this post was submitted on 24 Oct 2023
41 points (93.6% liked)

Selfhosted

Hi, I moved to another city this year. Because my internet provider didn't give me a dedicated IPv4 address, I can't use a DynDNS service like DuckDNS. Another thing to mention is that I have a DS-Lite tunnel. So I can't set up DynDNS...

So my current setup is a TrueNAS server sitting under my desk. This is connected via cloudflared to the Cloudflare Tunnel. There I have my services like Seafile or Nextcloud configured. They are all pointing to a Traefik instance that routes the traffic to the right container.

So to summarize what I have:

  • TrueNAS server
    • multiple services
  • DS-Lite tunnel
  • own domain
  • Cloudflare Tunnel
  • v-server
    • nginx
    • Docker

To visualize the route the traffic is taking:

Internet - Cloudflare Tunnel - cloudflared Docker - Traefik Docker - service (Nextcloud) Docker

So I want to set up something on my v-server that routes the traffic to my home server (TrueNAS):

Internet - DNS (cloudflare) - v-server - (magic docker service on truenas) - traefik docker - service (nextcloud) docker

Does someone have an idea how to solve this?

all 28 comments
[–] [email protected] 12 points 1 year ago (1 children)

My suggestion would be to set up a VPN service on your publicly available v-server. The most suggested solution is WireGuard.

Then you can connect your TrueNAS to that VPN and make it accessible, maybe via nginx.

The traffic flow would be:

nginx on v-server --(wireguard)--> traefik --> Nextcloud
[–] [email protected] 1 points 1 year ago (2 children)

That's a good point. But that's also the point where my tinkering won't help me... Do you have a write-up or a YT video where nginx points to the WireGuard VPN? Another question: if I set up the WireGuard tunnel, how can I just route the traffic from Traefik?

[–] [email protected] 4 points 1 year ago (1 children)

I found this write-up and it looks correct, but I have not tested it.

The author posted a nice graphic that shows the idea:

[–] [email protected] 0 points 1 year ago (1 children)

I'm not sure I understand why they need two Caddy servers. The first one should be a simple port forward; there's no need for a proxy forward. Unless they want to do something with the connections at the application level, but it sounds like they simply forward them as-is.

[–] [email protected] 2 points 1 year ago

You need two Caddy servers if there are other websites on the v-server that will use ports 80/443. If not, port forwarding (e.g. with iptables) will work.

[–] [email protected] 1 points 1 year ago

Basically, once you have WG set up, you will have an additional interface with its own IP in "ifconfig". At that point all the ports are available and you can just point your reverse proxy to them (sorry, I'm an NGINX user, I have no idea how Traefik works).

Additionally, don't forget to add keepalive in your WG config so that the service doesn't shut off once traffic stops going between both servers.
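Putting the WireGuard branch of this thread together (nginx on the v-server, the keepalive, and the iptables port-forward alternative from the Caddy sub-thread), here is an added example script; it is not code from any commenter or from the linked write-up. Assumptions: tunnel subnet 10.8.0.0/24 with the VPS at 10.8.0.1 and TrueNAS at 10.8.0.2, WireGuard on UDP 51820, Traefik's plain-HTTP entrypoint on port 80, certbot-style certificate paths, and placeholder values for the VPS address and domain.

```shell
#!/bin/sh
# WireGuard relay: nginx on the VPS -> wg0 -> Traefik on TrueNAS.
# Added example; subnet, ports, paths and the domain are assumptions.
set -eu

VPS_WG_IP=10.8.0.1      # VPS end of the tunnel
NAS_WG_IP=10.8.0.2      # TrueNAS end of the tunnel
WG_PORT=51820
TRAEFIK_PORT=80         # Traefik's plain-HTTP entrypoint, reached only over wg0

# Keys: on each host run  wg genkey | tee private.key | wg pubkey > public.key
# Only the public keys are exchanged; private keys never leave their host.

# VPS side: listens on the public address. AllowedIPs pins the peer to its
# single tunnel address, so nothing else can be routed back through it.
wg_vps_conf() { # $1 = VPS private key, $2 = TrueNAS public key
cat <<EOF
[Interface]
Address = $VPS_WG_IP/24
ListenPort = $WG_PORT
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = $NAS_WG_IP/32
EOF
}

# TrueNAS side: no ListenPort, because behind DS-Lite it can never receive an
# unsolicited packet anyway. It dials out to the VPS, and PersistentKeepalive
# sends a packet every 25 s so the carrier NAT mapping stays open; without it
# the tunnel goes quiet once traffic stops and the VPS can no longer reach in.
wg_nas_conf() { # $1 = TrueNAS private key, $2 = VPS public key, $3 = VPS public IP
cat <<EOF
[Interface]
Address = $NAS_WG_IP/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
AllowedIPs = $VPS_WG_IP/32
PersistentKeepalive = 25
EOF
}

# nginx on the VPS: terminates TLS (certificate via certbot) and proxies over
# the tunnel. Traefik should trust X-Forwarded-* only from 10.8.0.1
# (forwardedHeaders.trustedIPs), otherwise clients can forge their source IP.
nginx_site_conf() { # $1 = public hostname
cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;

    location / {
        proxy_pass http://$NAS_WG_IP:$TRAEFIK_PORT;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Alternative when nothing else on the VPS needs 80/443: a plain port forward.
# MASQUERADE is mandatory here: the NAS side only accepts 10.8.0.1/32 as a
# source, so replies addressed to real client IPs would be dropped by
# WireGuard's cryptokey routing. The price is that Traefik then sees every
# client as 10.8.0.1 and TLS has to be handled on the TrueNAS side.
iptables_forward_rules() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $NAS_WG_IP
iptables -A FORWARD -o wg0 -d $NAS_WG_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
EOF
}

# Render everything into a directory; copy each file to the host it belongs to.
# Usage: VPS_IP=203.0.113.10 DOMAIN=cloud.example.com sh relay.sh out/
# Expects vps.key, vps.pub, nas.key, nas.pub in the current directory.
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    wg_vps_conf "$(cat vps.key)" "$(cat nas.pub)"              > "$1/wg0.vps.conf"
    wg_nas_conf "$(cat nas.key)" "$(cat vps.pub)" "${VPS_IP:?}" > "$1/wg0.nas.conf"
    nginx_site_conf "${DOMAIN:?}"                              > "$1/$DOMAIN.nginx.conf"
    iptables_forward_rules                                     > "$1/forward.sh"
    chmod 600 "$1"/wg0.*.conf   # they contain private keys
fi
```

On the TrueNAS side it is worth binding Traefik's entrypoint to 10.8.0.2 (or firewalling it to that source) so the only way in is over the tunnel; the VPS side needs UDP 51820 open and nothing else beyond 80/443 and SSH.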

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

Install Tailscale (1) on the VPS and (2) in a Docker container on TrueNAS. The Tailscale container #2 will replace the cloudflared container. Set the Tailscale #2 node as a subnet router exposing the Traefik container's netmask (you probably already know how to get networking going between two Docker containers).

What you'll end up with:

Internet -> DNS (your domain) -> VPS public IP (Tailscale node #1 ===> Tailscale node #2 in Docker on TrueNAS) -> Traefik -> web apps on your TrueNAS

Tailscale is not bandwidth-limited like Cloudflare because the nodes only use Tailscale's servers for the initial rendezvous (to get out of NAT); then you will use the direct bandwidth between the VPS and your home connection.

You will also be able to use other DNS services if you want, because you won't be forced to use Cloudflare's anymore.
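The subnet-router layout from the comment above, as an added example that is not the commenter's code: a script with one role per host plus the tailnet access policy. The policy is what stops a compromised VPS from becoming a door into the whole NAS, since by default every tailnet node can reach every advertised route. Assumptions: Traefik's container network is 172.20.0.0/24 with Traefik at 172.20.0.10, nodes are tagged tag:nas and tag:vps, and TS_AUTHKEY holds a tagged, pre-authorised auth key.

```shell
#!/bin/sh
# Tailscale relay: VPS node -> tailnet -> subnet-router container on TrueNAS
# -> Traefik. Added example; subnet, tags and Traefik address are assumptions.
set -eu

TRAEFIK_NET=172.20.0.0/24   # network Traefik's container is on (docker network inspect <name>)
TRAEFIK_IP=172.20.0.10      # Traefik's address inside that network

# Tailnet access policy (paste into the admin console's Access Controls).
# Least privilege: the VPS may reach only ports 80/443 on the advertised
# subnet, nothing else on the NAS network, and nothing in the reverse
# direction. autoApprovers lets the tagged NAS node advertise the route
# without a manual approval click in the console.
tailscale_acl() {
cat <<EOF
{
  "tagOwners": {
    "tag:vps": ["autogroup:admin"],
    "tag:nas": ["autogroup:admin"]
  },
  "autoApprovers": {
    "routes": { "$TRAEFIK_NET": ["tag:nas"] }
  },
  "acls": [
    { "action": "accept", "src": ["tag:vps"], "dst": ["$TRAEFIK_NET:80,443"] }
  ]
}
EOF
}

# TrueNAS side, run inside the Tailscale container (needs CAP_NET_ADMIN and
# /dev/net/tun). The official image takes the same settings as environment
# variables: TS_AUTHKEY, TS_ROUTES=172.20.0.0/24, TS_EXTRA_ARGS=--advertise-tags=tag:nas.
role_nas() {
    sysctl -w net.ipv4.ip_forward=1
    tailscale up --auth-key="${TS_AUTHKEY:?set TS_AUTHKEY}" \
        --advertise-tags=tag:nas --advertise-routes="$TRAEFIK_NET"
}

# VPS side: accept the advertised route, then prove Traefik answers over the
# tailnet before pointing nginx's proxy_pass at http://172.20.0.10:80.
# Traefik will see the subnet router's address as the client (Tailscale SNATs
# subnet traffic by default); the real client IP arrives in X-Forwarded-For.
role_vps() {
    tailscale up --auth-key="${TS_AUTHKEY:?set TS_AUTHKEY}" \
        --advertise-tags=tag:vps --accept-routes
    curl -sS -o /dev/null -w 'traefik over tailnet: HTTP %{http_code}\n' "http://$TRAEFIK_IP/"
}

case "${1:-}" in
    acl) tailscale_acl ;;
    nas) role_nas ;;
    vps) role_vps ;;
    "")  ;;   # no role given (e.g. when sourced): define functions only
    *)   echo "usage: $0 acl|nas|vps" >&2; exit 2 ;;
esac
```

If the two nodes cannot reach each other directly (check with `tailscale status`), traffic falls back to Tailscale's DERP relays, and the "no bandwidth limit" argument from the comment no longer holds; with the VPS holding a public IP a direct path is the normal outcome.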

[–] [email protected] 1 points 1 year ago (1 children)

This actually sounds insanely cool. Without having looked at their documentation, can you make a rough statement about the required hardware power for the VPS, especially if traffic may include bandwidth-heavy stuff like movie streaming or large data up/downloads?

[–] [email protected] 2 points 1 year ago

In that case you should probably give up using your own domain and take the one from Tailscale, because they would intermediate direct connections whenever possible.

The main limitation on the VPS would be bandwidth as well as total transfer, not so much processing power, because it would just be moving stuff through. They all come with limits.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSH Secure Shell for remote terminal access
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

10 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #238 for this sub, first seen 24th Oct 2023, 16:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 4 points 1 year ago

rathole aims to be somewhat of a replacement for CF Tunnels. It was featured on Noted some time ago: https://noted.lol/cgnat-and-rathole/

[–] [email protected] 2 points 1 year ago (1 children)

This question is not related to the question you asked, but where did you learn to configure Traefik? When I tried it out I didn't understand how to route traffic through it.

[–] [email protected] 1 points 1 year ago (1 children)

So I use Traefik on my TrueNAS server from the TrueCharts catalogue. If you need help there I can send you the corresponding links from the TrueCharts website later; I am not at the computer right now.

[–] [email protected] 1 points 1 year ago (1 children)

I will really appreciate if you send me the links! The image is broken and not loading :(

[–] [email protected] 1 points 1 year ago

So here is the setup for TrueCharts with Traefik and the things needed for a proper TrueCharts setup: https://truecharts.org/manual/SCALE/guides/getting-started

Do you also use Cloudflare Tunnel?

[–] [email protected] 2 points 1 year ago

Besides the great suggestions others have given, the OpenZiti project (openziti.io) looks interesting, though I haven’t found the need or time to try it out.

[–] possiblylinux127 2 points 1 year ago

A Linode VPS is what I use.

[–] [email protected] 2 points 1 year ago

Haven't tried it myself, but I've heard others talk about Tailscale.

[–] [email protected] 1 points 1 year ago

You could proxy your web service through a reverse SSH tunnel to a VPS (that's basically what Cloudflare Tunnels do).
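The reverse SSH tunnel suggested above, as an added example that is not the commenter's code. The part that matters for security is the server side: the NAS holds a key that can log into the VPS, so that key must be allowed to do exactly one thing, open one loopback listener. Assumptions: VPS hostname vps.example.com, a dedicated `tunnel` account there, Traefik's HTTP entrypoint at 127.0.0.1:80 on the NAS, the tunnel bound to 127.0.0.1:8080 on the VPS, and a key at /root/.ssh/tunnel_ed25519.

```shell
#!/bin/sh
# Reverse SSH tunnel: Traefik on the NAS -> ssh -R -> loopback port on the
# VPS -> nginx. Added example; hostname, user, ports and key path are assumptions.
set -eu

VPS_HOST=vps.example.com
TUNNEL_USER=tunnel           # dedicated unprivileged account on the VPS
LOCAL_TRAEFIK=127.0.0.1:80   # Traefik's HTTP entrypoint as seen from the NAS
REMOTE_BIND=127.0.0.1:8080   # loopback-only on the VPS: reachable by nginx, not the internet
KEY=/root/.ssh/tunnel_ed25519

# VPS: the authorized_keys line for the tunnel account. 'restrict' switches
# off pty, agent/X11 forwarding and commands; 'port-forwarding' re-enables
# forwarding and 'permitlisten' limits it to this single remote bind, so a key
# stolen from the NAS cannot open any other listener on the VPS.
authorized_key_line() { # $1 = NAS public key ("ssh-ed25519 AAAA... comment")
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$REMOTE_BIND" "$1"
}

# VPS sshd_config: the same limits enforced at the daemon level, in case the
# authorized_keys options are ever edited away.
sshd_match_block() {
cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding remote
    PermitListen $REMOTE_BIND
    PermitOpen none
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# NAS: the client command. -N: no shell; -R: remote forward; ExitOnForwardFailure
# makes a bind clash fatal instead of leaving a useless session; the
# ServerAlive* pair notices a tunnel killed by the carrier NAT within ~90 s
# so the supervisor below restarts it (autossh does the same job).
tunnel_cmd() {
    printf '%s\n' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i $KEY -R $REMOTE_BIND:$LOCAL_TRAEFIK $TUNNEL_USER@$VPS_HOST"
}

# NAS: systemd unit that keeps the tunnel up. nginx on the VPS then uses
# proxy_pass http://127.0.0.1:8080 exactly as it would for a WireGuard peer.
tunnel_unit() {
cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $VPS_HOST
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=$(tunnel_cmd)
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    key)  authorized_key_line "${2:?NAS public key}" ;;
    sshd) sshd_match_block ;;
    unit) tunnel_unit ;;
    run)  exec $(tunnel_cmd) ;;
    "")   ;;   # no subcommand: define functions only
    *)    echo "usage: $0 key <pubkey>|sshd|unit|run" >&2; exit 2 ;;
esac
```

Because the remote bind is on 127.0.0.1, GatewayPorts stays off and the tunnel is invisible from the internet; only the VPS's own nginx can reach it, which is the same trust boundary the WireGuard and Tailscale variants give you.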

[–] [email protected] 1 points 1 year ago

I'm in the same boat and looking at options. I've benchmarked several options that provide their own relays, and am in the process of setting up my own relays to test out on an Oracle free tier VPS, which will probably be the best option as all the bandwidth that VPS can handle will be dedicated to you and not shared. That said, I've found Tailscale to perform the best and Twingate to perform the worst. I'm looking at Netbird and Netmaker but they're extremely buggy and difficult to get going. Netbird is just busted in so many ways. Netmaker's relays can't get past my CGNAT. Self-hosting both of these should work but I've not tried it yet. The absolute easiest to set up has been Tailscale though; can't go wrong with that. For most use cases except for handling massive amounts of data, Tailscale should be more than sufficient. That said, I'm looking to try self-hosting Netbird, Netmaker and Headscale to see how those perform compared to Tailscale's own relays.

[–] [email protected] 1 points 1 year ago

The easiest way I found to pass through a CGNAT is using a VPN.

I suggest using Tailscale, because it does some tricks to bypass CGNAT and you can access your TrueNAS server.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Have you tried ZeroTier? Another option is to get a VPS with unlimited bandwidth and set up an OpenVPN server on it. Then you need a router that can connect as a client to the VPN. This way you will have a public IP and you don't need to mess with tunnel services. A VPS with a public IP is about 10 bucks a month.