
OpenVPN:Integration: Difference between revisions

From jb-vpn.uk Wiki
Major update - configuration guide: OpenVPN Integration with Reverse Proxy (27 sections)
Updated documentation from markdown files
 
Line 5: Line 5:
The OpenVPN server is essential for the reverse proxy system:
The OpenVPN server is essential for the reverse proxy system:


=== '''Synology NAS connects''' via VPN (10.8.0.2) ===
=== '''Synology NAS connects''' via VPN (10.8.0.2) for DSM, Plex, and SSH ===
== '''Nginx reverse proxy''' forwards requests to 10.8.0.2 ==
== '''Caddy reverse proxy''' forwards public hostnames to local VPS services or to 10.8.0.2 via VPN ==
== '''Services are accessible''' via public subdomains without direct internet exposure ==
== '''Services are accessible''' via HTTPS without exposing the NAS directly to the internet ==
== '''All traffic is encrypted''' through the VPN tunnel ==
== '''All traffic is encrypted''' through the VPN tunnel ==
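Review bot: the four overview items are written as `==`/`===` section headings (the first at a different level from the other three), so the rendered page shows each one as its own section with an edit link instead of a list; make them `*` bullet items under "The OpenVPN server is essential for the reverse proxy system:". The unchanged item "All traffic is encrypted through the VPN tunnel" no longer holds once Caddy also proxies to local VPS services (new line above); narrow it to traffic between the VPS and the NAS, which is how the Benefits section already phrases it.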


Line 13: Line 13:


<pre>
<pre>
Internet → VPS (87.106.61.62)  
Internet → VPS (87.106.61.62)
   → Nginx Reverse Proxy
   → Caddy
   → OpenVPN Tunnel (tun0: 10.8.0.1 → 10.8.0.2)
   → (local) MediaWiki / WebApp on 127.0.0.1
  Synology NAS Services
  → (VPN) OpenVPN tun0 → 10.8.0.2 → DSM / Plex
</pre>
</pre>


== How It Works ==
== How It Works ==


=== Client accesses a public subdomain (e.g., <code>wiki.jb-vpn.uk</code>) ===
=== Client accesses a public subdomain (e.g., <code>dsm.jb-vpn.uk</code> or <code>wiki.jb-vpn.uk</code>) ===
== DNS resolves to VPS public IP (87.106.61.62) ==
== DNS resolves to VPS public IP (87.106.61.62) ==
== Nginx receives the request on port 443 (HTTPS) ==
== Caddy receives the request on port 443 (HTTPS) and terminates TLS ==
== SSL is terminated at the VPS ==
== For VPS-hosted services (wiki, WebApp), Caddy proxies to <code>127.0.0.1</code> ==
== Nginx forwards the request through the OpenVPN tunnel to the Synology NAS (10.8.0.2) ==
== For Synology services (DSM, Plex), Caddy proxies through the OpenVPN tunnel to <code>10.8.0.2</code> ==
== The service on the Synology NAS responds ==
== The backend responds; Caddy returns the response to the client ==
== The response travels back through the VPN tunnel ==
== Nginx sends the response to the client ==


== Benefits ==
== Benefits ==
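Review bot: "Caddy proxies to 127.0.0.1" and "Caddy proxies through the OpenVPN tunnel to 10.8.0.2" omit the backend ports, while the Verification section probes 127.0.0.1:8010 and 10.8.0.2:5001; name the port per service here or in the Network Flow block so the described flow and the checks agree. Same heading-as-list-item problem as above: the six steps should be a numbered list (`#` items), not `==` headings, which is why the old and new revisions both render every step as a section.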
Line 45: Line 43:


=== '''OpenVPN server must be running''' on the VPS ===
=== '''OpenVPN server must be running''' on the VPS ===
== '''Synology NAS must be connected''' to the VPN (10.8.0.2) ==
== '''Synology NAS must be connected''' to the VPN (10.8.0.2) for DSM/Plex/SSH forwards ==
== '''VPN tunnel must be active''' (tun0 interface up) ==
== '''VPN tunnel must be active''' (tun0 interface up) for Synology-backed hostnames ==
== '''Nginx must be configured''' to forward to 10.8.0.2 ==
== '''Caddy must be configured''' in <code>/etc/caddy/Caddyfile</code> ==


== Verification ==
== Verification ==
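Review bot: the new requirement "Caddy must be configured in /etc/caddy/Caddyfile" says where but drops the what that the old "Nginx must be configured to forward to 10.8.0.2" carried; state that the Caddyfile needs one site block per public hostname, pointing at 127.0.0.1 for VPS-hosted services and at 10.8.0.2 for Synology-backed ones. The items are again `==` headings rather than `*` list items.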
Line 63: Line 61:
ping -c 2 10.8.0.2
ping -c 2 10.8.0.2


== Check Nginx can reach Synology ==
== Check wiki on VPS ==
curl http://10.8.0.2:8080
curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8010/
 
== Check DSM on Synology (via VPN) ==
curl -k -sI -m 5 https://10.8.0.2:5001/ | head -1
</pre>
</pre>
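Review bot: `curl -k -sI -m 5 https://10.8.0.2:5001/` disables certificate verification; that is fine for a reachability probe, but the text should say so, and it should note that Caddy's reverse_proxy to the same HTTPS backend must be told how to handle the NAS certificate (trust it explicitly, or deliberately skip verification), otherwise the proxied DSM request fails on certificate verification even though this check succeeds. The `-m 5` timeout and `-sI | head -1` are a good pattern; consider applying the same timeout to the wiki check on 127.0.0.1:8010 so a hung backend does not stall the script.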



Latest revision as of 14:04, 16 May 2026

This document describes how the OpenVPN server integrates with the reverse proxy system.

Integration Overview

The OpenVPN server is essential for the reverse proxy system:

  • Synology NAS connects via VPN (10.8.0.2) for DSM, Plex, and SSH
  • Caddy reverse proxy forwards public hostnames to local VPS services or to 10.8.0.2 via VPN
  • Services are accessible via HTTPS without exposing the NAS directly to the internet
  • All traffic between the VPS and the NAS is encrypted through the VPN tunnel

Network Flow

<pre>
Internet → VPS (87.106.61.62)
  → Caddy
  → (local) MediaWiki / WebApp on 127.0.0.1
  → (VPN) OpenVPN tun0 → 10.8.0.2 → DSM / Plex
</pre>

How It Works

  1. Client accesses a public subdomain (e.g., dsm.jb-vpn.uk or wiki.jb-vpn.uk)
  2. DNS resolves to VPS public IP (87.106.61.62)
  3. Caddy receives the request on port 443 (HTTPS) and terminates TLS
  4. For VPS-hosted services (wiki, WebApp), Caddy proxies to 127.0.0.1
  5. For Synology services (DSM, Plex), Caddy proxies through the OpenVPN tunnel to 10.8.0.2
  6. The backend responds; Caddy returns the response to the client
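A Caddyfile that implements the flow above, added here as an illustration and not copied from the site's own /etc/caddy/Caddyfile. The hostnames, 127.0.0.1:8010 (wiki) and 10.8.0.2:5001 (DSM) come from this page; the Plex port 32400, the certificate path and the name in the NAS certificate are assumptions. The DSM block shows the weak setting (skipping upstream certificate verification, the equivalent of `curl -k`) commented out beside the pinned form.

```caddyfile
# Added example, not the page's Caddyfile. Ports 8010 (wiki) and 5001 (DSM)
# are from the page; Plex's 32400, the PEM path and the cert name are assumed.

# VPS-hosted service: proxied on the loopback interface, never enters the tunnel.
wiki.jb-vpn.uk {
	reverse_proxy 127.0.0.1:8010
}

# Synology service reached over the OpenVPN tunnel. DSM serves HTTPS on 5001,
# so Caddy has to decide how to validate the NAS certificate.
dsm.jb-vpn.uk {
	reverse_proxy https://10.8.0.2:5001 {
		transport http {
			# Weak: accept any certificate presented on 10.8.0.2 (what `curl -k` does).
			# tls_insecure_skip_verify

			# Preferred: trust only the NAS's exported certificate (path assumed)
			# and verify it against the name it was issued for (assumed value).
			tls_trusted_ca_certs /etc/caddy/synology-cert.pem
			tls_server_name synology-nas.example
		}
	}
}

# Plex over the tunnel; 32400 is Plex's default port (assumed here), plain HTTP.
plex.jb-vpn.uk {
	reverse_proxy 10.8.0.2:32400
}
```

If the DSM certificate is self-signed, the exported certificate itself is what goes in the PEM file, and the name given to tls_server_name must appear in that certificate's subject alternative names.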

Benefits

  • No Direct Exposure: Synology NAS is not directly accessible from the internet
  • Encrypted Tunnel: All traffic between VPS and NAS is encrypted via OpenVPN
  • Secure Access: Services are accessible via HTTPS while remaining isolated
  • Centralized Management: All services accessible through a single VPS

Requirements

For the integration to work:

  • OpenVPN server must be running on the VPS
  • Synology NAS must be connected to the VPN (10.8.0.2) for DSM/Plex/SSH forwards
  • VPN tunnel must be active (tun0 interface up) for Synology-backed hostnames
  • Caddy must be configured in /etc/caddy/Caddyfile

Verification

Check that the integration is working:

<pre>
# Check VPN is running
systemctl status openvpn

# Check VPN interface
ip addr show tun0

# Check Synology is connected
ping -c 2 10.8.0.2

# Check wiki on VPS
curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8010/

# Check DSM on Synology (via VPN)
curl -k -sI -m 5 https://10.8.0.2:5001/ | head -1
</pre>

  • [System Overview](index.md) - Overall system architecture
  • [Server Configuration](server-configuration.md) - OpenVPN server setup
  • [Adding Services](index.md) - Configuring services