How to get SSL without access to external ports 443/80?

1. The problem I’m having:

Hello, I’m running a couple of services in my home lab and recently I had the need to expose them to be accessed from outside. My whole home network goes through Mullvad VPN which is installed in my router running OpenWRT. Mullvad allows me to get some ports from their server (e.g. port 54996), which I can then use to access my services through mullvad-server-outgoing-ip:mullvad-port. I cannot have access to default external ports (443/80) because Mullvad generates random ones for me, always with numbers 5000+.

Accessing “mullvad-server-outgoing-ip:mullvad-port” would lead to my OpenWRT router, which then port forwards this request to my server within the LAN in any port that I want.

I have a domain and managed to get a valid certificate using Mullvad server IP by running certbot and adding a DNS record for _acme-challenge. But I can’t seem to use this certificate.

Can I access my services through my VPN, using my domain, with non-default ports and get valid SSL?

2. Error messages and/or full log output:

There are no error messages, I just can’t get SSL to work. Caddy itself doesn’t throw errors.

3. Caddy version:


4. How I installed and ran Caddy:

apt install caddy
systemctl start caddy

a. System environment:

Ubuntu Server 22.04

b. Command:

My problem isn’t associated with any specific command.

c. Service/unit/compose file:


d. My complete Caddy config:

{
        http_port 54995
        https_port 55426
}

<domain> {
        reverse_proxy localhost:8096
}

5. Links to relevant resources:

See this article:

I did that, created an account on cloudflare, configured my domain there, now my Caddyfile looks something like this:

{
        http_port 54995
        https_port 56781
}

<domain> {
        reverse_proxy localhost:8096
        tls {
                dns cloudflare <secret>
        }
}

But I still can’t reach it and Caddy throws this:

2023/03/16 21:39:46.466	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 56781}
2023/03/16 21:39:46.466	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2023/03/16 21:39:46.466	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000618e70"}
2023/03/16 21:39:46.466	INFO	tls.cache.maintenance	stopped background certificate maintenance	{"cache": "0xc000618e70"}

Remember, I have to access it through typing on a browser. My router forwards that port to my server on the same port, so WAN:57681 → SERVER:57681. I tried to forward it to 443 and change the Caddyfile, but couldn’t get it to work.

Make sure to include https:// in front, otherwise browsers will assume HTTP.

What do you mean by “can’t reach it”? What error are you seeing? Turn on the debug global option and make a request with curl -v.

Those are normal INFO level logs. There’s no problem there at all.
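A complete Caddyfile for the setup described in this thread, added here as an example and not taken from the original post or from the Caddy project: it combines the global port options from the post with the debug global option suggested in the reply, reads the Cloudflare API token from an environment variable instead of writing it inline, and uses <domain> and CF_API_TOKEN as placeholders. It assumes a Caddy build that includes the Cloudflare DNS module (the plain apt package does not ship it) and that the domain's A record points at the Mullvad exit address.

```caddyfile
# Added example, not the original poster's config.
# Placeholders: <domain> (the site hostname) and CF_API_TOKEN
# (environment variable holding a Cloudflare API token).
{
	# Caddy listens on the Mullvad-assigned ports instead of 80/443,
	# so every URL must carry the port: https://<domain>:56781
	http_port 54995
	https_port 56781
	# Global debug option from the reply: verbose logs while testing
	debug
}

<domain> {
	# DNS-01 challenge through Cloudflare, so the certificate is issued
	# even though 80/443 are unreachable from the internet.
	# The token is read from the environment, not stored in the file.
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
	reverse_proxy localhost:8096
}
```

Test from outside the LAN with curl -v https://<domain>:56781; the verbose output shows which certificate Caddy presents and whether the TLS handshake completes.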
