I need help figuring out where I am going wrong or being an idiot, if people could point out where…

I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc…) controlled by portainer.

A consumer router assigns static Ip addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.

I figure the server needs the dyndns address to point at it but I the scripts pick up the internal IP.

How are people solving this?

  • ѕєχυαℓ ρσℓутσρє
    link
    fedilink
    English
    8
    edit-2
    7 months ago

    I have a wireguard tunnel set up between my home server and the VPS, with persistent keepalive. The public domain name points to the VPS, then I have it set up (simply using iptables) so that any traffic there in port 80 and 443 is sent back to my honeserver and there it’s handled by caddy, and sent to the actual service.

    The only ports I need to open are 80 and 443 on my VPS to make this setup work. So, no open ports on my local machine. This does however require you to pay for VPS. Since you aren’t doing much on it though, you can get away with a cheap one. I have a $12/year VPS from Rack nerd that I use for this job.

    For completely free options, you can do one of three things. (That I can think of. There are probably more ways.)

    1. Either open up some ports on your machine. You’ll need to make sure that you aren’t behind a CGNat for this. I simply don’t like opening ports to the internet, though.
    2. You can use a VPN. Tailscale works great for this. I use it personally for sshing remotely into my machines.
    3. You can use cloudflare-tunnels. Potentially bad privacy-wise since they can technically access the data. So don’t use it for sensitive stuff. Also, their policy doesn’t allow traffic that’s not mostly HTML. So something like a Jellyfin server would violate this. But you do get to use their firewall which is great for protection against DDOS attacks.

    P.S. If you need help setting any of these up, lmk.

    • @betweenchaosandshape
      link
      English
      27 months ago

      Your setup sounds great! I hadn’t come across something like that and I’d love to try it out, myself. Do you have a guide or any other resources with more info? I’m currently using a reverse proxy, but I’m not excited about the open ports, even with firewall rules keeping them contained.

      • ѕєχυαℓ ρσℓутσρє
        link
        fedilink
        English
        2
        edit-2
        7 months ago

        I’m afraid that I don’t have any guides. But, you’re halfway there anyway. Which one of these methods do you prefer? I can maybe give you some pointers.

        • @betweenchaosandshape
          link
          English
          27 months ago

          I like the idea of using the VPS and forwarding requests via WireGuard. I’m about to switch my setup from using NPM to Traefik. The next step after that may be to put the VPS in front of it all.

          • ѕєχυαℓ ρσℓутσρє
            link
            fedilink
            English
            27 months ago

            My setup looks like the following:

            /etc/wireguard/wg-vps.conf on the VPS
            -----------------------------------------------------
            [Interface]
            Address = 10.8.0.2/24
            ListenPort = 51820
            PrivateKey = ********************************************
            
            # packet forwarding
            PreUp = sysctl -w net.ipv4.ip_forward=1
            
            # port forwarding 80 and 443
            PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
            PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
            PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
            PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
            
            # packet masquerading
            PreUp = iptables -t nat -A POSTROUTING -o wg-vps -j MASQUERADE
            PostDown = iptables -t nat -D POSTROUTING -o wg-vps -j MASQUERADE
            
            [Peer]
            PublicKey = ********************************************
            AllowedIPs = 10.8.0.1
            
            /etc/wireguard/wg-vps.conf on my home-server
            ---------------------------------------------------------------
            [Interface]
            Address = 10.8.0.1/24
            PrivateKey = ********************************************
            
            [Peer]
            PublicKey = ********************************************
            AllowedIPs = 10.8.0.2
            Endpoint = <VPS-DDNS>:51820
            PersistentKeepAlive = 25
            

            Now, just enable the tunnel using sudo systemctl enable --now wg-quick@wg-vps. Make sure that the port 51820, 80, and 443 are open on the VPS. Now, allow 80, 443 through the firewall on the home-server (not on the router, just allow it locally), and it should work.