this post was submitted on 21 Apr 2024
99 points (95.4% liked)

Selfhosted

40495 readers
705 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I need help figuring out where I am going wrong or being an idiot, if people could point out where...

I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc...) controlled by portainer.

A consumer router assigns static Ip addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.

I figure the server needs the dyndns address to point at it but I the scripts pick up the internal IP.

How are people solving this?

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 36 points 7 months ago (4 children)

The easiest and quickest way thats still safe is to just use tailscale.

Its a zero config VPN that you can install on all your devices. I've been using it for quite some time now and I'm still fascinated by how easy to use it is.

[–] [email protected] 14 points 7 months ago (3 children)

I would want to go that appros but it feels very inconvenient having to connect to VPN every time I want to check something, also the battery drain if I stayed connected all the time

[–] WASTECH 9 points 7 months ago (1 children)

I’ve been using Tailscale for about 2 months now. It has a VPN-on-demand setting that I keep enabled. That way, anytime I am not on my local WiFi, it automatically connects the VPN. According to my battery health settings, Tailscale has used 5% of my battery in the last 10 days. And I am even using a Mullvad exit node, which would use even more battery.

[–] [email protected] 1 points 7 months ago (1 children)

Where is VPN in demand setting?

[–] WASTECH 1 points 7 months ago

On iOS, I tap on my profile in the upper right, and the VPN-on-demand setting is right below my account.

[–] [email protected] 2 points 7 months ago

Not sure is it same, I don't use tailscale, but using pure wireguard. In my experience battery drain is not even noticable, but staying connected is not smooth as I'd like. I tried to keep active VPN all the time, but then sometimes I just notice my internet is not working ( I have disable or restart VPN connection). It could be issue with my phone (Android), missconfig or something else, but I switched to manually enabling VPN every time I need it. Not amazing, but few clicks every now and then is more than acceptable for my use case

[–] [email protected] 2 points 7 months ago

No significant battery drain for me, and I use it a lot, almost all the time.

Yea, it's a little drain, just nothing to worry about.

[–] tudor 1 points 7 months ago

Or Twingate. It works very well for me

[–] [email protected] 1 points 7 months ago

I found Tailscale/Headacale way more difficult to setup than Wireguard.

load more comments (1 replies)
[–] [email protected] 27 points 7 months ago (4 children)

It's easiest to just register a domain name and use Couldflare Tunnels. No need to worry about dynamic DNS, port forwarding etc. Plus, you have the security advantages of DDoS protection and firewall (WAF). Finally, you get portability - you can change your ISP, router or even move your entire lab into the cloud if you wanted to, and you won't need to change a single thing.

I have a lab set up on my mini PC that I often take to work with me, and it works the same regardless of whether it's going thru my work's restricted proxy or the NAT at home. Zero config required on the network side.

[–] [email protected] 5 points 7 months ago

Just a reminder that even though the tunnel itself is encrypted, the whole connection is not E2E encrypted between your remote client and the server. Cloudflare as a CDN/PoP provider can see the traffic in plaintext.

In all other aspects, this is a great solution, as we even get to use the edge caching(over top of all others mentioned above) facility - which further reduces the requests to origin server.

[–] [email protected] 3 points 7 months ago

I recently went this route after dabbling with other options. I had a wireguard VPN through my Unifi router, with rules to limit access to only the resources I wanted to share, but it can be a struggle for non savvy users, and even more so if they want to use Jellyfin on their TV. Tried Twingate too and would recommend if it fits your usecase, but Cloudflare Tunnels were more applicable to me.

load more comments (2 replies)
[–] [email protected] 22 points 7 months ago (1 children)

By "remotely accessible", do you mean remotely accessible to everyone or just you? If it's just you, then you don't need to setup a reverse proxy. You can use your router as a vpn gateway (assuming you have a static ip address) or you can use tailscale or zerotier.

