Server Fault: Set up multiple servers behind a NAT
[+1] [1] bkrupa
[2011-07-11 19:08:01]
[ domain-name-system vpn domain nat hosts ]
[ https://serverfault.com/questions/289156/set-up-multiple-servers-behind-a-nat ]

I am currently trying to set up a network with both a secure webserver and an internal OpenVPN server. The webserver is running Windows 2008 and the VPN network is running the Access Server from OpenVPN. The problem that I'm having is that I want to be able to access both servers from outside the NAT. I would like to do something like this:

                    Outside
                       |
                       |
                      NAT
                       |
           ------------------------------------
           |                |                  |
        test.org           vpn.test.org       dns.test.org

and host test.org and vpn.test.org on different machines. I want both to be accessible on port 433 from the outside. I'm not sure how to go about doing this, so any help would be greatly appreciated.

Do you have multiple public IP addresses pointing to the NAT? - ghm1014
[+6] [2011-07-11 19:19:01] EEAA [ACCEPTED]

If you need them both to be available on port 443, you'll need two IP addresses on the WAN interface of your NAT device.

There isn't any way to do this through DNS? - bkrupa
(4) DNS only resolves names to an IP address, it has nothing to do with port numbers. - EEAA
Yes, but is there a way to have test.org and vpn.test.org resolve to different IP addresses behind the NAT? - bkrupa
(1) Well technically yes, you could set those two DNS names to resolve to the internal addresses of the hosts, but that's not going to satisfy your requirement that they be accessible from the outside. - EEAA
Or even to have DNS return a different port number so that from the outside the url looks the same but the ports are different? - bkrupa
(3) Once again, DNS has zero control over port numbers. No, it's not possible. - EEAA
Is it possible to forward port 443 from test.org to vpn.test.org when necessary? - bkrupa
You might be able to do it kind of slick-like if you had a proxy server in the mix based on the requested URL coming in. This is all speculation on my part though. - SpacemanSpiff
(2) Assuming that you're running SSL over port 443, everything is encrypted. How would you suppose you'd be able to tell where traffic should be routed? - EEAA
My best guess would be based on the URL. I don't even know if it's possible to forward a port from one machine to another conditionally. - bkrupa
(1) @bkrupa - if the traffic were not encrypted, and if you had some sort of intelligent proxy, you could possibly do something like this. Neither of those is true in your case, though. - EEAA
So you're saying that it would be possible on port 80 but not on 443? - bkrupa
@bkrupa, port 443 in and of itself has nothing to do with it. The same constraints would hold true for any port number. As I mentioned, the issues are that 1) your traffic is likely encrypted and 2) you don't have any sort of proxy in-line to direct requests. - EEAA
How difficult would it be to set up a proxy? - bkrupa
@ErikA let us continue this discussion in chat - bkrupa
Sounds good - I'm already over there. - EEAA
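The layout the accepted answer describes (two public IPs on the NAT's WAN side, each forwarded to one internal host on 443), as an added example that is not from the thread: a shell function that turns a forwarding table into Linux iptables DNAT rules and refuses a table in which two entries claim the same public IP and port, which is exactly the collision a single-IP setup runs into. The addresses, the WAN interface name `eth0` and the function name are constructed assumptions.

```shell
#!/bin/sh
# Forwarding table for the two-public-IP layout. Addresses are constructed
# for illustration (documentation ranges), not the asker's real network.
# Columns: public_ip public_port internal_ip internal_port
FORWARDS='203.0.113.10 443 192.168.1.10 443
203.0.113.11 443 192.168.1.20 443'

# Emit the iptables commands for a forwarding table, or fail if two entries
# share a public ip:port. A NAT device matches only on destination IP and
# port; the hostname the client typed is never visible to it, so a second
# rule for the same ip:port would never match (the first rule always wins).
forward_rules() {
    table="$1"; wan="${2:-eth0}"   # eth0 is an assumed WAN interface name
    seen=""
    while read -r pub pport int iport; do
        [ -z "$pub" ] && continue
        case " $seen " in
            *" $pub:$pport "*)
                echo "conflict: $pub:$pport already forwarded; a second public IP is needed" >&2
                return 1 ;;
        esac
        seen="$seen $pub:$pport"
        # Rewrite the destination of new connections arriving on the WAN side...
        echo "iptables -t nat -A PREROUTING -i $wan -d $pub -p tcp --dport $pport -j DNAT --to-destination $int:$iport"
        # ...and allow the rewritten packet through the forwarding chain.
        echo "iptables -A FORWARD -i $wan -d $int -p tcp --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
    done <<EOF
$table
EOF
}

# Both public IPs must be configured on the WAN interface and
# net.ipv4.ip_forward must be enabled for these rules to take effect.
forward_rules "$FORWARDS"
```

Feeding the function a table in which both servers sit behind one public IP on 443 makes it exit non-zero instead of emitting a dead second rule.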