External and internal URLs

I want to present my current challenge as I don’t think my use case is that uncommon.

My setup:

  • Synology DSM 7.2
  • NextCloud AIO
  • DSM Reverse Proxy (this is a must on DSM, as it’s on Kernel 4.4 still and as mentioned here one of the container being spawn cannot bind to port 443 unless host is running kernel 4.11 or later.
  • Powerline for local network: this is an important detail, one need to understand how powerline works. Communication between two powerline devices is Point-to-point, it does not go through the home router. It is also extremely important it does not go through the router, because it would basically cut the (already poor) bandwidth in two. For this reason, it is important that all devices on the network can access nextcloud via a local IP, not the public IP of the router.
  • Multiple clients on the network run split VPN (for privacy and for work). Meaning, their DNS lookups go to public DNS servers, resolves to a local IP, and then the local client directly access this local IP because the VPN is allowing local network traffic.

Hence, my challenge is: I need two domains for nextcloud, a local one and a external/public one. Having a single external domain would cause all local traffic to go the public IP of the home router first, which I do not want (see above).

I have successfully setup the internal domain, it works fine (had to disable collabora for now, it was causing massive performance issues, I’ll look into that later).

I have assigned a proper certificate to the synology box, which includes internal and external domains both.

I have configured an external domain, which is routed to the DSM reverse proxy.

The problem is, nextcloud seems to redirect to the internal domain everytime, which of course fails when accessing from outside my home network.

Question: is there a way to disable this redirect?

In fact you don’t want two domains. This is complete hassle if you try to collaborate - e.g. share files with others - you need to now https://mynas.internalurl/somefile2345 is the same as https://cloud.externalurl/somefile2345. and as you move around you need to adopt your client/browser to connect with “another” system… It’s very hard or even impossible when you build more complex setup e.g. nextcloud-office or collabora-online

The solution for you issue is called “split brain” or “split horizon” DNS. The idea is to create a local DNS record for your public DNS inside of your network pointing to a local IP of the system (in your case reverse proxy). Then you can access your system using public DNS but local IP from your network. Everything else remains unchanged: same URLs, same TLS certificate, very similar connection path (starting with reverse proxy). splitbraindns

Simple architecture:

more detailed drawing you find here:


Split horizon DNS does not work when I have client with split VPN unfortunately.

A split VPN will always use the DNS inside the VPN tunnel, and if it resolves to a local IP, it will go outside the VPN tunnel and directly to the local network. At least this is my experience with the 4 different VPN SP I deal with here (proton VPN, IVPN, mullvad, cloudflare WARP). And yes, my extended household is a mess.

Hence, two domains needed for my scenario. Seeing how common these VPNs are getting, I assume this issue will also become more common.

But I see your point about added complexity.

Ok two domains is possible. You need e.g. “trusted_domains” for both domains


Also configure web services, certificate and DNS. For Lets encrypt use temp access from internet

It depends. If you’re using a desktop client from one of the usual suspects known from the countless Youtube ads, I don’t know, but in general you can certainly do split DNS in combination with a VPN, if necessary by creating a local host override directly in the client’s hosts file.

Who said that? Using a (privacy) VPN can make sense for certain use cases, but routing all Internet traffic permanently through such a service is neither common nor does it generally make sense.

Well, adding another domain to Nextlcoud doesn’t add much to the complexity you already created with all those VPN tunnels. :wink: Sorry but all this sounds like a complete mess to me, with probably little to no privacy benefit, or whatever you think you are going to acheive with such a setup.

1 Like

sure, but 80% of the devices on my home network are mobile devices.

a quick internet search gives this link: https://www.security.org/vpn/statistics/

I did not writ they are common, I wrote that they are becoming common. It’s a trend, they are getting more and more popular.

I did not add these VPNs myself, people living in the same household as I do installed them on their devices. I am attempting to set up a nextcloud instance for everyone, that’s it.

But you are correct it’s a mess, but my argument is that such mess will become increasingly common.

