this post was submitted on 17 Oct 2024
18 points (80.0% liked)

Selfhosted

40405 readers
858 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I have a small homelab that is not open to the internet. I am considering the following setup. Please let me know if there are any glaring issues or if I am over complicating things.

  • I want to setup a reverse proxy in the cloud that will also act as a certificate authority. (I want to limit who can access the server to a small group of people.)

  • I will setup a vpn from a raspberry pi in my home to the reverse proxy in the cloud.

  • The traffic will pass from the raspberry pi vpn to my homelab.

I am not sure if I need the raspberry pi. I like the cloud as the reverse proxy as I do not have a static IP. I would just get a cheap vps from hetzner or something like that.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 month ago (1 children)

Doesn't work if you're behind CGNAT (which I am), unfortunately.

To tell, if your public IP matches what your router/modem reports as its WAN IP, you might be golden. If that's the case, try messing w/ port forwards on your router to see what the ISP lets through. If it's not the case, you're behind CGNAT and either need to pay your ISP ($5-10 usually) or use a VPS. I'm behind CGNAT, so I went for the VPS because it's the same price and I find more value in that vs a publicly routable address.

[–] [email protected] 1 points 1 month ago (1 children)

Ah. Yeah. I think then you'll want to look into cloudflare tunnels. I believe that should get you through the cgnt and deal with the dynamic IP ll in one go.

[–] [email protected] 3 points 1 month ago

Yup, cloudflare should work.

I personally set up a VPS w/ a WireGuard tunnel, with a reverse proxy at the VPS that sends traffic to connected WireGuard clients. My exact setup is something like this:

  1. VPS w/ HAProxy and WireGuard - routing happens based on SNI
  2. Caddy on homelab to handle TLS trunking
  3. router configured with static DNS routes so I can use public addresses w/o hitting the WAN on my LAN

This could easily be adjusted to only have HAProxy work over the WireGuard interface so there are no public addresses to worry about.

But I used Tailscale for a while to solve this problem, and cloudflare tunnels would work as well. Lots of options to work around stupid ISP policies...