Saturday, October 30, 2021

VPN + Reverse Proxy for remote access - How will return traffic be routed?

Currently, I’m planning out how to remotely access some local servers (VMs) running behind a CGNAT that I have no control over. My idea is to install a VPN server (WireGuard) on a VPS and have a dedicated VPN client VM that will also run a reverse proxy (Caddy). My domain will point to the VPS, which will forward HTTP / HTTPS traffic to the VPN client, which will then reverse proxy the traffic to the respective servers based on subdomain. That takes care of getting traffic to flow in from behind the CGNAT.

What I’m a little unsure of is how the servers will try to route the return traffic. Each server’s default gateway is set to the local subnet’s router. So, if a remote user initiates a connection to the VPS which eventually ends up at a local server, won’t the server try to send that return traffic via the default gateway? Or will it know to send it back to the VPN client which will forward it back through the VPN to the VPS? I feel like I’m forgetting some networking fundamentals here…

I could simply configure each server’s default gateway to be the VPN client, but I’m only using the VPN to bypass the CGNAT and would rather use my local ISP connection for all other traffic.

TLDR: Will a host know to send return traffic via the same path it was received, or will it always try the default gateway?

Any suggestions on my plan are also welcomed. I’ve considered configuring each client to connect to the VPS VPN server directly and running the reverse proxy on the VPS, but it seems simpler to just worry about one VPN connection instead of separate connections for each server.
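Added example, not part of the original post: a host picks the reply path by a longest-prefix lookup on the destination address of the reply (the source address it saw on the request), not by remembering where the request arrived. The sketch below runs that lookup for the setup described above. All addresses and routing tables are constructed assumptions, including that the VPN client VM only routes the tunnel subnet over `wg0`.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match on the destination, as done for every outgoing packet.
    Returns (next_hop, interface); the next hop is dst itself when the route is on-link."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    _prefix, gateway, iface = max(
        candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return (gateway or dst, iface)

# Constructed addressing (assumptions, not taken from the post)
LAN_ROUTER = "192.168.1.1"    # default gateway of the local subnet
PROXY_LAN = "192.168.1.50"    # VPN client VM running the reverse proxy
VPS_TUNNEL = "10.8.0.1"       # VPS address inside the WireGuard tunnel
REMOTE_USER = "203.0.113.7"   # public address of a remote visitor

# (prefix, gateway or None for on-link, interface)
SERVER_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", LAN_ROUTER, "eth0"),
]
PROXY_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),
    ("10.8.0.0/24", None, "wg0"),
    ("0.0.0.0/0", LAN_ROUTER, "eth0"),
]

def reply_paths():
    """Where each host sends its reply, keyed by the source address it saw."""
    return {
        # Reverse proxy opens its own connection, so the server sees the proxy's LAN IP.
        "server_behind_proxy": lookup(SERVER_ROUTES, PROXY_LAN),
        # Packets merely forwarded (no proxy, no source NAT): server sees the visitor's IP.
        "server_plain_forward": lookup(SERVER_ROUTES, REMOTE_USER),
        # VPS source-NATs forwarded traffic: proxy VM sees the VPS tunnel IP.
        "proxy_vps_snat": lookup(PROXY_ROUTES, VPS_TUNNEL),
        # VPS only rewrites the destination: proxy VM sees the visitor's public IP.
        "proxy_vps_dnat_only": lookup(PROXY_ROUTES, REMOTE_USER),
    }

if __name__ == "__main__":
    for case, (hop, iface) in reply_paths().items():
        print(f"{case:22} -> next hop {hop} via {iface}")
```

In the two cases where the host sees the visitor's public address, the reply leaves through the LAN router rather than the tunnel, which is the asymmetric path the question is worried about.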


