I need help figuring out where I am going wrong or being an idiot, if people could point out where…

I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc…) controlled by portainer.

A consumer router assigns static Ip addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.

I figure the server needs the dyndns address to point at it but I the scripts pick up the internal IP.

How are people solving this?

  • @betweenchaosandshape
    link
    English
    27 months ago

    I like the idea of using the VPS and forwarding requests via WireGuard. I’m about to switch my setup from using NPM to Traefik. The next step after that may be to put the VPS in front of it all.

    • ѕєχυαℓ ρσℓутσρє
      link
      fedilink
      English
      27 months ago

      My setup looks like the following:

      /etc/wireguard/wg-vps.conf on the VPS
      -----------------------------------------------------
      [Interface]
      Address = 10.8.0.2/24
      ListenPort = 51820
      PrivateKey = ********************************************
      
      # packet forwarding
      PreUp = sysctl -w net.ipv4.ip_forward=1
      
      # port forwarding 80 and 443
      PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
      PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
      PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
      PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
      
      # packet masquerading
      PreUp = iptables -t nat -A POSTROUTING -o wg-vps -j MASQUERADE
      PostDown = iptables -t nat -D POSTROUTING -o wg-vps -j MASQUERADE
      
      [Peer]
      PublicKey = ********************************************
      AllowedIPs = 10.8.0.1
      
      /etc/wireguard/wg-vps.conf on my home-server
      ---------------------------------------------------------------
      [Interface]
      Address = 10.8.0.1/24
      PrivateKey = ********************************************
      
      [Peer]
      PublicKey = ********************************************
      AllowedIPs = 10.8.0.2
      Endpoint = <VPS-DDNS>:51820
      PersistentKeepAlive = 25
      

      Now, just enable the tunnel using sudo systemctl enable --now wg-quick@wg-vps. Make sure that the port 51820, 80, and 443 are open on the VPS. Now, allow 80, 443 through the firewall on the home-server (not on the router, just allow it locally), and it should work.