Hardened NextCloud Deployment [Possible with my Scenario?]

I’m trying to figure out if I can accomplish a hardened Nextcloud deployment using VPN to circumnavigate ISP’s CGN and a lack of a private IP. I’ve spent hours researching and haven’t gotten anywhere.

Objective
● Deploy Nextcloud 13, hardened, and accessible at domain: DOMAIN.com
● I don’t care how I get there (likely Ubuntu VM), but of course pf is heavily involved.
● I have two issues: (a) I can’t connect the internal Nextcloud IP to DOMAIN.com and (b) I can’t use certbot to obtain SSL
Scenario / Constraints
● ISP
○ Single provider available to all units in condo building, cost = HOA dues pass through
○ Static IPs offered @ $20/month (which I can’t bring myself to do for a number of reasons)
○ Ethernet to structured media enclosure, no modem to place in bridge mode, etc.
○ CGN being used
● VPN
○ Provider = TorGuard / Port Forwards offered if port > 2048
○ OVPN Client #1 = TG_Static = Shared Public IP w/ port forward
○ OVPN Client #2 = TG_Dynamic = All other traffic
○ Why?
■ TG_Static was set up as a test case / future use to facilitate the objective
■ Port 32400 Forwarded via TorGuard / pfSense Port Forward created / Test Case = Pass

Is what I’m trying to accomplish achievable? Below are the items I’ve looked into, but I haven’t been able to piece everything together.

● Use VPN to bypass CGN (similar to Plex test case).
● VPN “443” Port Share (requires an option added to the VPN client and allows web server traffic to flow through to localhost:443). Haven’t been able to get this to work yet.
● I know Apache can be set to “listen” on a port other than 443. But I don’t think this allows the certbot script to succeed.
● ACME package. I have successfully edited the DNS TXT record to achieve validation.
● Reverse proxy / HAProxy pf package. Unfamiliar.

As you already want/need to use an external service to get to your Nextcloud installation you might be interested in Beame-insta-ssl which is also available as a Nextcloud app:

https://apps.nextcloud.com/apps/beame_insta_ssl

In the $20 range you can already get the first dedicated servers, and surely virtual servers in a data center with a decent connection. VPN can be a solution if you want to run it at your place, but for decent speed you probably have to spend a few dollars per month, so you could use a vserver as well. If your provider gives you IPv6, you could still use storage at home via external storage.

If it is just for the certificate, I think you can go through a DNS entry to verify that you are the owner.

Ports: If you want to use Nextcloud on your mobile and other clients from different locations, I would only use the default SSL ports, because many free Wifi connections (perhaps some mobile providers as well) do not allow connections on ports other than the standard http(s) ports.
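The DNS-based validation mentioned in the question and in the reply above is the ACME DNS-01 challenge (RFC 8555): certbot prints a token, and the `_acme-challenge` TXT record must hold a value derived from that token and the ACME account key. The following added example (not code from this thread, Nextcloud or certbot) computes that expected value with the standard library and checks a DNS answer against it, so the record can be confirmed before the client is told to continue; the JWK, token and dig output are constructed, and DOMAIN.com is the placeholder from the question.

```python
"""Pre-check for an ACME DNS-01 validation (RFC 8555), as done by certbot.

Added example, not from the thread: from the challenge token the ACME client
prints and the account key's public JWK, compute the value the
_acme-challenge TXT record must carry and verify the DNS answer before telling
the client to continue. Keys, tokens and DNS answers are constructed.
"""
import base64
import hashlib
import json

# RFC 7638: only the required public members of each key type are hashed.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """ACME uses unpadded base64url throughout (RFC 8555 section 4.2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexically sorted, no whitespace, SHA-256."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Key authorization = token '.' thumbprint; the TXT record holds
    base64url(SHA-256(key authorization)) (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def record_published(expected: str, observed_txt: list) -> bool:
    """True if any observed TXT string matches. Quotes as printed by dig are
    tolerated, and several records may coexist (e.g. apex and wildcard
    validated in one order), so membership, not equality, is the test."""
    return any(r.strip().strip('"') == expected for r in observed_txt)

# Constructed sample: a public EC JWK and a token shaped like the one certbot
# shows with --manual --preferred-challenges dns.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'_acme-challenge.DOMAIN.com. IN TXT "{expected}"')
    dig_answer = [f'"{expected}"', '"v=spf1 -all"']  # constructed dig output
    print("published:", record_published(expected, dig_answer))
```

In practice the observed list would come from `dig +short TXT _acme-challenge.DOMAIN.com` against a public resolver, since the CA validates from outside and a record that is only visible on the local DNS will not pass.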