Which VPN Server Software is Best for Running Virtualmin Behind a VPN?

Virtualmin
22

if it helps for you :wink: why shouldnā€™t work, right!

23

Letā€™s Start Fresh!

First of all, thank you for all the responses so far; I truly appreciate everyoneā€™s effort to help. However, it seems thereā€™s still some confusion about what I need, and I take responsibility for not being clear enough earlier.

To fix this, I will provide detailed information on:

  1. What I want to achieve.
  2. What I have already done.
  3. What I still need help with.

Please take a moment to grab a coffee and carefully read this post from start to finish.

Important: Only reply if you fully understand the setup and the issues Iā€™m describing. If this seems confusing or unclear (and thatā€™s okay!), please refrain from replying. The goal here is to avoid further confusion and keep the thread focused and productive.

Thank you for your understanding. Letā€™s reset and move forward!

Reset
I recently set up a WireGuard VPN server on a VPS (hosted with OVH Cloud) and configured my Virtualmin server (Debian 12) as a WireGuard client. The goal is to route Virtualminā€™s external traffic through the VPN server and ensure forwarded ports are accessible. However, Iā€™m encountering a couple of issues:

  1. I can access Virtualmin via VPN_SERVER_IP:20000, which means port forwarding is partially working.
  2. The Virtualmin serverā€™s external IP still shows its on-premise IP, not the VPN server IP.
  3. Visiting VPN_SERVER_IP:443 shows the NGINX default page, not Virtualminā€™s services.

Hereā€™s the complete rundown of the steps I took:

1. WireGuard VPN Server Setup (OVH VPS)

  1. Installed WireGuard and enabled IP forwarding on the VPS:

    sudo apt update
sudo apt install wireguard -y
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

  2. Generated server keys:

    cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

  3. Configured WireGuard server (/etc/wireguard/wg0.conf):

    [Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

  4. Started WireGuard:

    sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

  5. Forwarded Ports on the VPN server to the VPN client (10.0.0.2):

    sudo iptables -t nat -A PREROUTING -p tcp --dport 20000 -j DNAT --to-destination 10.0.0.2:20000
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

YES I ALSO DID ALL OTHER PORTS LIKE: 25, 80, 53, e.t.c.

2. WireGuard VPN Client Setup (Virtualmin Server)

  1. Installed WireGuard and generated client keys:

    sudo apt update
sudo apt install wireguard -y
cd /etc/wireguard
wg genkey | tee client_private.key | wg pubkey > client_public.key

  2. Configured WireGuard client (/etc/wireguard/wg0.conf):

    [Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = 10.0.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <VPN_SERVER_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

  3. Started the WireGuard interface:

    sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

  4. Confirmed the connection with wg show.

Current Situation

  • I can reach the Virtualmin login page at VPN_SERVER_IP:20000, so port forwarding works for port 20000.
  • However, Virtualminā€™s external IP still shows the on-premise IP instead of the VPN server IP (10.0.0.1).
  • Accessing VPN_SERVER_IP:443 shows the default NGINX page rather than Virtualminā€™s services.

What I Want to Achieve

  1. All traffic from the Virtualmin server should route through the WireGuard VPN, so the external IP for Virtualmin reflects the VPN server IP.
  2. Port 443 (and other forwarded ports) should point to the Virtualmin server instead of showing the NGINX default page.

Questions for the Community

  1. How can I ensure that Virtualmin routes all external traffic (including its services) through the VPN?
  2. Why is VPN_SERVER_IP:443 showing the NGINX default page instead of forwarding correctly to Virtualmin?

Any guidance or corrections to my setup would be greatly appreciated!

Thanks in advance for your help!
atest Update:
After waiting for the DNS records to propagate and ensuring the nameservers at the domain registry are set correctly, email services have started working again. However, the websites are still down.

  • If I go to HTTP://domain.com, I see the default Nginx welcome page.
  • If I go to HTTPS://domain.com, I get an error: ā€œNot Foundā€ or ā€œServer not foundā€.
24

Hi everyone,

I wanted to update my previous post about the WireGuard VPN setup with Virtualmin, where I was facing an issue with the external IP still showing the on-premise IP and HTTPS services not working as expected.

After some troubleshooting, I found the fix. Hereā€™s what I did:

Problem Recap:

  • HTTP (http://domain.com) showed the default NGINX welcome page.
  • HTTPS (https://domain.com) resulted in a ā€œServer not foundā€ error.
  • Virtualmin was still using the on-premise IP instead of the VPN-assigned IP for external traffic.

Solution:

  1. Update Virtualminā€™s Network Settings:
  • I went to Virtualmin and updated the local IP addresses for all virtual servers to 10.0.0.2 (the VPN clientā€™s IP).
  • The external IP for each virtual server was changed to the VPN serverā€™s IP (the external IP of the WireGuard VPN server).
  1. Set Default Network Settings:
  • Under System Settings ā†’ Network Settings, I made sure the default network interface used the VPN IP (10.0.0.2), ensuring all traffic goes through the VPN.

After these changes, everything started working:

  • I can now access my websites via http://domain.com and https://domain.com.
  • The external IP now reflects the VPN server IP.
  • Email and other services are functioning correctly as well.

Additional Notes:

  • If youā€™re using Letā€™s Encrypt for SSL certificates, make sure they are valid and properly configured for your VPN server IP.
  • If you face any issues after these changes, remember to restart the WireGuard service (sudo systemctl restart wg-quick@wg0) and verify the NGINX configuration.

Thanks again to everyone for their help! I hope this solution helps anyone facing similar issues.