If you want to make your services remotely accessible to everyone without using a vpn, then you'll need to expose them to the world somehow. How to do that depends on whether you have a static ip address, or behind a CGNAT. If you have a static ip, you can route port 80 and 443 to your load balancer (e.g. nginx proxy manager), which works best if you have your own domain name so you can map each service to their own subdomain in the load balancer. If you're behind a GCNAT, you're going to need an external server/vps to route traffics to its port 80 and 443 into your home network, essentially granting you a static ip address.

[–] [email protected] 7 points 7 months ago

You don't need a static IP to host a VPN. You can do it using a dynamic DNS which updates the DNS records to match your IP when/if it changes. You do need a public IP though, so CGNAT goes straight out.

[–] [email protected] 21 points 7 months ago

Im using wireguard VPN. You have to setup VPN server (using your DynDNS address, but duckdns in my case), open wireguard port in your router and configure each device that needs access. Reverse proxy is not needed, but I have it so I can use jellyfin.example.com instead of 192.168.100.40:8096. I use NPM (nginx proxy manager) with awesome GUI that can create lets encrypt certificates. I also use piHole for local DNS server

[–] odious 17 points 7 months ago (1 children)

If you are the only one using the services, then go for a VPN instead of port forwarding or sth. This way, your stuff isn't openly accessible from the internet to anyone poking around

[–] anamethatisnt 3 points 7 months ago (1 children)

I agree with this, protecting everything behind a VPN is the way to go. I help friends setup their vpn client to my stuff if I want them to access an internal service.

[–] [email protected] 3 points 7 months ago

Set up VPN = scan QR code. Love how easy everything has gotten

[–] [email protected] 14 points 7 months ago* (last edited 7 months ago)

If you are going for a reverse proxy, I highly recommend using Caddy. Issuing TLS certificates is all done automatically and reverse proxy headers are all automatically set.

In many cases, this simple config is enough:

example.org {
    reverse_proxy localhost:1234
}
[–] [email protected] 12 points 7 months ago* (last edited 7 months ago) (1 children)

My advice is to just use Tailscale. It’s a 5 minute setup and you get access to your stuff from anywhere, securely, without opening ports to the public internet. It will give your server a second IP address, which you will be able to access from any other device which is also registered to your Tailscale account.

My personal setup:

  • Tailscale installed on all devices that need access to my home lab
  • Custom domain with root A record set to server’s Tailscale IP
  • caddyserver reverse proxy on server, with DNS https authentication configured (regular http with won’t work because it’s not on the public internet)
  • services all on subdomains
[–] [email protected] 2 points 7 months ago

Btw you can self host an open source Tailscale server called Headscale. And there's NetBird which is a fully open source alternative to Tailscale.

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (1 children)

I have a wireguard tunnel set up between my home server and the VPS, with persistent keepalive. The public domain name points to the VPS, then I have it set up (simply using iptables) so that any traffic there in port 80 and 443 is sent back to my honeserver and there it’s handled by caddy, and sent to the actual service.

The only ports I need to open are 80 and 443 on my VPS to make this setup work. So, no open ports on my local machine. This does however require you to pay for VPS. Since you aren't doing much on it though, you can get away with a cheap one. I have a $12/year VPS from Rack nerd that I use for this job.

For completely free options, you can do one of three things. (That I can think of. There are probably more ways.)

  1. Either open up some ports on your machine. You'll need to make sure that you aren't behind a CGNat for this. I simply don't like opening ports to the internet, though.
  2. You can use a VPN. Tailscale works great for this. I use it personally for sshing remotely into my machines.
  3. You can use cloudflare-tunnels. Potentially bad privacy-wise since they can technically access the data. So don't use it for sensitive stuff. Also, their policy doesn't allow traffic that's not mostly HTML. So something like a Jellyfin server would violate this. But you do get to use their firewall which is great for protection against DDOS attacks.

P.S. If you need help setting any of these up, lmk.