I’m sorry I can’t follow you explanations. I have to admit I have zero experience with service you describe - I know VPN from the “old school” perspective when you access a company or your home network using a VPN. in this terms a VPN makes your computer “living in some random network” to “become part of the VPN network”. In other words it logically changes your network location. This network switch could be very strict - when no traffic is allowed outside of the VPN tunnel or less strict (known as “split tunnel”) when you still access some resources directly.

But at the end nothing changes - a user is “internal” or “external” in network terms. There are tricks to make the internal user act as an external and vice versa but it doesn’t change the intention - usually (let’s skip geo-blocking etc.) you want the user access your system using the optimal network path. Depending on the issues you must fine-tune the problematic technology. If an internal user access the system through public DNS and your network routes all the traffic into the internet and back - “split brain DNS” is your choice. If you are using some VPN service which makes an internal user access the system from random external location - you want to check if there is some “local breakout” config in your VPN software - often you can define networks or domain you want to exclude form VPN… there is no “one size fits all”



many thanks for this @devnull, I did not know about this. Unfortunately it does not work or I made a mistake.

I added the domain to my config.php:

 'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.internal.com',
    2 => 'nextcloud.external.com',

I restarted all containers, but unfortunately it’s still redirecting me.

Certificate used by DSM reverse proxy includes nextcloud.external.com in the SAN, DNS is configured, clouflare points to the DSM reverse proxy.

Connection is established when loading nextcloud.external.com, but it immediately redirects to nextcloud.internal.com. Works fine when on the local network, it fails of course when accessing from outside.

I noticed in config.php there is also the following line:

'overwritehost' => 'nextcloud.internal.com'

Maybe that needs to be disabled?

Hi, see GitHub - nextcloud/all-in-one: The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Hi, no problem, thanks a lot for taking the time to answer.

A “split VPN” is a VPN which routes specific IP ranges outside the VPN.

Example, in companies, it is common to split cloud services out of the VPN tunnel, because it does not make sense to route all the traffic for cloud back to the company network, since it has to go to the cloud anyway.

You can configure most VPN clients to “allow LAN access”, which means it will detect that is the LAN subnet, and any traffic to an IP of this subnet will go local and not through the VPN tunnel.

Basically, a device running split VPN has two network interfaces: the VPN, with an IP of the remote network, and the “local” interface, with an IP from the local network.

So far I have Plex and Home Assistant who deal well with my (admittedly messed up) setup, both with very different approaches. Home Assistant’s approach is cleaner in my view and I somehow thought I would be able to get it to work with NextCloud as well.

Thanks @szaimen , I missed this statement in the installation doc. Then it’s clear cut, I won’t get multiple domains to work for now:

Can I use AIO with multiple domains?

No and it will not be added.

I will look at performance when traffic goes twice over powerline, maybe it’s sufficient for small files.

1 Like

yes this is my understanding as well. but this doesn’t match you example config

which uses DNS records. even if it works you need to exclude domains/URLs from your VPN tunnel.

I’m under impression some VPN clients support not only specific IPs but URLs exclusions as well. at least for Proton VPN you can exclude apps which would help you with Nextcloud client already Split tunneling on Windows and Android - Proton VPN Support and if additionally you use didicated “non-VPN” browser for Nextcloud this would perfectly work internally and externally using split-brain DNS…

Powerline highly depends on the cabling and might provide connection similar to twisted pair network. as long your router is not the only device connected through powerline this double-hop could occur with public DNS or even with local URL…

and finally - multiple domains might help you in some situations but add headaches for another scenarios (think about TLS certificates and permanent re-configuring client applications) - I would recommend you try to avoid multi-URL scenario.


No, no, in the public DNS provider, I also configured “nextcloud.internal.com” and it resolves to an internal IP. Then the steps are:

  1. Client running split VPN looks up nextcloud.internal.com
  2. DNS Lookup goes to public DNS
  3. Public DNS returns “”
  4. client sends traffic to “”
  5. Traffic matches the subnet of the local network
  6. Traffic routed outside the VPN directly to local network.

