Reverse Proxy & VPN Client on OpenWrt Router with multiple web servers behind it

I have a rather complicated setup, and am about to make it even more complicated, so please bear with me.

I am successfully tunneling a Raspberry Pi LEMP web/email server through a VPN cloud server in order to obtain an IP address that allows me to set PTR records. My current configuration is Internet>Vultr_Cloud_Instance_VPN_server>OpenWRT_Router>Raspberry_PI_web_server/vpn_client.

My Pi successfully tunnels all web and email traffic through WireGuard to the VPN cloud server, and successfully obtains the IP address of the cloud instance. The cloud instance is properly configured to forward the open nginx and Postfix ports back to the attached WireGuard client (the Pi web server). This setup works flawlessly.

However, I now want to attach another web server to my OpenWrt router while using only one public IP address from my VPN cloud server, so that my configuration looks like this:

Pi Server 1
Local IP: 192.168.1.2
Public IP: 123.456.789.10
Served URLs: www.example1.com

Pi Server 2
Local IP: 192.168.1.3
Public IP: 123.456.789.10
Served URLs: www.example2.com

Essentially what I want to do is for my WireGuard cloud server instance's public IP address to be shared across multiple web/email servers on the LAN, by using a reverse proxy of some sort.

STEP 1 (in theory):
Theoretically, I believe I can accomplish the FIRST STEP by making my OpenWrt router connect to my VPN cloud instance (the VPN server) as a VPN client. Great! However, I only want my servers on the OpenWrt router to send and receive traffic through the tunnel. Then I want any other devices on the router to use my default home IP address. Essentially, I need help and advice on how to create a split tunnel on WireGuard so that Pi Server 1 and Pi Server 2 both have the IP address of the VPN tunnel, and the rest of the connected devices use my home IP address. How do I configure this exactly? Any help or recommended configuration settings for split traffic would be great.

STEP 2 (in theory):
I believe I need to use a reverse proxy of some sort on the OpenWrt router that redirects requests for www.example1.com to 192.168.1.2 (web server #1) on the LAN. Then I also need to set up that proxy to redirect requests for www.example2.com to 192.168.1.3 (web server #2) on the LAN. However, I am not very familiar with reverse proxies aside from nginx. And at that, I still wouldn't know how to configure an nginx virtual host to redirect traffic to a LAN IP address. If you recommend nginx to accomplish this, could you also provide some directions and example configuration files that would redirect requests to their corresponding servers on my LAN (when also factoring in the split VPN tunnel)?

If nginx on my router isn't the answer, I have read mentions of HAProxy and Squid (I don't even know what that is). Could you please advise me whether using HAProxy or Squid (or even something else) would be recommended, and if so, how you would go about setting this up to obtain the desired results? Could you please provide example config files and whatnot?

Any other thoughts or suggestions are much appreciated. A detailed answer with example configuration settings and config files would be hugely appreciated as well.

Thanks for the help!
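The two steps asked about above, as an added example that is not from the original post or any reply in this thread: a POSIX shell script for the OpenWrt router that (1) brings up a WireGuard client with policy-based routing, so that only 192.168.1.2 and 192.168.1.3 leave through the tunnel while every other LAN device keeps the normal WAN route, and (2) writes a name-based nginx reverse proxy config that sends www.example1.com to 192.168.1.2 and www.example2.com to 192.168.1.3. The interface name wg0, routing table 100, the tunnel address 10.0.0.2/24, the endpoint vpn.example.net:51820 and the key variables are all assumptions or placeholders; the uci option names (ip4table, route_allowed_ips, the network `rule` sections, firewall zones and rules) are standard OpenWrt ones.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: wg0, table 100, 10.0.0.2/24,
# vpn.example.net:51820 and the two key variables. Without APPLY=1 (or without a
# uci binary) it only prints the uci commands it would run, for review.

WG_IF=wg0
WG_TABLE=100                              # table holding the tunnel default route
WG_ADDR='10.0.0.2/24'                     # router's address inside the tunnel
CLOUD_HOST='vpn.example.net'              # cloud WireGuard server (placeholder)
CLOUD_PORT=51820
TUNNELED_HOSTS='192.168.1.2 192.168.1.3'  # only these LAN hosts use the tunnel
ROUTER_PRIVATE_KEY=${ROUTER_PRIVATE_KEY:-ROUTER_PRIVATE_KEY_PLACEHOLDER}
CLOUD_PUBLIC_KEY=${CLOUD_PUBLIC_KEY:-CLOUD_PUBLIC_KEY_PLACEHOLDER}

# Dry-run shim: where there is no uci binary, echo the command instead.
if ! command -v uci >/dev/null 2>&1; then
    uci() { printf 'uci %s\n' "$*"; }
fi

# Step 1: WireGuard client whose routes land in their own table, plus one
# source-based ip rule per server. Everything else keeps the WAN default route.
configure_split_tunnel() {
    uci set network.$WG_IF=interface
    uci set network.$WG_IF.proto=wireguard
    uci set network.$WG_IF.private_key="$ROUTER_PRIVATE_KEY"
    uci add_list network.$WG_IF.addresses="$WG_ADDR"
    uci set network.$WG_IF.ip4table=$WG_TABLE   # wg0 routes go to table 100, not main
    # Peer: allowed_ips 0.0.0.0/0 + route_allowed_ips installs a default route,
    # which ip4table above keeps out of the main table.
    uci set network.cloud=wireguard_$WG_IF
    uci set network.cloud.public_key="$CLOUD_PUBLIC_KEY"
    uci set network.cloud.endpoint_host=$CLOUD_HOST
    uci set network.cloud.endpoint_port=$CLOUD_PORT
    uci add_list network.cloud.allowed_ips='0.0.0.0/0'
    uci set network.cloud.route_allowed_ips=1
    uci set network.cloud.persistent_keepalive=25
    n=0
    for host in $TUNNELED_HOSTS; do
        n=$((n + 1))
        uci set network.wg_rule$n=rule
        uci set network.wg_rule$n.src="$host/32"
        uci set network.wg_rule$n.lookup=$WG_TABLE
        uci set network.wg_rule$n.priority=100
    done
    # Firewall: own zone for the tunnel, LAN may forward into it, outbound is
    # masqueraded to 10.0.0.2, and only the proxy ports are reachable from it.
    uci set firewall.wgzone=zone
    uci set firewall.wgzone.name=wg
    uci add_list firewall.wgzone.network=$WG_IF
    uci set firewall.wgzone.input=REJECT
    uci set firewall.wgzone.output=ACCEPT
    uci set firewall.wgzone.forward=REJECT
    uci set firewall.wgzone.masq=1
    uci set firewall.lan_wg=forwarding
    uci set firewall.lan_wg.src=lan
    uci set firewall.lan_wg.dest=wg
    uci set firewall.wg_proxy=rule
    uci set firewall.wg_proxy.name='Allow-proxy-from-wg'
    uci set firewall.wg_proxy.src=wg
    uci set firewall.wg_proxy.proto=tcp
    uci set firewall.wg_proxy.dest_port='80 443'
    uci set firewall.wg_proxy.target=ACCEPT
    uci commit network
    uci commit firewall
}

# Step 2: one nginx server block per public hostname, selected by the HTTP
# Host header, each proxying to the LAN server that serves that name.
nginx_vhost() {   # $1 = public hostname, $2 = LAN address of its server
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location / {
        proxy_pass http://$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

write_nginx_conf() {   # $1 = output file (e.g. /etc/nginx/conf.d/proxy.conf)
    {
        nginx_vhost www.example1.com 192.168.1.2
        nginx_vhost www.example2.com 192.168.1.3
    } > "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    configure_split_tunnel
    write_nginx_conf /etc/nginx/conf.d/proxy.conf
    /etc/init.d/network reload && /etc/init.d/firewall reload && /etc/init.d/nginx reload
fi
```

Run it once without APPLY to read the generated uci commands, then with APPLY=1 on the router. Once the router is the WireGuard peer, the cloud server's port forwards for 80/443/25 have to point at the router's tunnel address (10.0.0.2 here) instead of the Pi, and the Pi's own WireGuard client is no longer needed. Two limits of this approach are worth knowing before building on it: nginx can only pick the backend from the HTTP Host header, so for HTTPS you either terminate TLS on the router (certificates live there) or route by SNI with nginx's stream module and ssl_preread; and SMTP carries no hostname in the connection, so port 25 from the cloud server can only be forwarded to one of the two Pis (HAProxy has the same limitation, since the only thing it can distinguish is the destination port).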

From a high-flying view, it looks like you are hosting 1 web and 1 mail server at home and trying to access both from clients on the road.

The starter for this would be to create 2 port forwarding rules on the OpenWrt router:

  • publicRouterIP:Port1 -> homeserverIP1:mailport
  • publicRouterIP:Port2 -> homeserverIP2:webport

You could then use a DynDNS service, the public router IP or an A record to remotely access your 2 home servers from off-road clients.

You could also install a VPN service on OpenWrt and expose the VPN service port. Clients then connect to this VPN endpoint; the VPN service does preauthentication and forwards preauthenticated requests to the 2 LAN servers.

But what is the PTR record meant for in that use case? (PTR resolves IP addresses -> DNS names, which is the more uncommon direction and not of use here.)

You also have this additional cloud server, and you seem to have created a VPN tunnel between OpenWrt and the cloud server.

  • Is it the exit point of a privacy tunnel for home devices, to reach the Internet?
  • Is the cloud server a cloud-hosted VPN concentrator, such that road clients connect to your LAN servers via this cloud VPN server?

If you already have a VPN and don't expect strangers to connect to your servers without VPN access, I don't see the problem: just connect to your internal hosts through the tunnel, no changes necessary.

If you do want public access for some resources, IPv6 might be the easy way out.

/keep it simple
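The two port forwards suggested in this reply, written out as OpenWrt firewall `redirect` sections in an added example (not code from the reply's author). The section names, the public ports 2525 and 8080, and the LAN addresses are placeholders; without a uci binary the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the reply: publicRouterIP:Port1 -> homeserverIP1:mailport
# and publicRouterIP:Port2 -> homeserverIP2:webport as OpenWrt DNAT redirects.
if ! command -v uci >/dev/null 2>&1; then
    uci() { printf 'uci %s\n' "$*"; }   # dry run where there is no uci
fi

# $1 = section name, $2 = port on the WAN side, $3 = LAN host, $4 = port on that host
add_port_forward() {
    uci set firewall.$1=redirect
    uci set firewall.$1.name="$1"
    uci set firewall.$1.src=wan
    uci set firewall.$1.src_dport="$2"
    uci set firewall.$1.dest=lan
    uci set firewall.$1.dest_ip="$3"
    uci set firewall.$1.dest_port="$4"
    uci set firewall.$1.proto=tcp
    uci set firewall.$1.target=DNAT
}

forward_home_servers() {
    add_port_forward fwd_mail 2525 192.168.1.2 25   # Port1 -> mail server (placeholder port)
    add_port_forward fwd_web  8080 192.168.1.3 80   # Port2 -> web server (placeholder port)
    uci commit firewall
}

if [ "${APPLY:-0}" = 1 ]; then
    forward_home_servers && /etc/init.d/firewall reload
fi
```

Note that this only works while the router itself holds a public WAN address; in the poster's setup the public address belongs to the cloud VPN server, which is why they are asking about a proxy on the router instead.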

This post is highly irrelevant and doesn't answer any questions properly. The servers I am running are all public servers accessible from the internet. The VPN tunnel from the web server to the cloud VPN server is for the sole purpose of using the cloud VPN server's IP address and setting a PTR record for that IP address. If I did not tunnel my web servers through a cloud server, then I would have to pay money to my ISP to get a static IP address and have my ISP set the PTR record for my IP address. Using a cloud VPN server is a workaround. So essentially, I need to know how to route public requests to www.example1.com to server 1 and public requests to www.example2.com to server 2 on my LAN. I know for certain that hosting 2 web servers on one single LAN using 1 single public IP address requires a reverse proxy of some sort, so that public requests to example1.com and example2.com know which web server device on the LAN to forward the requests to. Otherwise, a public request to www.example1.com won't know which server to contact on my home router. The same goes for any public request to www.example2.com. I need a way to tell my router which machine on the LAN to direct requests to.

Can anyone that understands my setup correctly please help and advise?

... or get two free-for-life OCI hosts, and run one for each RPi.