:.: Cloud and tunnels

Everyone has a cloud, I want a cloud too... but between countries!

:. The problem

Country A has no way to open a port to the internet and expose my httpd(8) with nextcloud on it... but what I do have is another server in Country B with full control over its ports and connections, and the whole OpenBSD set of tools to play with. In this episode we'll combine wg(4), httpd(8) and relayd(8) to solve this.

:. The setup

Country A is an apu2 running nextcloud; the setup is the same one I described in that article, but without relayd(8), which instead will live in Country B where I have full control over the open ports and connection flows (the nextcloud article has the full relayd(8) setup). So we have Country A with a full nextcloud setup over httpd(8), as the MESSAGE in the package says (fully functional over the local network, of course), and we have Country B exposed to the internet. How can we connect the cloud to the open internet? Exactly! Let's make a wg(4) tunnel from A to B.

Sorry but no, I will not explain how to make a tunnel between two OpenBSD machines, I already did that here, and if you don't like my way, solene also wrote one.

:. The solution

We now have Country A and Country B connected by wireguard. Let's say that Country B has the 10.10.0.0/24 network for the VPN and is the gateway with the IP 10.10.0.1, and Country A is connected to it with the internal IP 10.10.0.10.

On Country A I set my pf to allow http (not https, since that will be handled by Country B over relayd(8)) and ssh connections over all the networks I have, local and VPN, with something like:

...
## ssh
pass in log on any proto tcp from any to any port 22
## http (plain http only; TLS is terminated by relayd(8) on Country B)
pass in log on any proto tcp from any to any port 80
...

Let's check that we can reach Country A's ports from Country B inside the tunnel; the result should look like this:

country_b$ telnet 10.10.0.10 80
Trying 10.10.0.10...
Connected to 10.10.0.10.
Escape character is '^]'.

The two locations can see each other now, time to add Country A to the relayd(8) config. If you already read the article, especially the relayd(8) part, you have it running on Country B with other sites and servers, so following the same syntax we add the Country A bits.

The table:

...
table <country_a> { 10.10.0.10 }
...

The protocol:

...
tls keypair "cloud.country-a.com"
...
match request quick header "Host" value "cloud.country-a.com" tag "country_a"
pass request quick tagged "country_a" forward to <country_a>
...

The relay:

...
forward to <country_a> port 80 check tcp
...
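Put together, the three fragments above make a minimal standalone relayd.conf for Country B; this is an added example, not the author's real file (which also carries their other sites). The public address is a placeholder, and the X-Forwarded-* headers and the default block rule are assumptions that are not on the page.

```conf
# Country B: /etc/relayd.conf (added example, not the original config)
ext_addr = "203.0.113.10"   # placeholder: Country B's public address

# Country A is reachable only through the wg(4) tunnel, so the table
# holds its VPN address and nothing else
table <country_a> { 10.10.0.10 }

http protocol "https" {
    # TLS terminates here; relayd loads /etc/ssl/cloud.country-a.com.crt
    # and /etc/ssl/private/cloud.country-a.com.key for this keypair name
    tls keypair "cloud.country-a.com"

    # let httpd(8)/nextcloud on Country A see the real client address
    # (assumed headers, not part of the page's snippets)
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # route by Host header: only the cloud name is sent to Country A
    match request quick header "Host" value "cloud.country-a.com" tag "country_a"
    pass request quick tagged "country_a" forward to <country_a>

    # requests that matched no Host rule are refused instead of being
    # forwarded to a backend by accident (assumed default, not on the page)
    block
}

relay "https" {
    listen on $ext_addr port 443 tls
    protocol "https"
    # the backend speaks plain HTTP on port 80, but that traffic only ever
    # travels inside the wg(4) tunnel, so it is still encrypted between
    # the countries; the tcp check is what relayctl reports as "up"
    forward to <country_a> port 80 check tcp
}
```

relayd -n checks the file for syntax errors before you reload the running daemon.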

Pretty easy. Now reload it and check that the host is UP across countries:

$ doas rcctl reload relayd
relayd(ok)
$ doas relayctl show hosts
4       table           country_a:80                             active (1 hosts)
4       host            10.10.0.10                     100.00% up
                        total: 2/2 checks

We are done: if you go to the URL cloud.country-a.com you should see the nextcloud instance, or whatever you have running there. We now have a cloud across countries, running inside a tunnel and exposed to the internet using almost nothing but OpenBSD's base tools.