this post was submitted on 18 Jun 2023
50 points (98.1% liked)

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.


I have Plex, Radarr, Sonarr, Overseerr etc running in Docker containers, but have never found a good guide on how to access these (safely) from outside. I resort to connecting to a server running VNC. I've tried nginx but didn't understand it, also tried Cloudflare (ditto). Is there a good, easy to understand guide on how to do this?

top 31 comments
[–] [email protected] 20 points 2 years ago (3 children)

The best way is to have a small server with WireGuard installed, which is a VPN. This runs on virtually anything, including a Raspberry Pi or even a router with OpenWrt.

Anyways, your wireguard server will only accept connections from devices that have its certificate (secure passwordless authentication).

Once you're connected to that VPN, it's effectively as being in your home network.

You might want to Google for guides on how to set up WireGuard on a Raspberry Pi. Even if you don't have a Pi you'll surely find the tutorial you need.

[–] AbidanYre 5 points 2 years ago (1 children)
[–] [email protected] 2 points 2 years ago (1 children)

PiVPN is great. Works just as well on a standard server with Ubuntu.

[–] Andrew71 1 points 2 years ago

Yep, using PiVPN on an Ubuntu server too, works like a charm :D

[–] GrimSleeper 1 points 2 years ago

I've seen more and more ISPs switching to carrier-grade NAT. That makes it really difficult to reach your VPN from anywhere on the internet.

If you don't have that problem, then yes, a small Wireguard instance on a Raspberry Pi works beautifully

[–] [email protected] 1 points 2 years ago

Huh, great idea about client certs! I think I’ll implement mine that way!

[–] [email protected] 15 points 2 years ago (1 children)

You’re probably looking for Tailscale. Simple to use, free plan, extensible and powerful.

[–] [email protected] 8 points 2 years ago* (last edited 2 years ago)

In addition to the server and desktop clients, there are mobile apps for both Android and iOS.

Can be used to connect an offsite server for backups or hosting, but seen as part of your local network. No need for open ports on your home router.

Easy way to access your Plex server when away from home.

[–] FreebooterAmazing 10 points 2 years ago (1 children)

Look at Tailscale docker mod. Adds tailscale inside each arr container and treats them each like a tailscale machine, so on app level you can choose if you expose only in your tailnet or expose to internet.

[–] flunky 1 points 2 years ago

First time I'm hearing of this. Thanks for the heads up.

https://tailscale.dev/blog/docker-mod-tailscale

Up until now I've been using Traefik and a pihole with Local DNS records so I can remotely access my services when connected to Tailscale. It'd be nice to be able to point to http://jellyfin rather than http://jellyfin.server.home, for example

[–] root 9 points 2 years ago

The safest (but not as convenient) way is to run a VPN, so that the services are only exposed to the VPN interface and not the whole world.

In pfsense I specify which services my OpenVPN connections can access (just an internal facing NGINX for the most part) and then I can just go to jellyfin.homelab, etc when connected.

Not as smooth as just having NGINX outward facing, but gives me peace of mind knowing my network is locked down

[–] [email protected] 9 points 2 years ago

Assuming you don't want to expose these services directly to the internet (I don't recommend it) then you want to set up a VPN to connect back to your home network. Wireguard or OpenVPN are the most commonly used. As far as guides that will depend where/how you want to run it.

[–] joshthetechie 8 points 2 years ago (1 children)

I would look into Tailscale. This would probably be the easiest to set up.

[–] SurvivaLlama 2 points 2 years ago
[–] SheeEttin 8 points 2 years ago

You've been given the usual variety of suggestions, but I suggest also gaining an understanding of networking principles, including RFC 1918 addressing and NAT.

[–] [email protected] 7 points 2 years ago (1 children)

Another option that might work for you is zerotier.

And you can use sunshine/moonlight to remotely control it.

[–] ozillator 2 points 2 years ago

This is my favorite method. It doesn't require you to open any ports and minimizes your potential attack surface. You can either install zerotier on each host you want remote access to, or run an instance of zerotier in bridge mode which is essentially acting as a VPN.

[–] techgearwhips 7 points 2 years ago (1 children)

Use cloudflare tunnels. I can access all my localhosts from outside with just one main domain (they are each attached to subdomain of the main domain).

[–] [email protected] 6 points 2 years ago (1 children)

I've found Cloudflare tunnels to be really useful. You can restrict who can have access to your apps outside your network. You can also leave it completely open if you want.

[–] techgearwhips 1 points 2 years ago

Yes I luv cloudflare tunnels. They are a stroke of genius.

[–] ramblechat 3 points 2 years ago

Thanks for all the suggestions - I think Tailscale is the way to go, it didn't take me long to set up and there is a client for all my devices.

[–] CaptThax 3 points 2 years ago* (last edited 2 years ago)

If you are already messing around with Docker, check out NGINX Proxy Manager. It simplifies the NGINX stuff and gives you a nice interface. So if you make that container with 8080 and 8443 exposed, in your router port forward 80 to 8080 and 443 to 8443. Then when you go to ramble.chat or plex.ramble.chat it will point to the proper service.

Point plex.ramble.chat (CNAME) to ramble.chat at your registrar. Point ramble.chat (A record) to your public IP (DynDNS if you don't have a static one).

In NGINX you make a host, plex.ramble.chat, and point that to where it lives in your network, 10.0.10.5 port 32400 for example.

On the SSL tab, request a new cert for plex.ramble.chat with Let's Encrypt.

Check all the boxes. Now when you go to https://plex.ramble.chat it will take you to your Plex instance! I would do the same with Overseerr but not the *arrs. I do req.ramble.chat

Personally I use wireguard. A bit more involved to set up but slimmer IMO. When I put the app on my Android I barely noticed a battery hit with my always on VPN but I can hit my network anywhere from my phone.

Hope this helps!

[–] [email protected] 3 points 2 years ago

ssh -D 8080 your.machine and then add localhost:8080 as a proxy to your browser

[–] [email protected] 2 points 2 years ago (1 children)

I use caddy. Previously used traefik, but it's more complicated than I needed.

Caddy can be set to use a single file with all your hosted subdomains listed.

[–] [email protected] 1 points 2 years ago

Ditto with Caddy. Been using it for a couple of years now and it's made life a lot simpler. Config format isn't always obvious, but for most of the cases I've needed, a standard 3 line snippet gives you a reverse proxy with automatic working HTTPS with valid certificates.
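As an added example (not posted by anyone in the thread), here is what the "single file with all your subdomains" and the "3 line snippet" look like in a Caddyfile, laid out to mirror the NGINX Proxy Manager setup described above: public hostnames for Plex and Overseerr, and the *arrs reachable only from the LAN and the WireGuard range. The domain, the 10.0.10.0/24 and 10.8.0.0/24 ranges, and the backend ports are assumed values; Caddy obtains and renews the Let's Encrypt certificates itself, provided DNS points these names at the host and 80/443 are forwarded to it.

```caddyfile
# Constructed example Caddyfile; hostnames, IP ranges and ports are placeholders.

# The whole "reverse proxy with working HTTPS" for one service is this block:
plex.example.com {
	reverse_proxy 10.0.10.5:32400
}

# Overseerr (the "req" host from the NPM write-up above).
req.example.com {
	reverse_proxy 10.0.10.5:5055
}

# Management UIs (Sonarr/Radarr) get a hostname and a valid cert too, but
# only LAN clients and WireGuard clients (assumed 10.8.0.0/24) may reach them;
# anyone else on the internet gets a 403 before the request touches the backend.
sonarr.example.com {
	@external not remote_ip 10.0.10.0/24 10.8.0.0/24
	respond @external 403
	reverse_proxy 10.0.10.5:8989
}

radarr.example.com {
	@external not remote_ip 10.0.10.0/24 10.8.0.0/24
	respond @external 403
	reverse_proxy 10.0.10.5:7878
}
```

Run `caddy validate --config Caddyfile` before reloading; the `remote_ip` check only sees the real client address if Caddy is the first hop, so it should sit directly behind the router's port forward rather than behind another proxy or a Cloudflare tunnel.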

[–] KeepFlying 2 points 2 years ago

Personally I run a VPN server on the same network and just VPN through that to access my services. It's simple, but that's by design so I can focus on securing only one entry point.

[–] [email protected] 1 points 2 years ago

You could have a look at NginxProxyManager

[–] [email protected] 1 points 2 years ago

@[email protected] Caddy is a good, and can be an easy to use, reverse proxy. But imo, nowadays Tailscale or Cloudflare tunnels are super easy to set up and work very well.

A VPN is a more old-school approach but can still work very well; WireGuard or OpenVPN are two options to look at.

[–] [email protected] 1 points 2 years ago

I set up a Traefik instance and route everything through Authelia 2FA. Not sure it's the perfect way to do it, but I feel it's doing ok. Haven't seen anything really alarming in the logs yet.
