How are you making services remotely accessible?

I need help figuring out where I am going wrong or being an idiot, if people could point out where...

I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc...) controlled by portainer.

A consumer router assigns static IP addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to set up a reverse proxy. I have tried to follow various guides to give my server a cert for the reverse proxy, but it always fails.

I figure the server needs the DynDNS address to point at it, but the scripts pick up the internal IP.

How are people solving this?

impure9435,

I used to use Wireguard with Authelia, then I switched to Tailscale (with a self-hosted Headscale server), and now I'm trying out Netbird (which is open source btw)

Presi300,

Wireguard, simply connect to it whenever I’m out somewhere and boom, instant access to everything on my local network

fruitycoder,

Wireguard for network access, istio gateway for exposing services, and keycloak for SSO. I want to experiment with Teleport for more fine grained access to my services.

If I had more exposed services I would mess with CrowdSec for another firewall rule set and maybe even expose it through a Tor service proxy.

v3ritas,

Another response for “VPN”. I don’t have any of my self-hosted services exposed publicly & use WireGuard with the on-demand settings so that whenever I’m not at my house, I am automatically connected.

Some users did mention that things like TV’s, etc outside your network wouldn’t be able to connect, but that hasn’t been an issue for me, since I don’t use my services like that.

PieMePlenty,

I use nginx as a reverse proxy and assign each service either a subdomain or a specific URL. SSL is configured once so all services get HTTPS. It's not the best though: some services don't like being behind a reverse proxy or don't play nice with the URL, subdomain management can get cumbersome, and if the service doesn't have a login page it is open to bad actors. I was thinking of making a website with login and exposing other web services through an iframe, but I don't know how viable that may be.

A VPN would probably be the best way to go from a security standpoint, but accessing services may be a pain on remote devices where a VPN isn't supported. Like, how would a TV on a remote network access your Jellyfin server if the service is only accessible through a VPN tunnel and the TV has no way of connecting to it? Not sure.

Reddfugee42,

OpenVPN to internal network

umbrella,

wireguard and dynamicdns

kevincox,

I do it the simple way. I just stick nginx in front of everything. If I don’t want it to be publicly accessible I stick nginx basic auth in front of it.

The advantage is that I can easily access the services from anywhere on any device with just the password. I only need to trust nginx's basic auth to keep me protected, not the various services' own authentication.

The downside is that some services don’t work great when you have basic auth in the front. This is often due to things like public links or APIs that need to be accessed with other auth.

I just use nginx because I’ve always used it. I’ve heard that there are newer reverse proxies that are a bit easier to configure.

Mir,

How safe/secure is that approach

kevincox,

It depends on how much you trust nginx. An HTTP server is probably a bit more complex than your average VPN solution, so probably more likely to have vulnerabilities, but it is also the most popular web server on the planet, so if there is a zero day I'm probably not the first target. If you stay up to date you are probably fine.

Opisek,

I do that, but only allow access to private services from local IP addresses, rather than putting auth in front of them. Then I use IPsec to access my local-only things.
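Both approaches in one place: kevincox's basic-auth gate on a public service and Opisek's local-only rule on a private one. This is an added nginx example, not either poster's own config; the hostnames, certificate paths, container ports and the LAN/WireGuard subnets are placeholders.

```nginx
# Added example: nginx as the single front door for two services.
# jellyfin.example.org is reachable from the internet but behind HTTP basic auth;
# ha.example.org (Home Assistant) answers only to the LAN and the VPN subnet.
# Certificates are assumed to be issued separately (e.g. by certbot).

server {
    listen 443 ssl;
    server_name jellyfin.example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;     # placeholder

    # Password gate in front of the whole app, created with:
    #   htpasswd -c /etc/nginx/htpasswd.jellyfin <user>
    # Caveat from the thread: native clients that send their own auth header
    # cannot answer this prompt, so API paths may need a location with "auth_basic off".
    auth_basic           "Private";
    auth_basic_user_file /etc/nginx/htpasswd.jellyfin;

    location / {
        proxy_pass http://127.0.0.1:8096;   # assumed Jellyfin port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name ha.example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;     # placeholder

    # Local-only rule: LAN and the WireGuard tunnel range may connect, nothing else.
    # Note this trusts the source address, so it only holds if nginx sees real
    # client IPs (no upstream proxy rewriting them).
    allow 192.168.1.0/24;   # assumed LAN
    allow 10.8.0.0/24;      # assumed WireGuard subnet
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8123;   # assumed Home Assistant port
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;   # Home Assistant uses websockets
        proxy_set_header Connection "upgrade";
    }
}
```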

d_k_bo,

If you are going for a reverse proxy, I highly recommend using Caddy. Issuing TLS certificates is all done automatically and reverse proxy headers are all automatically set.

In many cases, this simple config is enough:

    example.org {
        reverse_proxy localhost:1234
    }

dataprolet,

VPS with public IPv4, Wireguard/Tailscale/Headscale and my own Domain.

impure9435,

What has your experience with Headscale been like? Also, have you tried NetBird?

dataprolet,

Headscale is pretty straight forward to set up and easy to use. And there are multiple WebGUIs available to choose from, if you need. If you have any questions, let me know.

redcalcium,

By “remotely accessible”, do you mean remotely accessible to everyone or just you? If it’s just you, then you don’t need to set up a reverse proxy. You can use your router as a VPN gateway (assuming you have a static IP address) or you can use Tailscale or ZeroTier.

If you want to make your services remotely accessible to everyone without using a VPN, then you’ll need to expose them to the world somehow. How to do that depends on whether you have a static IP address or are behind a CGNAT. If you have a static IP, you can route port 80 and 443 to your load balancer (e.g. Nginx Proxy Manager), which works best if you have your own domain name so you can map each service to its own subdomain in the load balancer. If you’re behind a CGNAT, you’re going to need an external server/VPS to route traffic to its port 80 and 443 into your home network, essentially granting you a static IP address.

lud,

You don’t need a static IP to host a VPN. You can do it using a dynamic DNS which updates the DNS records to match your IP when/if it changes. You do need a public IP though, so CGNAT goes straight out.

jeena, (edited)

I am using duckdns.org and let my router ping it when its public IP changes. Then I use nginx as a reverse proxy with the help of nginxproxymanager.com so I don’t need to write config files, and it also runs certbot for me so I don’t need to deal with HTTPS manually.

Actually I also have my own domain so I use a subdomain pointing via CNAME to the duckdns subdomain. This way I can easily change the provider of dyndns.
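The DynDNS update step described above, as an added example for the case where the router cannot do it and a cron job on the server has to. This is not jeena's script; it assumes a DuckDNS subdomain and token (placeholders), and uses https://api.ipify.org as the public-IP lookup (an assumed choice, any equivalent service works). The point for the OP: ask an outside service what your address is, rather than reading the NIC, which yields the internal IP.

```shell
#!/bin/sh
# Added example: push the public IP to DuckDNS only when it has changed.
# Run from cron as:  sh duckdns-update.sh run
DUCKDNS_DOMAIN="${DUCKDNS_DOMAIN:-mysub}"        # placeholder subdomain (mysub.duckdns.org)
DUCKDNS_TOKEN="${DUCKDNS_TOKEN:-replace-me}"     # placeholder token; keep it out of git
CACHE_FILE="${CACHE_FILE:-/var/tmp/duckdns.last}"

# Public IP as seen from outside the NAT. Reading the interface address instead
# would return the 192.168.x.x address the router handed out.
public_ip() {
    curl -fsS --max-time 10 https://api.ipify.org   # assumed lookup service
}

# Accept only something shaped like a dotted IPv4 address before sending it anywhere.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# 0 (true) when the IP differs from the last one we pushed, or nothing was cached yet.
ip_changed() {
    [ -f "$1" ] || return 0
    [ "$(cat "$1")" != "$2" ]
}

# DuckDNS update URL; the token travels as a query parameter, so HTTPS only.
update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=%s' "$1" "$2" "$3"
}

main() {
    ip="$(public_ip)" || { echo "could not determine public IP" >&2; exit 1; }
    is_ipv4 "$ip" || { echo "unexpected lookup result: $ip" >&2; exit 1; }
    if ip_changed "$CACHE_FILE" "$ip"; then
        # DuckDNS replies with the literal text OK or KO.
        resp="$(curl -fsS --max-time 10 "$(update_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "$ip")")"
        [ "$resp" = "OK" ] || { echo "DuckDNS rejected update: $resp" >&2; exit 1; }
        printf '%s' "$ip" > "$CACHE_FILE"
        echo "updated $DUCKDNS_DOMAIN.duckdns.org -> $ip"
    fi
}

# Only act when explicitly told to, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```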

mothar,

The easiest and quickest way that's still safe is to just use Tailscale.

It's a zero-config VPN that you can install on all your devices. I've been using it for quite some time now and I'm still fascinated by how easy to use it is.

BearOfaTime,

Enable Funnel and the Tailscale client isn’t required.

tudor,

Or Twingate. It works very well for me

xinayder,

I found Tailscale/Headscale way more difficult to set up than WireGuard.

Mir,

I would want to go that approach, but it feels very inconvenient having to connect to the VPN every time I want to check something, also the battery drain if I stayed connected all the time.

BearOfaTime,

No significant battery drain for me, and I use it a lot, almost all the time.

Yea, it’s a little drain, just nothing to worry about.

WASTECH,

I’ve been using Tailscale for about 2 months now. It has a VPN-on-demand setting that I keep enabled. That way, anytime I am not on my local WiFi, it automatically connects the VPN. According to my battery health settings, Tailscale has used 5% of my battery in the last 10 days. And I am even using a Mullvad exit node, which would use even more battery.

Mir,

Where is the VPN-on-demand setting?

WASTECH,

On iOS, I tap on my profile in the upper right, and the VPN-on-demand setting is right below my account.

rambos,

Not sure if it's the same, I don't use Tailscale, but pure WireGuard. In my experience battery drain is not even noticeable, but staying connected is not as smooth as I'd like. I tried to keep the VPN active all the time, but then sometimes I just notice my internet is not working (I have to disable or restart the VPN connection). It could be an issue with my phone (Android), a misconfig or something else, but I switched to manually enabling the VPN every time I need it. Not amazing, but a few clicks every now and then is more than acceptable for my use case.

dumnezo,

I have two servers (and various other machines) on two different LANs joined by a WireGuard tunnel between the routers, with DynDNS running on both, and WireGuard on all mobile devices that need access to the LAN.

If your router can natively run WireGuard, I'd highly recommend it. It just works. Or just use Tailscale, it's WireGuard for lazy people.

traches, (edited)

My advice is to just use Tailscale. It’s a 5 minute setup and you get access to your stuff from anywhere, securely, without opening ports to the public internet. It will give your server a second IP address, which you will be able to access from any other device which is also registered to your Tailscale account.

My personal setup:

  • Tailscale installed on all devices that need access to my home lab
  • Custom domain with root A record set to server's Tailscale IP
  • Caddy reverse proxy on server, with the DNS challenge configured for certificates (the regular HTTP challenge won't work because the server isn't on the public internet)
  • services all on subdomains

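The setup in the list above written out as a Caddyfile. This is an added example, not traches's own config: it assumes a Caddy build that includes the Cloudflare DNS plugin (xcaddy build --with github.com/caddy-dns/cloudflare), a CLOUDFLARE_API_TOKEN environment variable, a wildcard DNS record *.home.example.org pointing at the server's Tailscale IP (placeholder 100.64.0.10), and placeholder container ports.

```caddyfile
# Added example. Caddy serves *.home.example.org (placeholder domain) over TLS and
# routes each subdomain to one container. The DNS record resolves to a Tailscale
# address, so only tailnet members can reach it and Let's Encrypt cannot connect
# for an HTTP-01 challenge; DNS-01 proves control of the zone through the DNS API.

{
    email admin@example.org     # placeholder ACME account contact
}

*.home.example.org {
    # Listen on the Tailscale interface only, never on the LAN or WAN address.
    bind 100.64.0.10            # placeholder Tailscale IP

    # One wildcard certificate via DNS-01; the API token stays in the environment,
    # not in this file.
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    @jellyfin host jellyfin.home.example.org
    handle @jellyfin {
        reverse_proxy localhost:8096    # assumed Jellyfin port
    }

    @ha host ha.home.example.org
    handle @ha {
        reverse_proxy localhost:8123    # assumed Home Assistant port
    }

    # Unknown subdomains under the wildcard get a bare 404 instead of a default backend.
    handle {
        respond 404
    }
}
```

Run the server with Tailscale already up, otherwise the bind address does not exist yet and Caddy will refuse to start.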
impure9435,

Btw you can self host an open source Tailscale server called Headscale. And there's NetBird which is a fully open source alternative to Tailscale.
