I have a couple of questions.
I have been using DDNS (https://github.com/skibish/ddns) which keeps my server IP in sync through DigitalOcean’s API. So my domains are configured inside DO.
This works relatively ok, but I also use my server as a workstation and it’s my dev env.
The problem I have is that I cannot use protonvpn, as DDNS picks up my local IP, and updates DO with that, which means that I have to implement a solution inside my router that will forward all traffic to my DMZ. In this way I can still obfuscate my server Ip, and traffic to the base IP will still be routed.
I have looked at some options, and my router does support deSEC.
I see that when I configure my router, it asks for Domain Name, Username, Password.
Question here is, would I still be able to host multiple domains ? This auth inside the router and the specified domain does not mean that only that domain will be functional ?
… and am I assuming correctly that I will be able to implement protonVPN on my server, and still be able to host my sites via the router in the config ?
I appreciate your feedback
Thanks for your message, and welcome to deSEC!
Sure, you can have several domains in your account.
I don’t know protonVPN, so I can’t say what’s possible and what’s not. However, I can tell you that deSEC DNS does not impose any restrictions for VPN/routers etc., so maybe you can find a way.
I think the problem you will be facing if you have the VPN and DDNS in the same router, is that the DDNS will then take the IP address from Proton VPN and not the one from your ISP. As Proton VPN does not support port forwarding, your DDNS client or whatever endpoint you are trying to reach, will not be reachable.
If you get a way around that, do let me know as I am also searching.
deSEC supports specifying the IP address in the update url, rather than automatically determining it from the HTTP connection. (See our docs at desec.readthedocs.org.) If your router supports a placeholder for it’s WAN IP in the dyndns update URL, then you can circumvent this problem.
Thank you Peter, think I’ll start with an inactive domain, and bring my live systems over when I’ve done the testing.
I won’t implement the VPN on the router, but rather on my server and clients. I tested on my current config, made sure my dns was up to date, stopped the ddns service and started the vpn. For some reason I had issues. My router puts my server in a dmz and forwards all inbound traffic to it, where the server responds to 80 and 443. I might have to look at he iptables.
If your VPN terminates on the same machine (server) as your websites then the default route on that machine will probably point to the VPN. Thus inbound traffic for your websites will reach the webserver but its answers will probably go through the VPN. That is bound to cause problems.
Either use different machines for VPN and server or you might think about running your websites as VMs with their own networking, thus unaffected by the VPN.
@fiwswe, you are absolutely right. I should just spin up a KVM. I initially worked with my macbook and server side by side, but too many monitors and apple’s privacy encroachment with big sur, I decided to stop using the mac, until I can get ubuntu running on it properly. I’ve got node apps, sql, postgress and various crypto nodes running here, probably time to slice up everything into vm’s. Thanks for reminding me of what should be the most obvious solution