SSTP and WEB with Synology Reverse Proxy

NAS: DS218+
Operating system: Windows
Mobile operating system: Android
In my LAN I have a router with an SSTP server at address 192.168.0.1 (with TCP ports 80 and 443 forwarded to the NAS) and a NAS with a web server at 192.168.0.2. I have two addresses, vpn.example.com and example.com.

Should this configuration work (because it doesn't work now)?
Reverse Proxy:
ReverseProxy1.jpg

WebStation:
WebStation.jpg
 
Let me try to understand what's going on:
  1. You have an SSTP server running on the main LAN router (LAN IP 192.168.0.1).
  2. Your NAS is on LAN IP 192.168.0.2
  3. You are trying to use the NAS reverse proxy to pass HTTPS requests for vpn.example.com:443 back to the LAN router's TCP 443 port. Is this circular?
  4. HSTS on the NAS will force HTTP TCP 80 for vpn.example.com to be retried as HTTPS TCP 443.
  5. And then there's a Web Station virtual host/web service that is doing something for the main domain of example.com.
What are you trying to achieve? From where, and how is DNS configured (you need DNS working so vpn.example.com gets to the router first, and from wherever you are testing this)?
 
Thank you.
1. Yes
2. Yes
3. My mistake, in the destination I have port 444 (and the SSTP server on the router is also on 444)
4. So I have to turn it off?
5. This is a website

I want to have two services (WebSite and VPN SSTP) on my one static public IP without using any port other than TCP 443.
 
OK, so the SSTP server is listening on TCP 444. That makes more sense.

So what I would think:
  1. External DNS records resolve to the router’s WAN IP (example.com and vpn.example.com). For internal resolution you’d have to ensure that the same resolution happens to the NAS LAN IP, or local requests go to the router and it supports local loopback so that it does step 2 for these too.
  2. Router port forwards TCP 443 to NAS LAN IP 192.168.0.2
  3. NAS configured separately for web site and SSTP service:
    1. SSTP service: DSM reverse proxy listening for vpn.example.com on TCP 443. Destination is router LAN IP on TCP 444. Set for HTTPS. I wouldn’t use HSTS if you’re never going to try HTTP.
    2. Web server: Web Station web portal (virtual host) listening for example.com HTTPS and directs to a DSM local folder… it should adjust the permissions on the folder to allow the web server to access it. There are now two parts to creating virtual hosts: web portal relies on a web service. I think you’ve shown the web portal screenshot linking to the example web service.
You also need to set up SSL certificates for the rev-proxy and web portal so that your client apps know they can trust the connections.

I know that SRM’s VPN Plus clients don’t like (refuse) connections that come by a DSM reverse proxy.
 
1. Done
2. Done
3. Done
SSL done.
If I turn off port forwarding on the router, SSTP works on port 444 (I then add the address vpn.example.com:444 in Windows), but of course the website does not. If I enable port forwarding, the website works, but SSTP on 443 does not.
I have SSTP configured on Mikrotik, and when I have port forwarding enabled, no packet comes from the Synology to connect the SSTP client, so I conclude there is some problem with the Reverse Proxy. Is there any way to read logs from the Reverse Proxy (incoming and outgoing requests)?
 
It could be that the SSTP service cannot be proxied.

The port forward on the router for TCP 443 to the NAS LAN IP on TCP 443 will send all connection requests from the router to the NAS. The NAS has to determine how to handle the URL server name, which will be using an application portal, reverse proxy, or WS web portal.

You say you've got the example.com web site working, but the SSTP reverse proxy isn't. I guess you've also confirmed the reverse proxy doesn't work when the WS web site is disabled. The focus being that SSTP proxied isn't working. Generally it's easy and what you've done. You might try adding Custom Headers to the reverse proxy and adding WebSocket, in case that helps.

Have you confirmed that the SSTP service is listening on the router's LAN interface?

If you have to use another TCP port and there aren't that many permitted from where you intend to initiate the SSTP session, I've found TCP 8080 is sometimes left open in corporate FWs. Or try a few to see which work.
 
Still not working

Yes.

Is it possible to check incoming and outgoing traffic in Synology Reverse Proxy?
Also, each reverse host has its own log inside the nginx structure (also via ssh) so maybe something will be in there as well, especially in the error logs.
 
I accessed the log, and when I try to connect I get this message:
"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 400 150 "-" "-" "-"

And I'm stuck, can't find a solution.
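
Added example (not part of the thread, and not Synology's or nginx's own tooling): a small Python triage of reverse-proxy access-log lines in the format quoted above, which picks out requests that use a non-standard HTTP method and were answered with a 4xx status, such as the `SSTP_DUPLEX_POST` line. The first sample line is the one from the thread; the other sample lines, the field layout in front of the quoted request, and all function names are constructed assumptions.

```python
import re
from collections import Counter

# Commonly registered HTTP methods; anything else is treated as an extension method.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}

# Finds the quoted request, status and byte count wherever they sit in the line,
# so both full access-log lines and the truncated form quoted in the thread parse.
REQUEST_RE = re.compile(
    r'"(?P<method>[^\s"]+) (?P<target>[^\s"]+) (?P<version>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it has no request field."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["standard_method"] = rec["method"] in STANDARD_METHODS
    return rec

def triage(lines):
    """Return (rejected, summary): extension-method requests answered with 4xx,
    and a Counter keyed by (method, status) over every parsable line."""
    rejected, summary = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        summary[(rec["method"], rec["status"])] += 1
        if not rec["standard_method"] and 400 <= rec["status"] < 500:
            rejected.append(rec)
    return rejected, summary

SAMPLE_LINES = [
    # Line quoted in the thread:
    '"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 400 150 "-" "-" "-"',
    # Constructed lines for comparison:
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /missing HTTP/1.1" 404 150 "-" "Mozilla/5.0" "-"',
    'not an access-log line',
]

if __name__ == "__main__":
    rejected, summary = triage(SAMPLE_LINES)
    for rec in rejected:
        print(f"{rec['method']} {rec['target']} -> {rec['status']}")
```

Lines it reports are the ones to compare against a packet capture on the upstream (here the router's TCP 444 listener) to see whether the request was ever forwarded.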
 
