Nextcloud 12 / FreeNAS / pfSense [Request for Help]

[svtkobra7]

Kindly note that I have spent countless DAYS trying to get Nextcloud up and running, and as a last resort I'm asking for the counsel of the FreeNAS community. I know there are a number of moving parts, including pfSense, so this may not be the most appropriate place to post this plea for help. I need help tying everything together as this is driving me insane. In an attempt to assist, I've tried to clearly define my Objective, Configuration, Constraints, as well as pfSense Config.

Any help that can be offer would truly be appreciated!

Objective:

• Deploy Nextcloud 12, hardened, and accessible at domain: DOMAIN.com
• I don't care how I get there, whether jail, Ubuntu VM, etc.
• I have two issues: (a) I can't connect the internal Nextcloud IP to DOMAIN.com and (b) I can't use certbot to obtain SSL

Config:

• VMware ESXi 6.5.0 Update 1
  
• FreeNAS-11.0-U4
• pfSense 2.4.2-RELEASE
• DOMAIN.com redirected to TG_STATIC IP

Constraints:

• Double NAT scenario with no static IP offered by ISP.
• Ports which can't be opened by VPN provider:
  Code:

  tcp:4500,udp:4500,tcp:6060,udp:6060,tcp:4443,udp:4443,tcp:7070,udp:7070,tcp:8443,udp:8443,tcp:8444,udp:8444,tcp:8445,udp:8445,tcp:8446,udp:8446,tcp:8447,udp:8447,tcp:8448,udp:8448,tcp:8449,udp:8449,tcp:8450,udp:8450,tcp:8451,udp:8451,tcp:8452,udp:8452

Success to Date:

• While I don't care much about Plex being externally accessible, I used that as a "test case" to defeat the fact that I'm being double NATed and don't have a static IP.
  
• I did so with the following configuration in pfSense: (a) Configured OpenVPN Clients [1], (b) Created appropriate Firewall Rules [2], (c) and Added a Port Forward [3].
• Plex is externally accessible. Shamefully I should admit this took me quite some time to figure out.

[0] pfSense Summary

[1] pfSense: VPN / OpenVPN / Clients

Summary:


TG_DYNAMIC Config:


TG_STATIC Config:


[2] pfSense: Firewall / Rules / WAN & LAN


[3] pfSense: Firewall / NAT / Port Forward

 

[Jailer]

If you are behind your ISP's double NAT no sort of trickery is going to fix that. See if your ISP will give you a static public IP.

 

[svtkobra7]

If you are behind your ISP's double NAT no sort of trickery is going to fix that. See if your ISP will give you a static public IP.

I appreciate your reply - thank you. Not in debate, but because I think there may be a way:
1. Given, the VPN + Port Forward "trickery" allows external Plex access,
2. That same trickery can be used to expose Nextcloud, so it becomes a question of how to get cert.
3. I just lack the knowledge to put the pieces together, but can't I use one, some, all of the following:
A. ACME package in pf, I have successfully edited DNS text record to achieve validation.
B. VPN "443" Port Share (requires option added to VPN client and allows web server traffic to flow through to localhost:443.
C. I know Apache can be set to "listen" on a port other than 443.
D. Reverse proxy / HAproxy pf package.

On my mobile forgive my brevity / typos.

Regarding my ISP, I'd rather use a 56k modem than pay them another $. The contract for the building is 100 Mbps "near symmetrical" and while I don't have an IT background, I know there is symmetrical and asymmetrical and "near symmetrical" is made up BS. I'm not paying $20/month for a private IP given I'm being robbed of 30 Mbps with my 100/70 "near symmetrical" connection. End of rant.

Thanks again!

 

[svtkobra7]

@Jailer A bit more on my research / progress now that I'm at home ...

A. ACME package in pf, I have successfully edited DNS text record to achieve validation.

Able to obtain / renew the cert using the "ACME Certificates" package in pfsense.

Code:

domain.com_cert
Renewing certificateaccount: domain.com_key
server: letsencrypt-production
/usr/local/pkg/acme/acme.sh --issue -d 'domain.com' --home '/tmp/acme/domain.com_cert/' --accountconf '/tmp/acme/domain.com_cert/accountconf.conf' --force --reloadCmd '/tmp/acme/domain.com_cert/reloadcmd.sh' --dns 'dns_nsupdate' --log-level 3 --log '/tmp/acme/domain.com_cert/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[NSUPDATE_SERVER] => /tmp/acme/domain.com_cert/domain.com/nsupdate
[NSUPDATE_KEYTYPE] => host
[NSUPDATE_KEYALGO] => 157
[NSUPDATE_KEY] => /tmp/acme/domain.com_cert/domain.com/nsupdate
)
[Wed Dec 13 21:52:52 EST 2017] Registering account
[Wed Dec 13 21:52:53 EST 2017] Already registered
[Wed Dec 13 21:52:54 EST 2017] Update account tos info success.
[Wed Dec 13 21:52:54 EST 2017] ACCOUNT_THUMBPRINT='blah blah'
[Wed Dec 13 21:52:54 EST 2017] Single domain='domain.com'
[Wed Dec 13 21:52:54 EST 2017] Getting domain auth token for each domain
[Wed Dec 13 21:52:54 EST 2017] Getting webroot for domain='domain.com'
[Wed Dec 13 21:52:54 EST 2017] Getting new-authz for domain='domain.com'
[Wed Dec 13 21:52:54 EST 2017] The new-authz request is ok.
[Wed Dec 13 21:52:54 EST 2017] domain.com is already verified, skip dns-01.
[Wed Dec 13 21:52:54 EST 2017] Verify finished, start to sign.
[Wed Dec 13 21:52:55 EST 2017] Cert success.

B. VPN "443" Port Share (requires option added to VPN client and allows web server traffic to flow through to localhost:443.

To be extra sneaky/careful with an OpenVPN server, take advantage of OpenVPN's port-share capability that allows it to pass any non-OpenVPN traffic to another IP behind the firewall.
Often on locked-down networks, only ports like 80 and 443 will be allowed out for security reasons, and running OpenVPN instances on these allowed ports can help to get out in situations where access may otherwise be restricted.
The usual use case for this would be to run the OpenVPN server on port tcp/443, and in place of a port forward, let OpenVPN hand off the HTTPS traffic to a web server.
To set this up, configure an OpenVPN server to listen on TCP port 443, and add a firewall rule to pass traffic to the WAN IP (or whatever IP used for OpenVPN) on port 443. There are no port forwards or firewall rules required to pass the traffic to the internal IP.
In the custom options of the OpenVPN instance, add the following:

Code:

port-share x.x.x.x 443

Reference: https://doc.pfsense.org/index.php/Sharing_a_Port_with_OpenVPN_and_a_Web_Server

So do you think this is impossible or just a PITA?