this post was submitted on 20 Jul 2023
35 points (94.9% liked)

Selfhosted

40690 readers
775 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I live in a country where wireguard, openvpn and other vpn protocols have been blocked. Tailscale and Cloudflare Tunnels don't wok either. I do have a public ip and my router supports DMZ and port forwarding. For security concerns I'm not willing to forward ports. Is there any other method to use my VPS to forward traffic to my home server?

top 35 comments
sorted by: hot top controversial new old
[–] [email protected] 25 points 1 year ago (2 children)

Does ssh works? If yes, you can use autossh to create persistent ssh tunnel to your VPS.

[–] [email protected] 7 points 1 year ago

Yeah SSH still works. Thanks for the suggestion.

[–] nuclearkittens 2 points 1 year ago

autossh

That's what I've been doing for the last 7 months. Works perfectly !

[–] [email protected] 17 points 1 year ago (1 children)

I think your best bet is try to use OpenVPN via TCP over port 80 or 443. You could also try setting up an SSH VPN tunnel.

[–] [email protected] 4 points 1 year ago

That used to work but it doesn't anymore. Openvpn over cloak still works apparently. I'll give it a try.

[–] [email protected] 9 points 1 year ago (2 children)

I'm surprised they block WireGuard, especially with a preshared key. That makes it essentially pure randomness over UDP. I'd assume they block popular VPN providers and tunneling services which makes it easier to block by blocking the setup process which is usually just HTTPS.

Have you tried a basic plain WireGuard between your home and your VPS, with a preshared key and using some other protocol's port? Maybe like UDP on port 443 so it looks like QUIC?

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

I haven't tried this. Will do. When wireguard still worked i used to use this script to set it up.

[–] [email protected] 6 points 1 year ago

Quick glance at the script shows it does randomize the port (but in the upper end of the space), but does not do preshared keys.

The PSK can hide the protocol better by not looking like a key handshake. Although I'm not sure ISPs have quite reached that level yet.

If you're in China, there's been some recent research showing that they block things that looks encrypted based on the entropy of the bits in a packet. I couldn't find the bypass software anymore but that might help you as well.

If you're not in China something like the XRay/v2ray proxy or shadowsocks might help as well.

Although honestly, port forwarding with a firewall only allowing your VPS IP should honestly be fairly sufficient security-wise. You could also try inverting the WireGuard connection and have the VPS connect to your home through port forwarding, traffic analysis is usually on egress not ingress.

[–] [email protected] 2 points 1 year ago

Wireguard is not meant to bypass detection of any kind of Deep Packet Inspection technology. It's also stated by the project website, under the Known Limitations sections.

https://www.wireguard.com/known-limitations/

There are many characteristics (except the handshake) which can make it stand out as a P2P or VPN(-ish) traffic, and then get blocked.

[–] [email protected] 6 points 1 year ago

Might I suggest Fast Reverse Proxy ( https://github.com/fatedier/frp )

It's a great solution if you don't have a public IP or can't/don't want to open any ports.

I found it super easy to setup and configure. I put caddy in front of the server side for mine to ssl offload there. But you could also route everything down the tunnel it makes and use a local reverse proxy to handle SSL offloading

[–] zikk_transport2 6 points 1 year ago (1 children)

Some time ago I've done a "public IP implementation" on my VPS when I was on mobile network (no public IP).

Basically set up IPSec/Wireguard on VPS and connect your router to it. Then setup EoIP over VPN between VPS and your router. Then add EoIP tunnel to your LAN's bridge in your router.

Then setup all ports forwarding (using iptables) from your VPS to your router on LAN, so if you connect to your VPS using tcp80, it will be simply forwarded (NAT'ed) to your router. Except tcp22, for SSH to your VPS obviously...

And now you have yet another public IP lol.

This is not something you asked, but might give you some ideas.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

So that setup effectively gives you an all-ports available connection (except 22) from your mobile device and anything that connects through it, like a laptop? The exit node would be the VPS.

Could I skip the home router and EoIP+VPN directly between mobile and VPS, for instance?

I am in a situation (restrictive firewall on ethernet/wifi, prefer personal mobile connection but it's cgnat or something equally crap) this could be very useful for me.

