
I am currently trying to set up a network with both a secure webserver and an internal OpenVPN server. The webserver is running Windows 2008 and the VPN network is running the Access Server from OpenVPN. The problem that I'm having is that I want to be able to access both servers from outside the NAT. I would like to do something like this:

                    Outside
                       |
                       |
                      NAT
                       |
           ------------------------------------
           |                |                  |
        test.org           vpn.test.org       dns.test.org

and host test.org and vpn.test.org on different machines. I want both to be accessible from port 433 and from the outside. I'm not sure how to go about doing this so any help would be greatly appreciated.

bkrupa

1 Answer


If you need them both to be available on port 443, you'll need two IP addresses on the WAN interface of your NAT device.

EEAA
  • There isn't any way to do this through DNS? – bkrupa Jul 11 '11 at 19:21
  • DNS only resolves names to an IP address; it has nothing to do with port numbers. – EEAA Jul 11 '11 at 19:21
  • Yes, but is there a way to have test.org and vpn.test.org resolve to different IP addresses behind the NAT? – bkrupa Jul 11 '11 at 19:23
  • Well, technically yes, you could set those two DNS names to resolve to the internal addresses of the hosts, but that's not going to satisfy your requirement that they be accessible from the outside. – EEAA Jul 11 '11 at 19:24
  • Or even to have DNS return a different port number so that from the outside the URL looks the same but the ports are different? – bkrupa Jul 11 '11 at 19:25
  • Once again, DNS has *zero* control over port numbers. No, it's not possible. – EEAA Jul 11 '11 at 19:26
  • Is it possible to forward port 443 from test.org to vpn.test.org when necessary? – bkrupa Jul 11 '11 at 19:28
  • You might be able to do it kind of slick-like if you had a proxy server in the mix, based on the requested URL coming in. This is all speculation on my part though. – SpacemanSpiff Jul 11 '11 at 19:29
  • Assuming that you're running SSL over port 443, everything is encrypted. How would you suppose you'd be able to tell where traffic should be routed? – EEAA Jul 11 '11 at 19:30
  • My best guess would be based on the URL. I don't even know if it's possible to forward a port from one machine to another conditionally. – bkrupa Jul 11 '11 at 19:32
  • @bkrupa - *if* the traffic were not encrypted, and *if* you had some sort of intelligent proxy, you could possibly do something like this. Neither of those are true in your case, though. – EEAA Jul 11 '11 at 19:33
  • So you're saying that it would be possible on port 80 but not on 443? – bkrupa Jul 11 '11 at 19:35
  • @bkrupa, port 443 in and of itself has nothing to do with it. The same constraints would hold true for any port number. As I mentioned, the issues are that 1) your traffic is likely encrypted and 2) you don't have any sort of proxy in-line to direct requests. – EEAA Jul 11 '11 at 19:38
  • How difficult would it be to set up a proxy? – bkrupa Jul 11 '11 at 19:40
  • @ErikA let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/773/discussion-between-bkrupa-and-erika) – bkrupa Jul 11 '11 at 19:40
  • Sounds good - I'm already over there. – EEAA Jul 11 '11 at 19:41