My Powerline provides 80Mbps max, 40Mbps if the traffic has to go to router first and then back to LAN server. (I use top of the line powerline, the electrical wiring and the electrical devices here seem to cause the bandwidth to be what it is)

TLS certificates are not a problem, I use a single one for Home Assistant for example, SAN includes both domains simply.

I’m not sure what I would have to permanently reconfigure?

Companies are using VPN connections to access local services from outside the company network, not the other way around.

Not exactley applications that are used in companies. :wink:

Traffic doesn’t go through the router and over the powerline if you are using a local DNS server with local host overrides for your public domain name.

For example the Nextcloud client on a laptop or on your phone. If your device is outside of your local network you would have to re-configure the URL to domain.external.tld. Or If you want to share a link with someone outside of your local network while you’re logged in via domain.internal.tld, the person that receives the link cannot use it, so you would have to manually re-write it to domain.external.tld.

1 Like

And by the way, setting up local IPs on a public DNS server is bad practice and the reason why you need two domain names in the first place.

With a proper Split Horizon DNS setup, you can resolve cloud.domain.tld to your router’s public IP on the public DNS server, and then let you local DNS server resolve the same domain name to Nextcloud’s internal IP on your local network.

1 Like

You misread me. Companies are indeed using VPN to access local services from outside the company. With split VPN they avoid sending traffic through the VPN tunnel (hairpinning it) which is anyway destined to the internet, such as cloud services.

The cloud services traffic does NOT travel inside the VPN, is my statement. (in this example)

Never said that either, please read my message again, there’s a misunderstanding.

Did you read my previous messages? It seems to me you are not grasping the concept of split VPN.

For example the Nextcloud client on a laptop or on your phone. If your device is outside of your local network you would have to re-configure the URL to domain.external.tld. Or If you want to share a link with someone outside of your local network while you’re logged in via domain.internal.tld, the person that receives the link cannot use it, so you would have to manually re-write it to domain.external.tld.

Yes, multiple URL support would need to be implemented in the apps as well, just like the Home Assistant app does. It does not make sense to only implement it server-side, I agree.

I agree, but unless you can name concrete downsides, I don’t really care.

Incorrect, I configure it this way because of the split VPN (again, I really think you should read my message above where I outlines step-by-step how split VPN works in my case).

Again, no, because of split VPN, which is outlined above.

The downside is that you can no longer use the same domain name for your public IP address, sound familiar? :wink:

Oh, I understand the concept of split VPN, but you don’t seem to understand the concept of split DNS.

Again, yes, you just have to find a way to use a local DNS server that overrides the public IP addresses for the services you host locally, rather than sending all DNS requests directly through the VPN tunnel. Unfortunately, I’m not familiar with all these commercial VPN providers and their client software, so I can’t help with the details on how to set that up.

But in general it is possible to use Split VPN and Split DNS in combination. It will just make things even more complicated. But I guess that’s the price you have to pay if you want to route all your internet traffic through a VPN service while hosting services locally that also should be available publicly.

1 Like

I don’t understand where “use the same domain name for my public IP” is coming, I never said I was doing this, you are talking about something entirely different now. (but, incidentally, yes it is technically possible to have two domains pointing to the same public IP)

If you know a way to do this, I am all ears. It is not possible with all split VPN solutions I have tested. (details of the VPN providers I tested are above).

No, but you absolutely should do it that way. That’s what I and others here are trying to tell you. Using the same Nextcloud with multiple domain names is a pain, not because of the technicalities of setting it up, but in everyday use, and apparently AIO doesn’t support it, so there’s that.

Yes, but you can’t use public DNS to point the same domain name to the internal and external IP of your Nextcloud server at the same time, which is why you want to use two separate domain names with Nextcloud in the first place. What you want do do is a workaround to solve a problem that wouldn’t exist with a proper split DNS setup.

Of course you can do whatever you want and add as many domain names as you like, at least to a manual Nextcloud installation. But again, I would not recommend it for reasons already mentioned in this thread.

1 Like