I have a problem concerning configuration and routing on a reverse proxy that is connected to my local network and via WireGuard VPN to a gateway to the internet. Let me explain:
My home network 192.168.178.0/24 is connected to the internet through carrier-grade NAT. So my "public" IPv4 is shared with many other users and cannot be used for incoming connections to my Nextcloud home server over the internet. My ISP dislikes home servers so much that even my IPv6 prefix changes every 24 hours. I did find a solution for that (do[dot]de does dynamic DNS for IPv6 as an included service if you have a domain with them), but I am regularly on networks which support only IPv4. That's why I am currently working on a different solution to be able to connect via IPv4.
The easiest thing would be to dig a tunnel through the CGNAT to a VPS with a public IPv4. But that way I would always - even on my LAN - connect to my Nextcloud home server through the internet using the slow upload of my internet connection (only 30 Mbit). So this is not a good option. I already have a reverse proxy on my LAN and I want to configure it in a way that it can accept connections from both my LAN and the internet via a WireGuard VPN connection to my VPS. I do have an idea of the setup I want, so let me try to sketch what I am thinking.
[WAN] --(https)--> [(eth0)-WG-gateway-(wg0)] --> \\
                                                  [(eth0)/(wg0)-localRP-(eth0)] --> [NCServer]
[LAN] -------(https)---------------------------> //
[NCServer]: My Nextcloud server, running in my LAN: 192.168.178.55
[localRP]: Reverse proxy running in my LAN: eth0 (192.168.178.50), currently providing SSL certificates for my Nextcloud. Needs to accept incoming requests over the wg0 and eth0 interfaces and pass them on to [NCServer]. Planned: WireGuard client, connecting to WG-gateway: wg0 (10.8.0.3)
[WG-gateway]: Virtual server running a WireGuard VPN server and an nginx reverse proxy. Public interface: eth0 (some.public.ip.4), WireGuard interface: wg0 (10.8.0.1). Plan: reverse proxy passthrough to the upstream reverse proxy in my LAN [localRP] on interface wg0 (10.8.0.3).
In this setup, my domain points to my VPS (WG-gateway), which has a static public IPv4. Incoming HTTPS traffic would be passed on to a connected WireGuard client that sits on my LAN [localRP] (10.8.0.3) via a passthrough reverse proxy. The [localRP] still has the SSL certificates and forwards incoming requests to the Nextcloud server.
I believe I can manage to set up and configure most of the plan. Where I am struggling: How do I configure my local reverse proxy routing in such a way that it connects to [WG-gateway] and still accepts incoming HTTPS connections both on wg0 and eth0 and forwards them all to 192.168.178.55? Is there even hope of this working? I don't really understand routing yet. Help is much appreciated!
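The two nginx configurations the sketched setup needs, written here as an added example and not taken from the original post or from any existing setup. It assumes nginx with the stream module on both hosts, that Nextcloud listens on plain HTTP port 80 on 192.168.178.55, that the hostname is the placeholder cloud.example.org, and that certificates live under /etc/letsencrypt; the addresses 10.8.0.1, 10.8.0.3 and 192.168.178.55 are the ones from the post.

```nginx
# ---- WG-gateway (some.public.ip.4): TLS passthrough, no certificate on this host ----
# Lives in the top-level nginx.conf next to (not inside) the http { } block.
stream {
    upstream localrp_tls {
        server 10.8.0.3:443;   # localRP, reached through the WireGuard tunnel
    }
    upstream localrp_http {
        server 10.8.0.3:80;    # only needed if certificates are renewed with HTTP-01 (assumption)
    }
    server {
        listen 443;
        proxy_pass localrp_tls;        # bytes are relayed unchanged, TLS is terminated on localRP
        proxy_connect_timeout 5s;
    }
    server {
        listen 80;
        proxy_pass localrp_http;
    }
}

# ---- localRP (192.168.178.50 on eth0, 10.8.0.3 on wg0): terminates TLS, forwards to Nextcloud ----
http {
    server {
        # Binding the wildcard address covers both eth0 and wg0; no per-interface listen is needed.
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name cloud.example.org;                              # placeholder hostname
        ssl_certificate     /etc/letsencrypt/live/cloud.example.org/fullchain.pem;  # assumed path
        ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;    # assumed path
        client_max_body_size 0;        # do not cap Nextcloud uploads at nginx's 1m default

        location / {
            proxy_pass http://192.168.178.55:80;                    # assumption: Nextcloud on plain HTTP
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
    server {
        listen 80;
        listen [::]:80;
        server_name cloud.example.org;
        return 301 https://$host$request_uri;   # ACME challenge locations would go here if HTTP-01 is used
    }
}
```

The routing part is simpler than it looks. On localRP, the WireGuard peer entry for WG-gateway should carry AllowedIPs = 10.8.0.0/24 (not 0.0.0.0/0) plus PersistentKeepalive = 25 so the tunnel survives the CGNAT's connection tracking; wg-quick then installs a route for 10.8.0.0/24 via wg0 and leaves the default route on eth0. WAN requests arrive at localRP from 10.8.0.1, and replies to 10.8.0.1 match that route and go back through the tunnel, while LAN clients reach 192.168.178.50 directly and never touch the VPS. Two consequences to plan for: with plain passthrough, localRP sees every internet client as 10.8.0.1 (the real address is only visible if you enable PROXY protocol on both sides), and Nextcloud's trusted_proxies should list 192.168.178.50 so it trusts the X-Forwarded-* headers from localRP.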