[–] betweenchaosandshape 2 points 7 months ago (1 children)

Your setup sounds great! I hadn’t come across something like that and I’d love to try it out, myself. Do you have a guide or any other resources with more info? I’m currently using a reverse proxy, but I’m not excited about the open ports, even with firewall rules keeping them contained.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

I'm afraid that I don't have any guides. But, you're halfway there anyway. Which one of these methods do you prefer? I can maybe give you some pointers.

[–] betweenchaosandshape 2 points 7 months ago (1 children)

I like the idea of using the VPS and forwarding requests via WireGuard. I’m about to switch my setup from using NPM to Traefik. The next step after that may be to put the VPS in front of it all.

[–] [email protected] 2 points 7 months ago (1 children)

My setup looks like the following:

/etc/wireguard/wg-vps.conf on the VPS
-----------------------------------------------------
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = ********************************************

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding 80 and 443
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg-vps -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg-vps -j MASQUERADE

[Peer]
PublicKey = ********************************************
AllowedIPs = 10.8.0.1
/etc/wireguard/wg-vps.conf on my home-server
---------------------------------------------------------------
[Interface]
Address = 10.8.0.1/24
PrivateKey = ********************************************

[Peer]
PublicKey = ********************************************
AllowedIPs = 10.8.0.2
Endpoint = <VPS-DDNS>:51820
PersistentKeepAlive = 25

Now, just enable the tunnel using sudo systemctl enable --now wg-quick@wg-vps. Make sure that the port 51820, 80, and 443 are open on the VPS. Now, allow 80, 443 through the firewall on the home-server (not on the router, just allow it locally), and it should work.

[–] betweenchaosandshape 2 points 7 months ago

Thanks so much! Hopefully I’ll be giving this a try soon.

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago)

I am using duckdns.org and let my router ping it when it's public IP changes. Then I use nginx as a reverse proxy with help of https://nginxproxymanager.com/ so I don't need to write config files and it also runs certbot for my so I don't need to deal with https manually.

Actually I also have my own domain so I use a subdomain pointing via CNAME to the duckdns subdomain. This way I can easily change the provider of dyndns.

[–] [email protected] 7 points 7 months ago

wireguard and dynamicdns

[–] [email protected] 6 points 7 months ago (2 children)

I do it the simple way. I just stick nginx in front of everything. If I don't want it to be publicly accessible I stick nginx basic auth in front of it.

The advantages is that I can easily access the services from anywhere on any device with just the password. I only need to trust nginx's basic auth to keep me protected, not various different service's authentication.

The downside is that some services don't work great when you have basic auth in the front. This is often due to things like public links or APIs that need to be accessed with other auth.

I just use nginx because I've always used it. I've heard that there are newer reverse proxies that are a bit easier to configure.

[–] Opisek 1 points 7 months ago

I do that, but only allow access to private services from local IP addresses, rather than putting auth in front of them. Then I use IPsec to access my local-only things.

[–] [email protected] 1 points 7 months ago (1 children)

How safe/secure is that approach

[–] [email protected] 1 points 7 months ago

It depends on how much you trust nginx. A HTTP server is probably a bit more complex that your average VPN solution so probably more likely to have vulnerabilities, but it is also the most popular web server on the planet, so if there is a zero day I'm probably not the first target. If you stay up to date you are probably fine.

[–] slazer2au 6 points 7 months ago

Try to scout opening ports on your modem. CloudFlare tunnel plus traefik reverse proxy is an option you can go.

There are many how-to guides like Jim's Garage that walk you through setting it up.

[–] [email protected] 5 points 7 months ago (1 children)

VPS with public IPv4, Wireguard/Tailscale/Headscale and my own Domain.

[–] [email protected] 1 points 7 months ago (1 children)

What has your experience with Headscale been like? Also, have you tried NetBird?

