
Topic: Nextcloud Deployment Possible for me? Issues = CGN, etc. (take 2)


svtkobra7

NOTE: I posted this under General Questions, but realize that the OVPN subforum may be a better fit as I'm sure I will have to use VPN to achieve my objective if possible.
https://forum.pfsense.org/index.php?topic=143950.msg783787#msg783787

Preface
Long time lurker here. I've been running pfSense since I built my AIO server in early 2017. I don't have an IT background, so while I can eventually figure things out, it takes forever. On this particular item, I've struggled for days (literally) attempting to fulfill a simple objective, but have been unsuccessful and figured I would turn to the forum to ask for a kind hand. Thanks in advance for any guidance you can offer.

Objective
● Deploy Nextcloud 13, hardened, and accessible at domain: DOMAIN.com
● I don't care how I get there (likely Ubuntu VM), but of course pf is heavily involved.
● I have two issues: (a) I can't connect the internal Nextcloud IP to DOMAIN.com and (b) I can't use certbot to obtain SSL

Scenario / Constraints
● ISP
  ○ Single provider available to all units in condo building, cost = HOA dues pass through
  ○ Static IPs offered @ $20/month (which I can't bring myself to do for a number of reasons)
  ○ Ethernet to structured media enclosure, no modem to place in bridge mode, etc
  ○ CGN being used
● VPN
  ○ Provider = TorGuard / Port Forwards offered if port greater than 2048, i.e. can't forward 443
  ○ OVPN Client #1 = TG_Static = Shared Public IP w/ port forward
  ○ OVPN Client #2 = TG_Dynamic = All other traffic
  ○ Why?
    ■ TG_Static was set up as a test case / future use to facilitate the objective
    ■ Port 32400 Forwarded via Torguard / pfSense Port Forward created / Test Case = Pass

Is what I'm trying to accomplish achievable? Items I've looked into (but haven't been able to piece everything together):
● Use VPN to bypass CGN (similar to Plex test case).
● VPN "443" Port Share (requires an option added to the VPN client and allows web server traffic to flow through to localhost:443). Haven't been able to get this to work yet.
● I know Apache can be set to "listen" on a port other than 443. But I don't think this allows the certbot script to succeed.
● ACME package. I have successfully edited DNS text record to achieve validation.
● Reverse proxy / HAproxy pf package. Unfamiliar.

Again, thanks!  :)