Hello everyone! I am trying to set up port forwarding, but I'm stuck. I'll get straight to the point.
I have an OpenWRT router that is handling a few Dynamic DNS domains (on 192.168.1.1), and firewall. I have also set up port forwarding, so that all 80 and 443 traffic is redirected to IP 192.168.1.100, where I am running an Apache2 reverse proxy. This reverse proxy redirects, again, traffic depending on the domain: pve.domain.com points to 192.168.1.101, where Proxmox VE is running, cloud.domain.com points to 192.168.1.102, where Nextcloud is running, and so on.
This is great for HTTP and webservers - but as soon as the service changes, I am completely lost.
I am running an MC server on 192.168.1.107, on port 25565. Now, the issue is that I can't use the reverse proxy for this, so I set OpenWRT to directly forward 25565 to that IP.
Unfortunately, however, this means that any domain will allow access to the server - even cloud.domain.com, which makes no sense. I only want game.domain.com to point to that port - but I'm missing the knowledge on how to do it.
I'm not asking for a complete solution, but can anyone point me in the right direction?
Yeah well, I only have one public IP available, unfortunately. This is a home network after all. If you are talking about local IPs (OpenWrt --> local server) - then I could definitely change the game.domain.com to point directly to the game server, and it'd be a good solution, but I don't know how to do it - afaik, it's impossible.
EDIT: I was thinking, isn't there a reverse proxy that actually works with protocols other than HTTP, HTTPS and WS? This is extremely easy for web servers; I don't see why it would be impossible with other stuff, given the tech spec of the protocol. Or even just directly proxying traffic without any kind of interpretation.
I'm sorry, but I don't understand your message. You're probably being ironic, but sometimes text messages can be misleading - sorry if this is not the case, lol.
If you are serious - then yes, all my subdomains are pointing to my home server, which has a single IP. This is not an issue for web-based applications as I can just use Apache2 to send different domains to different servers and directories. The issue arises when I want to redirect TCP/UDP ports, which I'm probably going to solve by switching from Apache2 to HAProxy, squid or even just nginx.
So, in the end, it will work like this:
[multiple domains] -> [one public IP] -> [openwrt] -> [reverse proxy server] -> [multiple other servers].
Update: ok, there's no way of doing this locally. The only possibility is to tunnel the game server through a VPN, that can be for example a cheap VPS. This has the benefit of adding kind of a DDoS protection, but also, then, I'd be relying on yet another server just to access my own stuff, which I'm not particularly fond of.
Either way, nothing that can be done in OpenWRT by itself.
What you are trying to achieve is not possible. The reverse proxy operates at the HTTP/HTTPS protocol level, whereas the IP forwarding operates at the IP level of the OSI model. The MC server connects and operates at the IP level and is not designed to work at the HTTP/HTTPS level. In order to enable that, one would need to rewrite the MC server and MC client programs and distribute them among the players.
I'm terribly sorry for what I just said. No excuse for that, I've had a bad day and I let it out here. Took me 1 minute to press the Reply button and rethink my decision. Unfortunately, it was already too late.
Also, I assumed yours was a report of some sort, like scolding me for having posted it in two places, which was maybe not in the rules.
I'll explain why this is not possible and then you can just move on.
A packet comes into your server. You want to know what to do with it. The decision you would like to make is based on which domain name the client looked up before they connected to your server. This is information only the client computer knows.
It works for HTTP because when the HTTP connection comes in there is an HTTP header the client sends to your server saying "I'm connecting to www.cnn.com" or whatever. But at the IP level, in a firewall etc., or even in a generic proxy for a general TCP- or UDP-based protocol, the information about which hostname the client looked up before it connected to you is simply mind-reading that you can't do.
HAProxy will manage all of your incoming requests. But configuring it is a steep learning curve. Make sure you understand how to configure it correctly, otherwise you could expose your system to potential hacking.
The only time HAProxy doesn't work well is if the traffic header is encrypted and has no SNI written into the header. It's not the end if there is no SNI if you have some control over the client connection, but in general, if you're dealing with encrypted traffic, the header will need to have the SNI included for you to direct encrypted traffic correctly.
I know nothing about Minecraft, so maybe I'm out of my league. But my understanding is he has a dynamic IP and wants to access services hosted at his home from the public side. Even if the Minecraft client doesn't include SNI host headers, he can still configure HAProxy to manage the connections; it just won't be very elegant. One way would be to have the Minecraft server as the final server on the list as a catchall. There can be only one catchall in the list, so it has its limits.
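To make the SNI point above concrete, here is an added example (not code from any poster in this thread) of what a protocol-agnostic TCP dispatcher like HAProxy actually does in TCP mode: it peeks at the first bytes of the connection, and if they form a TLS ClientHello it reads the plaintext server_name extension and picks a backend by hostname; anything that is not a ClientHello (or carries no SNI) falls through to the single catchall backend, while a recognised TLS connection for a hostname that is not on the list is dropped rather than sent to the catchall. The hostnames and the 192.168.1.x addresses come from the thread; the backend ports (8006 for Proxmox, 443 for Nextcloud) and the sample ClientHello built by `build_client_hello` are assumptions constructed here for the demonstration.

```python
"""Minimal SNI-based TCP dispatcher with a catchall backend (added example).

Assumed layout, taken from the thread: pve.domain.com -> 192.168.1.101,
cloud.domain.com -> 192.168.1.102, game server on 192.168.1.107:25565.
Backend ports other than 25565 are assumptions for this example.
"""
import asyncio
import struct
from typing import Optional, Tuple

Backend = Tuple[str, int]

ROUTES = {
    "pve.domain.com": ("192.168.1.101", 8006),    # assumed Proxmox VE port
    "cloud.domain.com": ("192.168.1.102", 443),   # assumed Nextcloud port
}
CATCHALL: Backend = ("192.168.1.107", 25565)      # the only non-SNI backend


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent.

    Only the first TLS record is examined; a ClientHello split across
    records or TCP segments is treated as 'no SNI' by this simplified parser.
    """
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                             # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                             # compression_methods
    if len(hs) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(hs)):
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        ext = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                          # 0 = server_name extension
            continue
        lp = 2                                     # skip server_name_list length
        while lp + 3 <= len(ext):
            name_type, name_len = ext[lp], struct.unpack("!H", ext[lp + 1:lp + 3])[0]
            name = ext[lp + 3:lp + 3 + name_len]
            if name_type == 0:                     # 0 = host_name
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
            lp += 3 + name_len
    return None


def pick_backend(first_bytes: bytes) -> Optional[Backend]:
    """Route by SNI; no SNI -> catchall; unknown SNI -> None (drop)."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return CATCHALL
    return ROUTES.get(sni)


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI (test input, not real traffic)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter) -> None:
    first = await client_r.read(4096)              # peek: enough for a typical ClientHello
    target = pick_backend(first)
    if target is None:                             # unknown hostname: refuse, don't fall through
        client_w.close()
        return
    up_r, up_w = await asyncio.open_connection(*target)
    up_w.write(first)                              # replay the bytes we consumed
    await up_w.drain()
    await asyncio.gather(_pipe(client_r, up_w), _pipe(up_r, client_w))


if __name__ == "__main__":
    async def _serve() -> None:
        server = await asyncio.start_server(handle, "0.0.0.0", 443)
        async with server:
            await server.serve_forever()
    asyncio.run(_serve())
```

The routing decision lives entirely in `pick_backend`, which is the part worth reviewing before exposing anything: a plain TCP connection with no ClientHello (what a game client sends) can only ever reach the catchall, so the catchall is the one backend that every hostname pointing at your public IP can reach, exactly the limitation the post above describes.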