[–] [email protected] 2 points 7 months ago

Headscale is pretty straight forward to set up and easy to use. And there are multiple WebGUIs available to choose from, if you need. If you have any questions, let me know.

[–] PieMePlenty 5 points 7 months ago

I use nginx as a reverse proxy and assign each service either a subdomain or a specific url. SSL is configured once so all services get https. Its not the best though, some services don't like being behind a reverse proxy or don't play nice with the url, subdomain management can get cumbersome and if the service doesn't have a login page, it is open to bad actors.. i was thinking of making a website with login and exposing other web services through an iframe but i don't know how viable that may be.

A vpn would probably be the best way to go from a security standpoint but accessing services may be a pain on remote devices where a vpn isn't supported - like how would a TV on a remote network access tour jellyfin server if the service is only accessible through a vpn tunnel and the tv has no way of connecting to it? Not sure.

[–] [email protected] 4 points 7 months ago

If it's only you (or your household) that is accessing the services then something like hosting a tailscale VPN is a relatively user friendly and safe way to set-up remote access.

If not, then you'd probably want to either use the aforementioned Cloudflare tunnels, or set up a reverse proxy container (nginx proxy manager is quite nice for this as it also handles certs and stuff for you). Then port forward ports 80 and 443 to the server (or container if you give it a separate IP). This can be done in your router.

In terms of domain set-up. I've always found subdomains (homeassistant.domain.com) to be way less of a hassle compared to directories (domain.com/homeassistant) since the latter may need additional config on the application end.

Get a cheap domain at like Cloudflare and use CNAME records that point domain.com and *.domain.com to your dyndns host. Iirc there's also some routers/containers that can do ddns with Cloudflare directly, so that might be worth a quick check too.

[–] Reddfugee42 3 points 7 months ago

OpenVPN to internal network

[–] Presi300 3 points 7 months ago

Wireguard, simply connect to it whenever I'm out somewhere and boom, instant access to everything on my local network

[–] [email protected] 3 points 7 months ago

Mhh I don't know if I can help you too much. I initially followed spaceinvader ones tutorials for my unraid machine. But with time I changed from swag to nginx proxy manager. And I changed from using a duckdns docker to a router based dyndns tracker. But honestly I don't remember too much from the process I currently try to switch domain but just can't get them to work :D so I am in a smilar spot like you.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #695 for this sub, first seen 21st Apr 2024, 07:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 7 months ago
[–] [email protected] 2 points 7 months ago

I used to use Wireguard with Authelia, then I switched to Tailscale (with a self-hosted Headscale server), and now I'm trying out Netbird (which is open source btw)

[–] [email protected] 1 points 7 months ago

My IPv4 connection uses CGNAT, so I use a VPN to access my server. I also have IPv6, so I have a couple of things directly accessible over it in case the VPN drops for some reason. I do have dynamic DNS set up, although it's not really necessary. My IPv6 prefix doesn't seem to change unless I change the DUID on my firewall.

[–] [email protected] 1 points 7 months ago

Another response for "VPN". I don't have any of my self-hosted services exposed publicly & use WireGuard with the on-demand settings so that whenever I'm not at my house, I am automatically connected.

Some users did mention that things like TV's, etc outside your network wouldn't be able to connect, but that hasn't been an issue for me, since I don't use my services like that.

[–] [email protected] 1 points 7 months ago

Wireguard for network access, istio gateway for exposing services, and keycloak for SSO. I want to experiment with Teleport for more fine grained access to my services.

If I had more exposed services I would mess with crowdsec for some another firewall rule set and maybe even exposing it through a TOR service proxy.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

I have two servers (and different other machines) on two different LANs joined by a wireguard tunnel between the routers, with DynDNS running on both, and wireguard on all mobile devices that need access to the LAN.

If your router can natively run wireguard, I'd highly recommended. It just works. Or just use tailscale, it's wireguard for lazy people

load more comments
view more: next ›