Complex port, LAN, OpenVPN config. Custom servers with limited options

Hello. I have a network with a standard residential router, nothing fancy. Good news is that I can open whatever ports I want. On this home network sit several custom servers which now need to provide access outside of our group. The access granted is not going to be able to be more than very simple and basic access methods, which just needs to be a URL (either a domain or IP address) that can be plopped into a browser.

*The custom servers only support HTTP, so right now I have a security mess on my hands because my home IP is now exposed AND has open ports, AND everything is going over HTTP.

The servers are not able to be modified (firmware/software/hardware) and I don’t have the code either.

The current config though, is a little weird/complex because in addition to being on my LAN (as described above) with open ports over the public internet, they ALSO happen to simultaneously connect to our own self-hosted VPN (more specifically, OpenVPN) since luckily the closed-off firmware does allow for an OpenVPN cert to be in use as well as the traditional LAN network settings.

Our OpenVPN is being run from a locked down remote server that only we have access to internally, and we have no issues with that setup. The catch is that the OpenVPN network is exclusively the method that my team and I use to connect and therefore we don’t want to support any other type of outside access to it. Additionally, I don’t have the ability to make changes to our OpenVPN server/config because the only developer I trust to touch that network is unavailable, and I don’t really think poking at it is in our best interest right now due to the risk that goes along with it affecting everyday operations.

My end goal is to secure the custom servers on my home LAN so that at least they are not discoverable publicly without any security at all, and while exposing my home IP. It would be great to offer some type of full HTTPS [or at least flexible (which Cloudflare offers as an option)], but far less important than actually making them not discoverable to the world.

I do have the ability to whitelist and blacklist IP ranges on the custom servers, so my approach was to whitelist my LAN subnet, blacklist all other IPs EXCEPT Cloudflare’s, and then create a proxied DNS record inside of my Cloudflare config for each of the custom servers. The only trade-off with this method is that the traffic from the custom servers to Cloudflare would be viewable over HTTP, but even with that weak spot I would be in a much better spot than now.

The issue there is that Cloudflare doesn’t support specifying port numbers for entries/target host machines for the plan I am on.

Any advice/options/suggestions would be most appreciated. Thanks! :pray:

Things to keep in mind for trying to help me:

  1. I don’t have the ability to add hardware to my LAN. So, adding something like a new Linux box and tunneling that to Cloudflare (and then somehow sending the custom servers through that new Linux box) won’t work.
  2. And the only options I have configurable on the servers are:
  • LAN IP (which right now each server has a unique based address), including DNS, Subnet Mask, and gateway. I can also select DHCP or PPPoE (of which I don’t even know what PPPoE is, lol).
  • Choose/change the port that each server listens on.
  • Enable HTTPS, but then can’t disable HTTP. Also, *HTTPS gives back an invalid/not trusted cert error, so not a good idea is what my gut says.

One last option would be to see if it’s possible to spin up some kind of cloud server that can either act as a VPN or proxy network, then maybe modify the OpenVPN certificate to actually talk to 2 different servers (one being the OpenVPN server we have in place now, and second being a new cloud server acting as a proxy server). However, this seems utterly complex.

Would you be able to set up a local server that acts as a proxy (or add it to each server, or some at least)?

If you were able to add this, you could use Cloudflare Tunnel to connect out from your network to Cloudflare, avoiding open ports and keeping HTTP confined to the local network, or even better each internal server.

With this setup you’d remove all issues with custom ports as that is automatically moved to the normal :443 HTTPS port.


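As an added illustration of the setup suggested above (not from this thread or from Cloudflare's docs), this is what the cloudflared configuration on a small Linux box such as a Pi could look like: the connector only makes outbound connections, so no router ports are opened, and each public hostname is mapped to an HTTP origin on its own custom port inside the LAN. Hostnames, LAN addresses, ports and the tunnel ID are placeholders.

```yaml
# /etc/cloudflared/config.yml (placeholder values throughout)
# Created beforehand with: cloudflared tunnel create home-servers
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Ingress rules are evaluated top to bottom; the first matching hostname wins.
# The "port problem" disappears here: visitors reach https://<hostname>:443 at
# Cloudflare, and cloudflared forwards to the custom port on the LAN side.
ingress:
  - hostname: server-a.example.com
    service: http://192.168.1.20:8080   # custom server A, HTTP only, LAN-side
  - hostname: server-b.example.com
    service: http://192.168.1.21:9000   # custom server B on a different port
  # Catch-all is mandatory: anything not listed above gets a 404 instead of
  # being proxied to some unintended origin.
  - service: http_status:404
```

Each hostname still needs a DNS record pointing at the tunnel, created with `cloudflared tunnel route dns home-servers server-a.example.com` (and likewise for server-b), after which `cloudflared tunnel run home-servers` starts the connector. The custom servers themselves need no change beyond whitelisting the Pi's LAN address, since all traffic now arrives from it rather than from the internet.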

So could I add more hardware, yes. But I don’t think I will.

If I do decide to go this route, would a Raspberry Pi work? And how would I tell the custom servers to go through the Pi, or added Linux box?

Yes, depending on traffic amounts, of course.

That’s what the Cloudflare Tunnel instance does, read the docs :slight_smile:

Will do. I essentially discounted that as an option when I saw that it put even more responsibility on me to provide hardware. A trend I’m trying to reverse. Thanks!