via VPN) ===
+{| class="wikitable"
+|-
+| Port || Purpose
+|-
+| 80 || HTTP → HTTPS redirect (Caddy)
+|-
+| 443 || HTTPS (Caddy)
+|-
+| 22 || SSH (VPS admin)
+|-
+| 1194/udp || OpenVPN server
+|-
+| 22222 || SSH forward to NAS (iptables)
+|}
-* '''Port 8080''': Wiki service
+=== Local (VPS <code>127.0.0.1</code>) ===
-* '''Port 8081''': Werbs-Wiki service
+{| class="wikitable"
+|-
+| Port || Service
+|-
+| 8010 || Main MediaWiki
+|-
+| 8011 || Werbs MediaWiki
+|-
+| 3307 || Wiki MariaDB
+|-
+| 8008 || WebApp production
+|-
+| 8009 || WebApp beta
+|-
+| 8080 || phpMyAdmin
+|}
-* '''Port 5001''': Synology DSM
+=== NAS (via VPN <code>10.8.0.2</code>) ===
-* '''Port 32400''': Plex Media Server
+{| class="wikitable"
+|-
+| Port || Service
+|-
+| 5001 || DSM (HTTPS)
+|-
+| 32400 || Plex
+|-
+| 22 || SSH
+|}
-* '''Port 22''': SSH (forwarded via iptables on port 22222)
+== Related documentation ==
-== Related Documentation ==
+* [Components Components] — component details
-* [Key Components](components.md) - Detailed component information
+* [[Services:Current Services]] — hostname inventory
-* [OpenVPN Server](index.md) - VPN configuration
+* [[OpenVPN:Integration|OpenVPN Integration]] — VPN and proxy interaction
-* [[Documentation:Index|Troubleshooting]] - Network troubleshooting
 [[Category:Documentation]]
 [[Category:Documentation/System]]

Latest revision as of 14:04, 16 May 2026

Network topology

Network components

Traffic flow

Network diagram

Ports

Public (VPS)

Local (VPS 127.0.0.1)

NAS (via VPN 10.8.0.2)

Related documentation

Local (VPS `127.0.0.1`)

NAS (via VPN `10.8.0.2`)