Question of Port Forwarding & Lets Encrypt

Hello Nextcloud Community!

I am very new to administering this kind of service and have successfully installed a full client with Ubuntu Server 20.04 LTS. Everything works perfectly on the Nextcloud front, couldn’t be happier with the product!

The predicament surfaces when I introduce a VPN server within my network. I have two public DNS services with separate domains which both use HTTP to point to my public IP. The domain I use for VPN, when visiting in a browser, lands on a Nextcloud page explaining “accessing from an untrusted domain” and doesn’t appear to go anywhere with any options.

To correct / alter this I tried to change the /etc/apache2/ports.conf file from 80 & 443 to my desired ports. Then changed the /etc/apache2/sites-available/nextcloud.conf file from 443 to my port of choice. Updated the port forwarding rules in my router and restarted the apache2 service.

When going to public Nextcloud site it says the certificate isn’t valid and doesn’t allow access to the site.

Reading on the Let’s Encrypt best practice page it explains to retain the opening of port 80 and its initial forwarding so Let’s Encrypt can keep functioning as intended. So, as I am not using the VPN much yet I have disabled the server and adjusted the public IP setting on the respective public DNS service so it goes nowhere.

My questions are:

  1. Is it a major security risk to leave the VPN domain that directs to the bad Nextcloud landing page as is?
  2. If I were to change it so that I direct port 80 to an unused IP on my network, thus rendering the public VPN site to time out when accidentally loaded on a page; would I need to redo the Let’s Encrypt and specify it to use the adjusted port rather than 80?

Thank you for your time and support with this great product!

Could you explain this a little more? It’s not very clear what you’re trying to do.

When properly configured, the VPN should not interfere with normal Nextcloud operation.

I think you may be getting ahead of yourself here. Understand the issue before you start shuffling port numbers around.

I would not consider leaving it like that…

Port 80 must go to your web server for certbot to renew the certificate (although you don’t have to actually serve Nextcloud on port 80, just certbot).

The OP has other issues to resolve, but a little sidebar.

There’s an alternative method of validating a domain for certbot using DNS. Specifically it’s called DNS-01. Take a look at the Certbot User Guide (Certbot 1.11.0.dev0 documentation). Effectively the bot uses a limited API key to generate the proper TXT record for validation, which then gets removed.

That’s right, but given the above, I think it’s best not to introduce another element of complication. I don’t know that he’s even using a supported DNS provider.

@CBK

I don’t quite understand what your goal is. Do you want your Nextcloud to be publicly accessible and use the VPN as an addition for other things or do you want the Nextcloud to only be accessible over the VPN?

@KarlF12

I am using DuckDNS for NextCloud and using NoIP for a VPN. I am using NoIP for a VPN because my router has settings compatible with it for DDNS.

Out of curiosity I went to the site I set as my VPN address and it loads to a Nextcloud landing page stating you are not accessing this site from a trusted domain, contact your site administrator.


I tried the port shuffling because a friend of mine using the same VPN service went to his NoIP VPN address and it loaded to a login of his router. To remedy it he adjusted port 80 to direct to an IP he will never use. I was hoping to have a similar outcome.


I have turned off my VPN service until I find a solution to this, having a site like that come up just didn’t sit well with me.


I don’t understand this last one. If I have to renew the Let’s Encrypt I can, my fear is that if I do that I’d adversely affect the ability for the certificate to stay valid & renew as the service is meant to do.

@bb77

Ah, I found out how to quote - haha, sorry new to the forum.

My goal is to have them as two separate services. I do want my Nextcloud public facing so my family can use it. I want the VPN because I want the ability to access my home network away from home.

I have the port forwarding set in my router for the VPN to work; and it does. I just don’t like the idea of having that faulty Nextcloud landing page on a URL that doesn’t even closely resemble my Nextcloud server URL. I think my router is taking the port 80 traffic for both URLs and pointing them to Nextcloud. When the VPN URL loads up it isn’t in the Nextcloud config as a trusted domain so it states exactly that.

> My goal is to have them as two separate services. I do want my Nextcloud public facing so my family can use it. I want the VPN because I want the ability to access my home network away from home.

Ah ok. No need for a separate domain name then, because the VPN runs on a different port anyway. Just forward the port for the VPN, e.g. port 1194, to the other device and add the port number to the domain name you are already using for your Nextcloud in the VPN client, like this: yourname.ddns.com:1194.

I like the simplicity of this. :grinning: It would mean to do my VPN server over again but that isn’t a big deal. Or at least alter the configuration files it is using. I will try this a little later today and get back to this forum.

An afterthought, if I wanted to have a public facing site aside from Nextcloud- say something like WordPress. Would this affect that too? I know, getting ahead of myself, but how would something like that be averted?

Are you running the VPN server on port 80? That wouldn’t work anyway because port 80 is already forwarded to the IP of the Nextcloud server and there it is already in use by the HTTP server.

> An afterthought, if I wanted to have a public facing site aside from Nextcloud- say something like WordPress. Would this affect that too? I know, getting ahead of myself, but how would something like that be averted?

Nope, it would not affect that directly, but then a second domain name, or rather a separate subdomain, would be preferable.

Roughly said, there are three different ways you can host multiple websites at home with one external IP address:

  • on a single host/webserver with one domain name in subdirectories
  • on a single host/webserver with multiple virtual host configurations and multiple subdomains in separate directories (preferable)
  • on different hosts/webservers with a reverse proxy in front of them.

What you can’t do is use different protocols like VPN and HTTP(S) on the same port number with only one external IP address. And you cannot forward the same port number to multiple internal IP addresses.

If you want to use a different name for the VPN anyway, you could. Then you just have to configure your web server and your Nextcloud so that they either accept the second domain name, or simply configure a virtual host on your webserver that redirects all requests that do not contain the domain name of your Nextcloud to 403 or a blank page or whatever. In Apache it would look like this:

# Catch-all virtual host: ServerAlias * matches any Host header (the second
# DDNS name, the bare IP, anything). Apache checks vhosts in configuration
# order and takes the first ServerName/ServerAlias match, so list this one
# AFTER the Nextcloud vhost or the wildcard swallows the Nextcloud name too.
<VirtualHost *:80>
 ServerName null
 ServerAlias *
 Redirect 403 /
</VirtualHost>

# Same for HTTPS. This vhost also needs SSLEngine on plus SSLCertificateFile /
# SSLCertificateKeyFile (the Nextcloud vhost's Let's Encrypt certificate can be
# reused) so the TLS handshake completes; the browser will still warn that the
# certificate name does not match, and then receive the 403.
<VirtualHost *:443>
 ServerName null
 ServerAlias *
 Redirect 403 /
</VirtualHost>

Of course you would still have to provide the port number in the VPN client. Therefore I see no benefit from doing so other than aesthetics.

Hope that is clearing things up a little :slight_smile:

I don’t think I am. I think it is just a matter of the port 80 traffic: inadvertently visiting the ddns.com URL brings it to my router, where it automatically gets translated to my Nextcloud internal server IP and then gets the untrusted domain landing page. The VPN protocol is set to the default VPN port and directs to the correct internal IP.

I like the idea of this so I can use a different URL for VPN. I am worried to mess up my Nextcloud configuration I spent hours doing. I will make a backup before I attempt anything. :rofl:

I would only use one url. Requests on port 80 or 443 with any domain name that points to your external ip will always hit your webserver. You can only decide what to do with the request there. Of course you could put a proxy in front and filter the urls there but that would complicate things even more :wink:

@cbk did someone mention to you that this is a Nextcloud security setting in config/config.php and has nothing to do with Let’s Encrypt and open ports?

@Reiner_Nippes
CBK wants to use a different DynDNS name for his VPN server and of course requests on port 80/443 for both DynDNS names then hit the Nextcloud server. I redirect such traffic to 403 but he doesn’t want to mess with the configuration of his webserver. So either he uses the same domain name for both the VPN and his Nextcloud or he has to live with the “no trusted domain name” warnings of the second DynDNS name.

what do we have:

  • one IP address
  • two dns entries
  • port 80/443 for nextcloud
  • port 1194 for openvpn

that doesn’t conflict at all. or?

this error (screenshot omitted) is caused when you don’t put both FQDNs in your trusted domain settings in the config.php.

or?

that’s exactly the “problem”, but one DNS entry works fine, therefore I would also use the working DNS entry for OpenVPN if I were CBK. Otherwise configuration changes become necessary. Then the easiest way in my opinion would be redirecting the second domain to 403. :wink:

I did this and it is working fine. :star_struck:

Thanks for this suggestion. If I do want to explore the option for adding another web server later I may revisit this thread to review your other thoughts.

Thanks so much! :smiley:


No worries, glad to be of help :slight_smile:

Good evening. Your problem seems a default kind everyone is dealing with when starting with Nextcloud.
Just change it in /var/www/nextcloud/config/config.php.

In config.php there is a line listing all trusted domains from where you can enter your Nextcloud. Every domain asking for access to your Nextcloud must be listed in this file.
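To show why the second DDNS name produces the landing page while the first one works, here is an added example (not Nextcloud’s own code) that pulls `trusted_domains` out of a config.php and re-implements the Host header check the way Nextcloud’s trusted-domain helper behaves in broad strokes: the port is stripped, localhost is always accepted, and `*` in an entry acts as a wildcard. The config text and the host names (`mycloud.duckdns.org`, `myvpn.ddns.net`, `203.0.113.5`) are constructed placeholders, and the matching rules are a simplified model, not a copy of the real implementation.

```python
import re
from typing import Dict, List

# Constructed sample of a Nextcloud config/config.php (placeholder values only).
SAMPLE_CONFIG_PHP = r"""<?php
$CONFIG = array (
  'instanceid' => 'ocplaceholder',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'mycloud.duckdns.org',
    2 => '192.168.1.10',
  ),
  'overwrite.cli.url' => 'https://mycloud.duckdns.org',
);
"""

# Same idea as Nextcloud's localhost shortcut: these hosts are always trusted.
LOCALHOST_RE = re.compile(r"^(127\.0\.0\.1|localhost|\[::1\]|::1)$", re.I)


def parse_trusted_domains(config_php: str) -> List[str]:
    """Extract the trusted_domains values from config.php text.
    Accepts both the array( ... ) and the [ ... ] spelling; values are single-quoted."""
    m = re.search(r"'trusted_domains'\s*=>\s*(?:array\s*\(|\[)(.*?)(?:\)|\])",
                  config_php, re.S)
    if not m:
        return []
    return re.findall(r"'([^']*)'", m.group(1))


def host_without_port(host: str) -> str:
    """Strip a trailing :port. A bracketed IPv6 literal keeps its brackets."""
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_trusted_domain(host_header: str, trusted: List[str]) -> bool:
    """Simplified model of Nextcloud's trusted-domain decision (assumption, not its code)."""
    domain = host_without_port(host_header)
    if LOCALHOST_RE.match(domain):
        return True
    # Reject obviously malformed names before any matching.
    if domain.startswith("-") or ".." in domain:
        return False
    for entry in trusted:
        # '*' is the only wildcard; it stands for a run of host-name characters.
        pattern = "^" + "[-.a-zA-Z0-9]*".join(re.escape(p) for p in entry.split("*")) + "$"
        rx = re.compile(pattern, re.I)
        if rx.match(domain) or rx.match(host_header):
            return True
    return False


def classify_requests(config_php: str, host_headers: List[str]) -> Dict[str, bool]:
    """Map each Host header to True (served) or False (untrusted-domain landing page)."""
    trusted = parse_trusted_domains(config_php)
    return {h: is_trusted_domain(h, trusted) for h in host_headers}


if __name__ == "__main__":
    # Both DDNS names resolve to the same public IP and the router forwards
    # port 80/443 to one server, so only the Host header differs per request.
    sample_hosts = ["mycloud.duckdns.org", "mycloud.duckdns.org:443",
                    "myvpn.ddns.net", "203.0.113.5", "localhost:8080"]
    for host, ok in classify_requests(SAMPLE_CONFIG_PHP, sample_hosts).items():
        print(f"{host:28} {'trusted' if ok else 'UNTRUSTED -> landing page'}")
```

Running it shows the Nextcloud name accepted with or without a port, the VPN name and the raw public IP rejected, and localhost always accepted. The fix is exactly what the thread says: add the second name to `trusted_domains`, or stop that name from reaching Nextcloud at all.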

Just to clarify, No-IP is a DDNS provider, not a VPN. Your actual VPN is something running on your LAN.

What’s happening here is both of your DDNS services have DNS A records pointing to the same IP address. At that IP address, a port can only be forwarded to one place. At that point the name is irrelevant except that 1.) it’s used for SSL certificate validation and 2.) as a security measure Nextcloud also checks the name against its internal list of trusted domains.

So in this case you have forwarded port 80 to your Nextcloud server.

Sounds like he does not have his router set up correctly… it should never be accessible over the internet.

So here’s the big question: what port is your VPN server listening on? It should not be 80 or 443 if you intend to also host Nextcloud.

Then you should change your virtual host setup in your web server so it doesn’t return the Nextcloud site when it wasn’t the site that was requested.

When I set these up, I redirect to bing.com or something similar if the request doesn’t come in with a valid SNI. That way when people crawl the site by IP, they don’t even see that Nextcloud is there.