Secure Cloud Infrastructure with OpenWrt DMZ Gateway + Comprehensive Monitoring
A production-ready infrastructure stack featuring OpenWrt as a cloud DMZ gateway, complete with VPN connectivity, security monitoring (Suricata IDS), and unified observability (Grafana, Loki, Mimir, Alloy).
This stack introduces a cloud DMZ pattern using OpenWrt as a virtual router/firewall in cloud environments (OCI, AWS, Azure, GCP). All traffic flows through OpenWrt, providing:
- Enterprise-grade security at the network edge
- WireGuard VPN for encrypted site-to-site and remote access
- Complete visibility with Suricata IDS, firewall logging, and GeoIP analysis
- Unified monitoring of infrastructure, applications, and security events
- Easy deployment across any cloud provider
- Features
- Architecture
- Quick Start
- Use Cases
- Components
- Documentation
- Cloud Provider Guides
- Contributing
- License
Last Updated: December 21, 2025. Production Stack: Fully Operational.
| Server | IP | Role | Services |
|---|---|---|---|
| Oracle01 | 10.0.206.10 | Monitoring Hub | Grafana + Loki + Mimir + Alloy |
| Oracle02 | 10.0.206.20 | Application Server | Nginx + Redis HA + Suricata IDS |
| OracleWrt | 10.0.5.1 | Cloud DMZ Router | OpenWrt + WireGuard + Firewall |
| OpenWrt | 10.0.100.1 | Local Gateway | OpenWrt + WireGuard + VPN |
| Tecklord01 | 10.48.1.15 | Dev Server | Docker Swarm + MariaDB |
- 7 Production Dashboards - NGINX analytics, Redis HA, Suricata IDS, Router monitoring
- GeoIP World Maps - Visitor geolocation on all web and security dashboards
- Redis HA Cluster - Sentinel-managed master/replica with automatic failover
- Docker DNS Sync - Automatic container DNS registration across Swarm cluster
- Migrated to Grafana Alloy - Unified agent replacing Promtail
- Firewall Logs: 2 routers streaming syslog with GeoIP enrichment (ports 1515, 1516)
- Web Traffic: Nginx access logs with visitor geolocation from 10+ websites
- Security Events: Suricata IDS alerts with threat source mapping
- System Metrics: CPU, memory, disk, network from all infrastructure
- Container Metrics: Docker resource usage via cAdvisor
```text
Live Log Sources: 8 active streams
├── openwrt_syslog (local router)
├── oraclewrt_syslog (cloud router)
├── nginx_access (10+ websites)
├── nginx_error
├── suricata (IDS/IPS)
├── syslog (system logs)
└── system_logs

Metrics Collection: 5 servers monitored
└── node_exporter, cAdvisor, collectd
```
- OpenWrt Cloud DMZ - Virtual router/firewall at cloud network edge
- WireGuard VPN - Site-to-site tunnels + mobile client support
- Suricata IDS/IPS - Real-time threat detection and prevention
- Zone-based Firewall - Granular network segmentation
- DNS over TLS (Stubby) - Encrypted DNS queries
- GeoIP Analysis - Geographic threat intelligence
- Grafana Alloy - Unified agent for logs and metrics
- Grafana Loki - Scalable log aggregation
- Grafana Mimir - Long-term Prometheus metrics storage
- Low-Cardinality Logging - Optimized for Loki's architecture
- Pre-built Dashboards - System, Docker, nginx, security monitoring
- Centralized Logging - Single pane of glass for all infrastructure
- Docker-based - Easy deployment with docker-compose
- Multi-server Support - Scales from 1 to 100+ servers
- Infrastructure as Code - Reproducible deployments
- Cloud Provider Guides - OCI, AWS, Azure, GCP deployment docs
- Backup/Restore Scripts - Data protection automation
```text
Point to Point, MTU 1388

  INTERNET <===========< WireGuard VPN tunnel (wg0) >===========> INTERNET
      |                                                              |
      v                                                              v
+------------------------+  Static IP               +------------------------+  DDNS
| OCI - Gateway          |                          | Local Gateway          |  Dynamic IP
| WAN: 201.xxx.xxx.xxx   |                          | WAN: 97.xxx.xx.xxx     |
| OpenWrt Router         |                          | OpenWrt Router         |
| (10.0.5.1    wg0)      |                          | (10.0.100.1  wg0)      |
+-----------+------------+                          +-----------+------------+
            |                                                   |
+-----------+------------+          +-----------------------------+-----------------------------+
| Local Network (LAN)    |          | Local Network (Secure)      | Local Network (LAN DEV)     |
| 10.0.206.0/24          |          | 10.48.1.0/24                | 192.168.10.0/23             |
+-----+------------+-----+          +--------------+--------------+--------------+--------------+
      |            |                               |                             |
+-----+------+ +---+--------+          +-----------+-----------+     +-----------+-----------+
| Ubuntu     | | Ubuntu     |          | Debian VM             |     | DEV TEST              |
| oracle01   | | oracle02   |          | tecklord01            |     | DEVIL01               |
| 10.0.206.10| | 10.0.206.20|          | 10.48.1.15            |     | 192.168.10.0/24       |
| (10G RAM)  | | (12G RAM)  |          | (4G RAM)              |     | 192.168.20.0/24       |
+------------+ +------------+          +-----------------------+     | 128GB RAM, 64 Epyc    |
                                       (VMware Fusion on Mac)        | 2 4790 TI 32GB        |
                                                                     | 12 TB STORAGE         |
                                                                     +-----------------------+
                                                                     (DEVS PLAYGROUND)
```
```text
Logs:
OpenWrt Routers → Alloy (syslog:1515, syslog:1516) → Loki (firewall logs + GeoIP)
Servers         → Alloy (file collection)          → Loki (app logs, system logs)
Nginx           → Alloy (access/error logs)        → Loki (web traffic + GeoIP)
Suricata        → Alloy (eve.json)                 → Loki (IDS alerts + GeoIP)

Metrics:
Servers       → Alloy → Mimir (via prometheus.remote_write)
Docker        → cAdvisor → Alloy → Mimir
node_exporter → Alloy → Mimir
collectd      → Alloy → Mimir (OpenWrt metrics)

GeoIP Enrichment Pipeline:
Raw Log → stage.logfmt/json → stage.geoip → stage.pack → Loki
                                   ↓             ↓
                             GeoLite2-City    JSON Embed
                             (MaxMind DB)     (queryable)

Query: {job="..."} | json | geoip_country_name="China"
```
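The metrics path in the flow above (exporters → Alloy → Mimir via `prometheus.remote_write`), written out as an Alloy configuration. This is an added example for this README, not the repository's own `docker-compose-oracle01.yml` config. Ports are the ones from the component tables on this page; the loopback bind addresses, the `host` label value, the 30s interval and the Mimir tenant name are assumptions.

```alloy
// Added example (not the repository's own config) for the metrics path:
// exporters -> Alloy -> Mimir. Ports come from the component tables on this page;
// the bind addresses, host name and Mimir tenant are assumptions.

// Host metrics from Alloy's embedded node_exporter; no separate process needed.
prometheus.exporter.unix "host" { }

// Scrape the embedded exporter plus cAdvisor (9200) and nginx_exporter (9113)
// running on the same server. Explicit job labels keep dashboards portable.
prometheus.scrape "local" {
  targets = array.concat(
    prometheus.exporter.unix.host.targets,
    [
      { __address__ = "127.0.0.1:9200", job = "cadvisor" },
      { __address__ = "127.0.0.1:9113", job = "nginx" }
    ]
  )
  scrape_interval = "30s"
  forward_to      = [prometheus.relabel.host.receiver]
}

// One static `host` label per server; nothing per-request or per-IP ever
// becomes a series label (the same cardinality rule the log pipeline follows).
prometheus.relabel "host" {
  rule {
    target_label = "host"
    replacement  = "oracle02"   // assumed: this server's name from the table above
  }
  forward_to = [prometheus.remote_write.mimir.receiver]
}

prometheus.remote_write "mimir" {
  endpoint {
    url = "http://10.0.206.10:9009/api/v1/push"  // Mimir on the monitoring hub
    // Mimir rejects pushes without a tenant header unless multitenancy is disabled.
    headers = { "X-Scope-OrgID" = "teckglobal" } // assumed tenant name
  }
}
```

Grafana then reads the same tenant back through a Prometheus datasource pointed at `http://10.0.206.10:9009/prometheus` with the matching `X-Scope-OrgID` header.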
- Docker & Docker Compose (or Docker Swarm for HA)
- Linux server with 4GB+ RAM (Ubuntu 22.04+ or Debian 11+)
- (Optional) OpenWrt router for DMZ gateway
```bash
# Clone the repository
git clone https://github.com/teckglobal/teckglobal-cloud-dmz-stack
cd teckglobal-cloud-dmz-stack

# Deploy Loki (log aggregation)
cd grafana-loki && docker-compose up -d && cd ..

# Deploy Mimir (metrics storage)
cd grafana-mimir && docker-compose up -d && cd ..

# Deploy Alloy (unified collection agent)
cd grafana-alloy && docker-compose -f docker-compose-oracle01.yml up -d && cd ..
```

Dashboards are located in grafana/dashboards/. Import via the Grafana UI:

- Open Grafana: http://your-server:3000
- Go to Dashboards → Import
- Upload the JSON file or paste the dashboard ID
- Select your datasources (Loki, Prometheus/Mimir)
See grafana/dashboards/README.md for full dashboard documentation.
| Service | URL | Default Login |
|---|---|---|
| Grafana | http://your-server:3000 | admin/admin |
| Loki API | http://your-server:3100 | - |
| Alloy UI | http://your-server:12345 | - |
| Mimir API | http://your-server:9009 | - |

Change the Grafana admin password at first login. Loki, Mimir and the Alloy UI have no built-in authentication, so keep ports 3100, 9009 and 12345 reachable only from the internal network or over the WireGuard tunnel, never from the WAN.
Deploy OpenWrt as a virtual router in your cloud VPC to control all traffic ingress/egress with enterprise firewall capabilities.
Connect multiple cloud regions or connect cloud infrastructure to on-premises networks with WireGuard VPN.
Monitor all network traffic with Suricata IDS, analyze threats with GeoIP geolocation, and visualize security events in Grafana dashboards. Track attack sources by country, identify malicious patterns, and respond to threats in real-time.
Aggregate logs from all servers, containers, and network devices into a single Loki instance for easy search and analysis.
Track CPU, memory, disk, network metrics across your entire infrastructure with pre-built dashboards.
Monitor nginx access/error logs, track request rates, analyze status codes, and identify performance issues.
| Component | Purpose | Port |
|---|---|---|
| OpenWrt | DMZ Gateway/Router | 22 (SSH), 80/443 (LuCI) |
| WireGuard | VPN Tunnels | 62100, 62225 (UDP) |
| Suricata | IDS/IPS | N/A (inline) |

Only the WireGuard UDP ports need an accept rule on the WAN zone; SSH and LuCI should accept connections from the LAN and WireGuard zones only. The cloud provider's security lists or groups still filter traffic before it reaches the OpenWrt VM, so they need matching rules for the WireGuard ports.

| Component | Purpose | Port |
|---|---|---|
| Grafana | Visualization | 3000 |
| Grafana Loki | Log Aggregation | 3100 |
| Grafana Mimir | Metrics Storage | 9009 |
| Grafana Alloy | Unified Agent | 12345 |
| Prometheus | Metrics Scraping | 9090 |
| Component | Purpose | Port |
|---|---|---|
| node_exporter | System Metrics | 9100 |
| cAdvisor | Container Metrics | 9200 |
| nginx_exporter | Nginx Metrics | 9113 |
- Installation Guide
- GeoIP Setup Guide - IP geolocation for threat intelligence
Pre-built dashboards ready to import. See grafana/dashboards/README.md for details.
| Dashboard | Description | Datasource |
|---|---|---|
| NGINX Web Analytics | Web traffic, GeoIP maps, visitor stats | Loki |
| Redis HA - TeckGlobal | Sentinel cluster monitoring | Redis |
| Suricata IDS | Security alerts, threat analysis | Loki |
| OpenWRT Appliance | Local router metrics | Prometheus |
| OracleWRT Appliance | Cloud gateway metrics | Prometheus |
| Claude Code Analytics | AI assistant usage tracking | MySQL |
| Network Overview | Infrastructure overview | Loki + Prometheus |
- Grafana Alloy - Unified log/metric collection agent
- Grafana Loki - Log aggregation and storage
- Grafana Mimir - Long-term metrics storage
- Suricata IDS - Network intrusion detection
- Redis HA Stack - Sentinel-managed Redis cluster
- Docker DNS Sync - Automatic container DNS registration
This stack has been tested and verified on:

- Oracle Cloud (OCI) - Production deployment
- AWS - Tested
- Home Lab / Bare Metal - Tested
OpenWrt can run as a VM on any cloud provider that supports custom images or nested virtualization.
Most cloud deployments lack proper network-level security:

- Reliance on provider security groups only
- No centralized firewall management
- Limited threat visibility
- Fragmented logging

OpenWrt provides enterprise features in a lightweight, open-source package:

- Zone-based firewall with granular control
- WireGuard VPN built-in
- Intrusion detection with Suricata
- Unified logging to monitoring stack
- Cost-effective (runs on minimal resources)
Many users hit Loki's stream limits because of high-cardinality labels. Every distinct label set is its own stream, so labels carrying a client IP, a port or a coordinate create a stream per client, and once the per-tenant active-stream limit is reached Loki rejects pushes with HTTP 429.

Before (Promtail with high cardinality):

```text
{src_ip="1.2.3.4", dest_port="443", geoip_city="London",
 geoip_lat="51.5081", geoip_long="-0.1278", filename="/var/log/nginx/site1.log"}
= 10,000+ streams → 429 errors
```

After (Alloy with optimized cardinality):

```text
{job="nginx_logs", host="server01", website="site1"}
= ~20 streams
```

The high-cardinality fields are still there, packed into the log line as JSON instead of the label set, so they are queried with LogQL at read time:

```logql
{job="nginx_logs"} | json | src_ip="1.2.3.4" | geoip_city="London"
```

Result: 99% fewer streams, no more errors, faster queries!
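The GeoIP enrichment pipeline from the architecture section and the label discipline described here, combined in one Alloy configuration. This is an added example written for this README, not the repository's own `grafana-alloy` config. It receives OpenWrt firewall syslog on UDP 1516 and tails nginx access logs, keeps only `job`, `host` and `website` as stream labels, enriches the source address from GeoLite2-City, and packs every per-request field into the line so the LogQL queries further down (`DPT="22"`, `{{.SRC}}`, `geoip_country_name`) work against it. The bind address, the `.mmdb` path, the fw4 log layout matched by the regex, the `*.access.log` naming scheme, the `rfc3164` syslog format and the Loki URL are assumptions.

```alloy
// Added example (not the repository's own config): one Alloy pipeline that
// implements the GeoIP enrichment flow and the low-cardinality label scheme.
// Assumptions: listener address, .mmdb path, fw4 log layout, nginx file naming,
// syslog format and the Loki URL (monitoring hub from the server table).

// --- OpenWrt firewall logs via remote syslog (router forwards to UDP 1516) ---
loki.source.syslog "oraclewrt" {
  listener {
    address       = "0.0.0.0:1516"       // assumed bind address
    protocol      = "udp"
    syslog_format = "rfc3164"            // assumed: OpenWrt logd forwards BSD-style syslog
    labels        = { job = "oraclewrt_syslog", host = "oraclewrt" }  // static labels only
  }
  forward_to = [loki.process.firewall.receiver]
}

loki.process "firewall" {
  // Constructed fw4 sample line the regex is written against:
  // "[DROP]IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.5.1 ... PROTO=TCP SPT=51234 DPT=22"
  stage.regex {
    expression = `SRC=(?P<SRC>\S+) DST=(?P<DST>\S+).*?PROTO=(?P<PROTO>\w+)(?: SPT=(?P<SPT>\d+) DPT=(?P<DPT>\d+))?`
  }
  // Look up the source address; geoip_* fields land in the extracted map.
  stage.geoip {
    source  = "SRC"
    db      = "/etc/alloy/GeoLite2-City.mmdb"  // assumed path to the MaxMind database
    db_type = "city"
  }
  // Embed the per-packet fields in the log line as JSON. They stay queryable
  // with `| json` but never become stream labels, so the stream count stays flat.
  stage.pack {
    labels = [
      "SRC", "DST", "PROTO", "SPT", "DPT",
      "geoip_country_name", "geoip_country_code", "geoip_city_name",
      "geoip_continent_name", "geoip_location_latitude", "geoip_location_longitude"
    ]
    ingest_timestamp = false
  }
  forward_to = [loki.write.hub.receiver]
}

// --- nginx access logs: one stream per (job, host, website) ---
local.file_match "nginx" {
  path_targets = [{ __path__ = "/var/log/nginx/*.access.log" }]  // assumed naming scheme
}

loki.source.file "nginx" {
  targets    = local.file_match.nginx.targets
  forward_to = [loki.process.nginx.receiver]
}

loki.process "nginx" {
  // Derive `website` from the file name, then drop `filename` so the full path
  // is not a label (one label value per site, not one per log file path).
  stage.regex {
    source     = "filename"
    expression = `/var/log/nginx/(?P<website>[^/]+)\.access\.log$`
  }
  stage.labels        { values = { website = "" } }
  stage.static_labels { values = { job = "nginx_access", host = "oracle02" } }
  stage.label_drop    { values = ["filename"] }

  // Constructed combined-format sample line:
  // 198.51.100.23 - - [21/Dec/2025:10:00:00 +0000] "GET /login HTTP/1.1" 404 153 "-" "curl/8.5.0"
  stage.regex {
    expression = `^(?P<remote_addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})`
  }
  stage.geoip {
    source  = "remote_addr"
    db      = "/etc/alloy/GeoLite2-City.mmdb"
    db_type = "city"
  }
  stage.pack {
    labels = ["remote_addr", "method", "path", "status",
              "geoip_country_name", "geoip_city_name", "geoip_continent_name"]
    ingest_timestamp = false
  }
  forward_to = [loki.write.hub.receiver]
}

loki.write "hub" {
  endpoint { url = "http://10.0.206.10:3100/loki/api/v1/push" }
}
```

After `stage.pack`, each stored line is a JSON object holding the packed fields plus the original message under `_entry`, which is why the queries below start with `| json` before filtering on `DPT`, `status` or `geoip_country_name`. Private and unroutable source addresses have no GeoLite2 entry, so their lines simply carry no `geoip_*` keys; the `geoip_country_name!=""` filters below exclude them.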
All log sources (routers, nginx, Suricata) include GeoIP enrichment for IP addresses. Query geographic data using LogQL:
```logql
# All firewall drops from China
{job="oraclewrt_syslog"} | json | geoip_country_name="China"

# Traffic from specific city
{job="openwrt_syslog"} | json | geoip_city_name="Moscow"

# Map attacks by country
{job=~".*_syslog"} | json | geoip_country_name!=""
  | line_format "{{.SRC}} from {{.geoip_city_name}}, {{.geoip_country_name}}"

# SSH attacks from Asia
{job=~".*_syslog"} | json | DPT="22" | geoip_continent_name="Asia"
```

```logql
# Visitors from United States
{job="nginx_access"} | json | geoip_country_name="United States"

# 404 errors by country
{job="nginx_access"} | json | status="404" | geoip_country_name!=""

# API requests from Europe
{job="nginx_access", website="api.example.com"}
  | json | geoip_continent_name="Europe"

# Map visitor locations
{job="nginx_access"} | json
  | line_format "{{.remote_addr}} - {{.geoip_city_name}}, {{.geoip_country_name}}"
```
```logql
# Critical alerts from foreign countries
{job="suricata", event_type="alert"}
  | json | severity="1" | geoip_country_name!="United States"

# SQL injection attempts by origin
{job="suricata"} | json | signature=~".*SQL.*"
  | geoip_country_name!=""

# Malware callbacks mapped (Suricata classifications are full phrases such as
# "Malware Command and Control Activity Detected", so match the prefix)
{job="suricata"} | json | category=~"Malware.*"
  | line_format "{{.dest_ip}} → {{.geoip_city_name}}, {{.geoip_country_name}}"

# DDoS sources by coordinates
{job="suricata", event_type="flow"} | json | geoip_location_latitude!=""
```

These queries assume the Alloy pipeline promotes `event_type` to a stream label (it has only a handful of values, so it is safe as a label) and hoists `alert.severity`, `alert.signature` and `alert.category` to top-level fields. Over raw eve.json, `| json` flattens nested keys with underscores, so the same filters would use `alert_severity`, `alert_signature` and `alert_category`.
All enriched logs include these queryable fields:

- `geoip_country_name` - "United States", "China", "Brazil"
- `geoip_country_code` - "US", "CN", "BR"
- `geoip_city_name` - "New York", "Tokyo", "London"
- `geoip_continent_name` - "North America", "Asia", "Europe"
- `geoip_location_latitude` - "40.7128"
- `geoip_location_longitude` - "-74.0060"
We welcome contributions! Please see CONTRIBUTING.md for guidelines.

- Report bugs or issues
- Suggest new features or improvements
- Improve documentation
- Test on new cloud providers
- Create new Grafana dashboards
- Submit bug fixes or enhancements
This project is licensed under the MIT License - see the LICENSE file for details.
Created by: TeckGlobal Development Team
Based on: Production deployments monitoring 5+ servers, 38+ Docker containers, handling millions of requests per month.
Special Thanks to:
- Grafana Labs for the observability stack
- OpenWrt Project for the incredible router OS
- Suricata Project for IDS/IPS capabilities
If this project helped you, please star the repository!
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Website: teck-global.com