this post was submitted on 18 Jan 2024
37 points (93.0% liked)

Selfhosted
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 

TLDR: VPN-newbie wants to learn how to set up and use VPN.

What I have:

Currently, many of my selfhosted services are publicly available via my domain name. I am aware that it is safer to keep things closed, and use VPN to access -- but I don't know how that works.

  • domain name mapped via Cloudflare > static WAN IP > ISP modem > Ubiquiti USG3 gateway > Linux server and Raspberry Pi.
  • 80, 443 forwarded to Nginx Proxy Manager; everything else closed.
  • Linux server running Docker and several containers: NPM, Portainer, Paperless, Gitea, Mattermost, Immich, etc.
  • Raspberry Pi running Pi-hole as DNS server for LAN clients.
  • Synology NAS as network storage.

What I want:

  • access services from WAN via Android phone.
  • access services from WAN via laptop.
  • maybe still keep some things public?
  • noob-friendly solution: needs to be easy to "grok" and easy to maintain when services change.
all 35 comments
[–] [email protected] 9 points 10 months ago* (last edited 10 months ago) (1 children)

Tailscale can meet each of your bullet points.

Don't bother with VPN just use Tailscale, and install the client on your other devices (they have clients for every OS).

This creates an encrypted virtual network between your devices. It can even enable access to hardware, like printers (or anything with an IP address) by enabling Subnet Routing.

To provide access to specific resources for other people, you can use the Funnel feature, which provides an entrance into your Tailscale Network for the specified resources, fully encrypted, from anywhere. No Tailscale client required.

And if you have friends who use Tailscale, using the Serve option, you can invite them to connect to your Tailscale network (again, for specified resources) from their Tailscale network.

[–] [email protected] 1 points 10 months ago

I second this. WireGuard, OpenVPN, various Docker containers offering these; I've been through them.

The regular OpenVPN or WireGuard tools are good if you only need a dumb VPN, but if you want some kind of special routing or overlay network, Tailscale has just been so easy.

I selfhost it completely too, using a headscale control server.

[–] [email protected] 9 points 10 months ago (2 children)

I chose WireGuard implemented by PiVPN (I like Pis).

Wireguard app on phone and a quick duckduck will find you a script or app for your laptop. Connected to your home in seconds.

[–] [email protected] 5 points 10 months ago (2 children)

PiVPN is elegant. Easy install, and I am impressed with the ASCII QR code it generates.

But I could not make it work. I am guessing that my Android setup is faulty, orrrr maybe something with the Pi? This is incredibly difficult to troubleshoot.

[–] [email protected] 3 points 10 months ago

What didn’t work?

[–] [email protected] 1 points 10 months ago (1 children)

As a side note, I had to port forward in my router to make this work.

[–] [email protected] 1 points 10 months ago

Obviously :) and make sure to forward to the correct LAN IP address, and make sure that machine has a static IP (or DHCP reservation).

[–] [email protected] 4 points 10 months ago

Here is a script to easily install WireGuard and generate client config files for any server: https://github.com/Nyr/wireguard-install

[–] [email protected] 5 points 10 months ago* (last edited 10 months ago) (2 children)

I use WireGuard to access my home services and for net-forwarding when I'm outside.
To set it up, I followed this simple guide.

[–] [email protected] 1 points 10 months ago

I've heard very good things about wireguard-easy to simplify the config and management, too

[–] sidgames5 1 points 10 months ago

Wireguard was really easy to setup on my ubuntu server. It took less than 15 minutes to get it up and running.

[–] [email protected] 3 points 10 months ago (1 children)

Personally I would have gone for OpenVPN access server on Debian. Fairly simple and well documented for those starting out.

I have used and worked with OpenVPN connect on android, PC and Mac.

[–] [email protected] 1 points 10 months ago (1 children)

PiVPN offers both services, Wireguard and OpenVPN.

What app do you use on Android? And on Windows?

[–] [email protected] 1 points 10 months ago

OpenVPN connect on both. I load the .ovpn-file that is exported from the server and that's it.

[–] [email protected] 3 points 10 months ago (1 children)

Not an expert, but basically you should port forward WireGuard port 51820 to your server, install the WireGuard server, create client(s) and load the QR code (or config) on Android/laptop and you are set. Pi-hole DNS and everything else should work just like when you are on home wifi.

You can leave your CF for public access, but do you really need PF 80 and 443 if you are using CF tunnels? (I thought you don't, but I never used CF. Feels like it's more safe to have CF tunnels if you don't need to PF, but you have a middleman you have to trust.)
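The steps in this comment (forward 51820, install the server, create clients, load the config or QR code on the phone) and the earlier note about forwarding to a fixed LAN address, as an added example that is not from the thread or from PiVPN, wireguard-install or any other project named here: a script that generates a WireGuard server config plus a phone config (full tunnel, DNS pointed at the Pi-hole) and a laptop config (split tunnel covering only the LAN). The hostname vpn.example.com, the 10.8.0.0/24 tunnel range, the LAN 192.168.1.0/24 and the Pi-hole at 192.168.1.53 are assumptions. It carries its own RFC 7748 X25519 only so it runs with no extra packages; on a real server generate keys with `wg genkey` and `wg pubkey` from wireguard-tools.

```python
"""Generate WireGuard server/peer configs for the setup described in the thread.

Added example, not from the post. X25519 is implemented here per RFC 7748 only so
the script runs with no third-party packages; for a real deployment use `wg genkey`
and `wg pubkey` from wireguard-tools instead of this (non-constant-time) Python.
"""
import base64
import os

P = 2**255 - 19                      # field prime of Curve25519
A24 = 121665                         # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian 32 bytes


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte private key as RFC 7748 requires, then decode little-endian."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127  # the top bit of a u-coordinate is ignored
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the RFC 7748 Montgomery ladder."""
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:  # conditional swap (a real implementation does this branch-free)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_keypair(private: bytes = b"") -> tuple:
    """Return (private_b64, public_b64), what `wg genkey | tee priv | wg pubkey` produces."""
    private = private or os.urandom(32)
    public = x25519(private, BASEPOINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def public_key_of(private_b64: str) -> str:
    """Recover the public key from a stored private key (what `wg pubkey` does)."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def render_server_config(server_priv: str, peers, listen_port: int = 51820,
                         server_addr: str = "10.8.0.1/24") -> str:
    """Server side: one [Peer] per client, each pinned to a single /32 tunnel address."""
    lines = ["[Interface]", f"Address = {server_addr}", f"ListenPort = {listen_port}",
             f"PrivateKey = {server_priv}", ""]
    for name, pub, ip in peers:
        lines += [f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32", ""]
    return "\n".join(lines)


def render_client_config(client_priv: str, client_ip: str, server_pub: str, endpoint: str,
                         dns: str, allowed_ips: str = "0.0.0.0/0") -> str:
    """Client side (this is the text PiVPN turns into the QR code for the Android app)."""
    return "\n".join([
        "[Interface]", f"Address = {client_ip}/32", f"PrivateKey = {client_priv}",
        f"DNS = {dns}",  # Pi-hole on the LAN, reached through the tunnel
        "", "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
        f"AllowedIPs = {allowed_ips}",  # 0.0.0.0/0 routes everything; a LAN CIDR = split tunnel
        "PersistentKeepalive = 25", "",
    ])


if __name__ == "__main__":
    # Constructed sample values: hostname, LAN subnet and Pi-hole address are placeholders.
    server_priv, server_pub = wg_keypair()
    phone_priv, phone_pub = wg_keypair()
    laptop_priv, laptop_pub = wg_keypair()
    print(render_server_config(server_priv, [("phone", phone_pub, "10.8.0.2"),
                                             ("laptop", laptop_pub, "10.8.0.3")]))
    print(render_client_config(phone_priv, "10.8.0.2", server_pub,
                               "vpn.example.com:51820", "192.168.1.53"))
    print(render_client_config(laptop_priv, "10.8.0.3", server_pub, "vpn.example.com:51820",
                               "192.168.1.53", allowed_ips="192.168.1.0/24, 10.8.0.0/24"))
```

The server file goes to /etc/wireguard/wg0.conf and the client text is what the phone app scans; the router only needs UDP 51820 forwarded to the server's reserved LAN address, and the per-peer /32 in AllowedIPs is what stops one client from spoofing another's tunnel address.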

[–] [email protected] 2 points 10 months ago

Thank you for providing specific steps that I can take! I will look into this.

No, I do not use Cloudflare tunnels, just regular Cloudflare to publish my services to the whole world - which is a concern of course.

Going with a connection from my device via wireguard sounds like just the right thing to do.

[–] [email protected] 2 points 10 months ago

You would want to set up a VPN server on your Linux server and VPN clients on Android and laptop. I'm not knowledgeable enough to help, but you can look into WireGuard.

[–] [email protected] 2 points 10 months ago (1 children)

I wanted to do something similar for a long time but somehow all my attempts failed. I tried the built-in one in a Fritzbox but my laptop never could connect. Later I tried the WireGuard add-on in Home Assistant but same there.

[–] [email protected] 2 points 10 months ago (2 children)

But does port forwarding work for you, can you access your servers from outside your network?

If not, it's probably carrier-grade NAT. There are several ways to fix this:

  1. Call your ISP and ask them to give you your own dynamic IPv4 address.
  2. Use a service like Tailscale (also available in Home Assistant).
[–] [email protected] 2 points 10 months ago (1 children)

Yes port forwarding with everything else works well, I have no problem with port forwarding, running a lot of services from home.

[–] [email protected] 1 points 10 months ago

Then I don't know, I've set up several Wireguard VPNs on several Fritzboxes and everything works fine.

[–] [email protected] 2 points 10 months ago (1 children)

Dynamic IP is one that changes. I think you meant static IP.

[–] [email protected] 2 points 10 months ago (1 children)

No, I specifically meant dynamic, because most ISPs only give static IPv4 for business plans, and a dynamic IP is fine if you use a dynamic DNS service (the Fritzbox has one).

[–] [email protected] 1 points 10 months ago (1 children)

If you don't have a static IP then you will automatically have a dynamic one. You don't need to ask for a dynamic IP as that is the default. And I'm no idiot, I've used dynamic DNS services for over 20 years.

[–] [email protected] 1 points 10 months ago

There is also Carrier Grade NAT, which basically means that you share an IP with other customers, so if you try to access your network from the outside, you will only end up at your ISP's router, where the network is divided up for a group of customers.

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
CF              CloudFlare
DNS             Domain Name Service/System
IP              Internet Protocol
NAT             Network Address Translation
VPN             Virtual Private Network

5 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #437 for this sub, first seen 18th Jan 2024, 10:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 10 months ago

Check out Twingate. It’s super easy and with granular controls.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

Recently commented on a different post about setting up a VPN. Check out Firezone.

I don't recommend using Tailscale or anything that relies on a third party.

[–] [email protected] 1 points 10 months ago (1 children)

You can self-host Headscale to cut the third party out of the Tailscale equation.

[–] [email protected] 1 points 10 months ago (1 children)

If you're going to do that you may as well cut out the extra server/service and run regular wireguard.

[–] [email protected] 1 points 10 months ago (1 children)

Not quite, it's still much more useful because you can connect multiple devices, have users, and relay when some devices can't see each other, among other features.

[–] [email protected] 1 points 10 months ago

You can do all of those things with wireguard as well... I'm not seeing any benefit to running Tailscale/headscale.