Hey all, I'd love some more eyes on this problem I've been having.
Context:
- I'm behind a CGNAT.
- I have a domain
- I have VPN with a dedicated IP
- My DNS records are pointed at that dedicated IP
- I have a TP_Link A8 Router, and a Surfboard DOCSIS 3.1
- Router has Bonded light
- I'm running a server with Proxmox VM
- It works amazing locally
Goal(s):
- Use NextCloud/OwnCloud
- Ability to access NC/OC from outside local network
- Being able to use domain name instead of dedicated IP when accessing page
Actions:
- Install a Debian 12 VM (or LXC depending upon attempt)
- Update package repositories
- Add user to sudoers file
- Install UFW
- Install VPN application
- Enable UFW
- Deny ALL but 40,443
- Install Docker Engine
- Enable VPN
- Install Cosmos Server
- Go through initial setup
- Configure domain as Dedicated IP
- Go through initial setup
- Here my attempts just hang.
- I have tried this using NGINX Reverse Proxy
- I have tried this using Apache2 as a reverse proxy
Technical Information:
- Port scanning options see ports as open
- SSL certificate application (Let's Encrypt) hangs
I have also followed the 'how to' https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html from Nextcloud, using manual installation, and can install it, but when I get to the Let's Encrypt stage, I can never get it to complete. I've tried the AIO as well as the Docker image.
The issue is always with SSL/connecting from the outside. I can access it locally, but that doesn't help me leave commercial clouds behind!
I've included my network diagram of what I *think* is going on
Thanks!
You can use Let's Encrypt DNS authentication to get an SSL without using any ports. The idea is to insert a CNAME of a string of text to your DNS to verify that you own the domain, thus getting the certificate issued. Google for that and there should be a guide for the OS that you use.
Was going to suggest the same. A guy at work was trying to tell me we'd have to open ports eventually for an application behind a VPN. While he was telling me I was wrong, I added the record, and pulled certs. They should really lead with that IMHO
sudo certbot certonly --manual --preferred-challenges dns -d <your-domain>
And it's a TXT record that you need to add.
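The TXT record the replies above describe, worked through as an added example (not code from anyone in the thread): it computes the _acme-challenge name and value the CA checks for the DNS-01 challenge (RFC 8555 section 8.4) and confirms the record is actually visible before you let certbot continue. The domain, token and account thumbprint are constructed sample values, and the lookup function is injected so it runs offline.

```python
# Added example: what Let's Encrypt's DNS-01 challenge verifies. No ports need
# to be reachable; the CA only queries DNS. Sample values below are constructed.
import base64
import hashlib
from typing import Callable, Iterable, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(domain: str, token: str, account_thumbprint: str) -> Tuple[str, str]:
    """Return (record_name, txt_value) for the DNS-01 challenge.

    The CA issues `token`; the client joins it with the JWK thumbprint of its
    own account key, so only the account holder can produce the right value.
    """
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    name = f"_acme-challenge.{domain.rstrip('.')}."
    return name, b64url(digest)


def record_is_published(name: str, expected: str,
                        lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True when the TXT answer for `name` contains the expected value.

    `lookup_txt` is injected (wrap `dig +short TXT` or a resolver library in
    practice). Check against your authoritative servers, not a local cache:
    the CA does, and a cached stale record is the usual reason validation fails.
    """
    return expected in set(lookup_txt(name))


# Constructed sample values (not real credentials or a real zone).
SAMPLE_DOMAIN = "cloud.example.com"
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def fake_lookup(name: str) -> Iterable[str]:
    """Stand-in resolver: a stale value from an earlier run plus the fresh one."""
    fresh = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)[1]
    zone = {f"_acme-challenge.{SAMPLE_DOMAIN}.": ["stale-old-value", fresh]}
    return zone.get(name, [])


if __name__ == "__main__":
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(f"Add TXT record {name} with value {value}")
    print("published:", record_is_published(name, value, fake_lookup))
```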