[–] zikk_transport2 2 points 1 year ago

Technically like this:

Anyone -tcp80-> vps -tcp80-> router -tcp80-> homeserver.

Exit of homeserver-originated traffic would be your router, not vps. Unless you specify custom routes in your router, then yeah, might be possible.

Also you don't need EoIP tunnel at all, since it's all in Layer4.

[–] [email protected] 4 points 1 year ago (1 children)

What is your ultimate goal? Are you trying to host stuff from your home though the VPS? Or are you trying to use the VPS as an internet connection? Or something else.

I would follow the other comments first try OpenVPN over 80 or 443 or SSL.

If your just interested is using the VPS's internet at home you could look at a hosting an internet proxy from the VPS. I think that would be all HTTPs traffic so it would just look like normal web traffic to the outside world and be hard to detect. Although it would limit your traffic to just HTTP traffic.

If your just trying to access your network remotely though the VPS. Depending on what kind of access you need. You could look at something like hosting Meshcentral on your VPS. It is mostly for remote controlling computers so you could access your network via a local computer or you could look at a feature called meshcentral router.

You can install that on a laptop and then used that to remote port to a local port on your laptop.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

My goal is to be able to access local services running in a NUC at home. Currently it's Jellyfin and i plan to set up Immich too for backing up photos.

I currently use Xray/Shadowsocks on the same vos to bypass the censorship, but they are proxies not VPNs.

Never heard of meshcentral‌, will have a look at documentation. Thanks.

[–] emhl 4 points 1 year ago (1 children)

A ssh tunnel probably is your best option

[–] [email protected] 4 points 1 year ago

I think so as well and it is sad that that the OP has to be in a place where internet is so heavily censored.

[–] [email protected] 4 points 1 year ago (1 children)

My country also block VPN.

The solution that always worked for me is using OpenVPN with static key configuration. https://openvpn.net/community-resources/static-key-mini-howto/

[–] [email protected] 1 points 1 year ago

Never heard of this. Thanks.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Try harder.

But no actually try a different vpn on a port like https or something up like a Skype call port

[–] [email protected] 6 points 1 year ago (2 children)

It's not about port numbers anymore. Their firewall even blocks normal https traffic when huge amount of data is being sent/received. They are getting smarter at guessing if the traffic is normal or it's a vpn.

[–] [email protected] 2 points 1 year ago

So they’re scanning destinations. If they look like a vpn then they squash you. Very ccp of them

[–] [email protected] 1 points 1 year ago (1 children)

I have no idea how to set it up but you’re looking for is v2ray and shadow socks

[–] [email protected] 1 points 1 year ago

They are what I use but they're proxies not VPNs. Not sure they work for tunneling traffic from vps to home.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

SSH is an obvious thing to try, but I suppose it may get cut off by the same DPI.

Possibly, ShadowSocks or obfs4proxy might be of some help? E.g. you can wrap Wireguard traffic in ShadowSocks (AFAIK it supports UDP).

[–] [email protected] 1 points 1 year ago

SSH still works but I need to learn to set up a persistent , resilient tunnel. Just found this guide in using Wireguard over shadowsocks: https://errande.com/2021/07/obfuscate-wireguard/

[–] [email protected] 2 points 1 year ago (1 children)

If you live in a country with the regular vpn protocols being blocked, you will need to be more specific with a vpn that obfuscates the network connection. Something like Astril or expressvpn will both have tunnel obfuscation. At that point it’s less about hiding your activity, and more about gaining access to other sites because I wouldn’t vouch for the privacy on those two vpns.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

ExpressVPN used to work but it got blocked too. I need a personal VPN solution to host on my own server. Currently we use Xray/V2ray to access restricted websites but they're proxies, not proper VPNs.

[–] [email protected] 4 points 1 year ago

Express has been shit since forever.

I'm assuming you're in China? Astrill is using a proprietary vpn protocol and hardly ever has downtimes (use the stealth mode or install it on the router directly).

[–] [email protected] 2 points 1 year ago

As godless has stated, and I was also using astril when I was in China. For a personal option, I am not aware of a personal vpn that also includes obfuscation and is not using blocked vpn technologies/techniques.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Maybe you can give Outline a try. It is based on shadowsocks a proxy tunnel with enough obfuscation to fly even under the radar of the GFW of Communist China.

load more comments
view more: next ›