
How are you making services remotely accessible?

I need help figuring out where I am going wrong or being an idiot, if people could point out where...

I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc...) controlled by portainer.

A consumer router assigns static IP addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.

I figure the server needs the DynDNS address to point at it, but the scripts pick up the internal IP.

How are people solving this?

Inktvip ,

If it's only you (or your household) that is accessing the services then something like hosting a tailscale VPN is a relatively user friendly and safe way to set-up remote access.

If not, then you'd probably want to either use the aforementioned Cloudflare tunnels, or set up a reverse proxy container (nginx proxy manager is quite nice for this as it also handles certs and stuff for you). Then port forward ports 80 and 443 to the server (or container if you give it a separate IP). This can be done in your router.

In terms of domain set-up. I've always found subdomains (homeassistant.domain.com) to be way less of a hassle compared to directories (domain.com/homeassistant) since the latter may need additional config on the application end.

Get a cheap domain at like Cloudflare and use CNAME records that point domain.com and *.domain.com to your dyndns host.
Iirc there's also some routers/containers that can do ddns with Cloudflare directly, so that might be worth a quick check too.

hsdkfr734r ,

I assume you want to access a self hosted service on your local server from the Internet.

To make the service accessible from the Internet multiple things are required:

  • the router can be accessed from the outside. Find your public IP in the router or use a find-my-IP website. Better: do both.
    This is the address you can use to access your router (or whatever service you choose to expose through it).
    Side note: If the IP address of your router and the one from the find-my-IP site are different, it could mean that your provider uses CG-NAT (because IPv4 addresses are scarce, the provider doesn't give you a real publicly accessible address). This means you can't access your router from the Internet. Try IPv6 or contact your provider to get a publicly accessible IPv4 address.
  • because the above-mentioned IP address of your router might change, DynDNS is used. Configure it in your router and test it. Test if the DNS name you have set up resolves to your IP address (nslookup or ping it).
  • to make your service available to the Internet you need to configure port forwarding in your router (or add your server as exposed host, which means all ports are forwarded to the Internet). This means the router passes requests to itself on to your internal server.
    Careful: everybody can access whatever services you expose. Advice: it's a good idea to use a VPN. Set up a VPN server in your LAN and only port-forward its port in the router. Connect to the VPN from the outside; afterwards use the internal services through the VPN connection.
  • scripts and the internal IP: the DynDNS name needs to be used instead of the IP. Find a way to make the scripts use that name to resolve it to your external IP.
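The reachability checks in the post above (router WAN address versus what the Internet sees, the CG-NAT hint, and whether the DynDNS name resolves to that address), and the CNAME-to-DynDNS setup from Inktvip's reply, as an added shell example that is not part of the thread. It takes the router-reported address, the externally observed address and the DynDNS name as arguments. 100.64.0.0/10 is the RFC 6598 shared address space that carriers use for CG-NAT; the addresses and hostnames used in the checks are assumed documentation values. Only resolve_name() touches the network, and it can be swapped out via RESOLVER.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for exposing a
# home server. Usage: sh reach-check.sh ROUTER_WAN_IP OBSERVED_IP DYNDNS_NAME

# ip_class IP -> prints public | private | cgnat | loopback | invalid
ip_class() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) echo invalid; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || { echo invalid; return; }
    done
    if   [ "$1" -eq 10 ]; then echo private
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # RFC 6598 shared space
    else echo public
    fi
}

# wan_verdict ROUTER_WAN_IP OBSERVED_IP -> one-line diagnosis of inbound IPv4 reachability
wan_verdict() {
    rc=$(ip_class "$1"); oc=$(ip_class "$2")
    if [ "$rc" = invalid ] || [ "$oc" = invalid ]; then echo "invalid input"
    elif [ "$rc" = cgnat ]; then echo "cgnat: router WAN address $1 is in 100.64.0.0/10, inbound IPv4 will not reach you"
    elif [ "$rc" = private ]; then echo "double-nat: router WAN address $1 is private, another NAT sits in front of it"
    elif [ "$1" != "$2" ]; then echo "mismatch: router reports $1 but the Internet sees $2, likely CG-NAT"
    else echo "ok: $1 is a public address and matches what the Internet sees"
    fi
}

# resolve_name NAME -> first IPv4 A record (following CNAMEs), empty if none; the only network call
resolve_name() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1
    else
        getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
    fi
}
RESOLVER="${RESOLVER:-resolve_name}"   # overridable for offline testing

# dns_verdict NAME EXPECTED_IP -> ok | stale | unresolved (works for CNAME *.domain -> dyndns host too)
dns_verdict() {
    got=$("$RESOLVER" "$1")
    if [ -z "$got" ]; then echo "unresolved: $1 has no A record"
    elif [ "$got" = "$2" ]; then echo "ok: $1 -> $got"
    else echo "stale: $1 -> $got, expected $2 (DynDNS update not applied yet?)"
    fi
}

if [ $# -eq 3 ]; then
    wan_verdict "$1" "$2"
    dns_verdict "$3" "$2"
fi
```

A "mismatch" or "cgnat" verdict means port forwarding on the router cannot work for IPv4 and one of the VPN, VPS or tunnel approaches in the thread is needed; a "stale" DNS verdict usually just means the DynDNS client has not pushed the new address yet, so re-run after the router's update interval.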

cmnybo ,

My IPv4 connection uses CGNAT, so I use a VPN to access my server. I also have IPv6, so I have a couple of things directly accessible over it in case the VPN drops for some reason. I do have dynamic DNS set up, although it's not really necessary. My IPv6 prefix doesn't seem to change unless I change the DUID on my firewall.

d3Xt3r ,

It's easiest to just register a domain name and use Cloudflare Tunnels. No need to worry about dynamic DNS, port forwarding etc. Plus, you have the security advantages of DDoS protection and firewall (WAF). Finally, you get portability - you can change your ISP, router or even move your entire lab into the cloud if you wanted to, and you won't need to change a single thing.

I have a lab set up on my mini PC that I often take to work with me, and it works the same regardless of whether it's going through my work's restricted proxy or the NAT at home. Zero config required on the network side.

OminousOrange ,

I recently went this route after dabbling with other options. I had a WireGuard VPN through my UniFi router, with rules to limit access to only the resources I wanted to share, but it can be a struggle for non-savvy users, and even more so if they want to use Jellyfin on their TV. Tried Twingate too and would recommend it if it fits your use case, but Cloudflare Tunnels were more applicable to me.

___ ,

Just be careful, as DNS and federated requests can leak your real IP even through the CF proxy.

KairuByte ,

If you’re only exposing your services through a cloudflare tunnel, it doesn’t even matter if they get your real IP.

dipak ,

Just a reminder that even though the tunnel itself is encrypted, the whole connection is not E2E encrypted between your remote client and the server. Cloudflare as a CDN/PoP provider can see the traffic in plaintext.

In all other aspects, this is a great solution, as we even get to use the edge caching facility (on top of everything mentioned above), which further reduces the requests to the origin server.

kokesh ,

I used to open and NAT ports on my modem. Got put behind CGNAT, so now I run a WireGuard tunnel to a free VPS.

Decronym Bot , (edited )

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread for this sub, first seen 21st Apr 2024, 07:55]

nehal3m ,

Good bot

SexualPolytope , (edited )

I have a WireGuard tunnel set up between my home server and the VPS, with persistent keepalive. The public domain name points to the VPS, then I have it set up (simply using iptables) so that any traffic there on ports 80 and 443 is sent back to my home server, where it's handled by Caddy and sent to the actual service.

The only ports I need to open are 80 and 443 on my VPS to make this setup work. So, no open ports on my local machine. This does however require you to pay for a VPS. Since you aren't doing much on it though, you can get away with a cheap one. I have a $12/year VPS from RackNerd that I use for this job.

For completely free options, you can do one of three things. (That I can think of. There are probably more ways.)

  1. Open up some ports on your machine. You'll need to make sure that you aren't behind CGNAT for this. I simply don't like opening ports to the internet, though.
  2. You can use a VPN. Tailscale works great for this. I use it personally for SSHing remotely into my machines.
  3. You can use Cloudflare Tunnels. Potentially bad privacy-wise since they can technically access the data. So don't use it for sensitive stuff. Also, their policy doesn't allow traffic that's not mostly HTML. So something like a Jellyfin server would violate this. But you do get to use their firewall, which is great for protection against DDoS attacks.

P.S. If you need help setting any of these up, lmk.

betweenchaosandshape ,

Your setup sounds great! I hadn’t come across something like that and I’d love to try it out, myself. Do you have a guide or any other resources with more info? I’m currently using a reverse proxy, but I’m not excited about the open ports, even with firewall rules keeping them contained.

SexualPolytope ,

I'm afraid that I don't have any guides. But, you're halfway there anyway. Which one of these methods do you prefer? I can maybe give you some pointers.

betweenchaosandshape ,

I like the idea of using the VPS and forwarding requests via WireGuard. I’m about to switch my setup from using NPM to Traefik. The next step after that may be to put the VPS in front of it all.

SexualPolytope ,

My setup looks like the following:

/etc/wireguard/wg-vps.conf on the VPS
-----------------------------------------------------
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = ********************************************

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding 80 and 443
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:80
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg-vps -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg-vps -j MASQUERADE

[Peer]
PublicKey = ********************************************
AllowedIPs = 10.8.0.1/32

/etc/wireguard/wg-vps.conf on my home-server
---------------------------------------------------------------
[Interface]
Address = 10.8.0.1/24
PrivateKey = ********************************************

[Peer]
PublicKey = ********************************************
AllowedIPs = 10.8.0.2/32
Endpoint = <VPS-DDNS>:51820
PersistentKeepalive = 25

Now, just enable the tunnel using sudo systemctl enable --now wg-quick@wg-vps. Make sure that ports 51820, 80, and 443 are open on the VPS. Now, allow 80 and 443 through the firewall on the home server (not on the router, just allow it locally), and it should work.
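The VPS-side NAT rules from the config above, as an added example that is not code from the post: the same DNAT and MASQUERADE rules, but applied through a small script that only appends a rule when `iptables -C` says it is missing and deletes every copy on the way down. With plain `PreUp = iptables -A ...` lines, an interrupted `wg-quick down` (crash, reboot mid-way) leaves the old rules behind and the next `wg-quick up` stacks a second copy. The interface names, the peer address and the script path are assumptions taken from the post's config; `IPTABLES` and `SYSCTL` are overridable only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the post): idempotent VPS-side port forwarding for
# the WireGuard setup above. Install as /usr/local/sbin/wg-fwd.sh (assumed
# path) and reference it from wg-vps.conf:
#   PreUp    = /usr/local/sbin/wg-fwd.sh up
#   PostDown = /usr/local/sbin/wg-fwd.sh down
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface of the VPS
WG_IF="${WG_IF:-wg-vps}"           # tunnel interface name from the post
HOME_PEER="${HOME_PEER:-10.8.0.1}" # home server's address inside the tunnel
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can run without root
SYSCTL="${SYSCTL:-sysctl}"

# dnat_spec PORT -> nat-table rule sending inbound WAN traffic for PORT to the home server
dnat_spec() {
    echo "PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $HOME_PEER:$1"
}
# masq_spec -> source-NAT for traffic leaving via the tunnel, so replies come back through the VPS
masq_spec() {
    echo "POSTROUTING -o $WG_IF -j MASQUERADE"
}

# ensure_rule SPEC: append only when `-C` reports the rule is not present yet
ensure_rule() {
    # shellcheck disable=SC2086  # SPEC is intentionally word-split into arguments
    "$IPTABLES" -t nat -C $1 2>/dev/null || "$IPTABLES" -t nat -A $1
}
# delete_rule SPEC: remove every copy, clearing duplicates left by earlier interrupted runs
delete_rule() {
    while "$IPTABLES" -t nat -C $1 2>/dev/null; do
        "$IPTABLES" -t nat -D $1 || return 1
    done
}

forward_up() {
    "$SYSCTL" -q -w net.ipv4.ip_forward=1 || return 1
    for p in 80 443; do ensure_rule "$(dnat_spec "$p")" || return 1; done
    ensure_rule "$(masq_spec)"
}
forward_down() {
    for p in 80 443; do delete_rule "$(dnat_spec "$p")" || return 1; done
    delete_rule "$(masq_spec)"
}

case "${1:-}" in
    up) forward_up ;;
    down) forward_down ;;
esac
```

One consequence of the MASQUERADE rule, kept here because the post relies on it: Caddy on the home server sees every visitor as 10.8.0.2, so per-client rate limits or IP allow-lists have to be enforced on the VPS, not behind the tunnel.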

betweenchaosandshape ,

Thanks so much! Hopefully I’ll be giving this a try soon.

rambos ,

I'm using a WireGuard VPN. You have to set up a VPN server (using your DynDNS address, DuckDNS in my case), open the WireGuard port in your router and configure each device that needs access. A reverse proxy is not needed, but I have it so I can use jellyfin.example.com instead of 192.168.100.40:8096. I use NPM (nginx proxy manager) with an awesome GUI that can create Let's Encrypt certificates. I also use Pi-hole as a local DNS server.

odious ,

If you are the only one using the services, then go for a VPN instead of port forwarding or something similar. This way, your stuff isn't openly accessible from the internet to anyone poking around.

anamethatisnt ,

I agree with this, protecting everything behind a VPN is the way to go. I help friends set up their VPN client to my stuff if I want them to access an internal service.

dumnezo ,

Set up VPN = scan QR code. Love how easy everything has gotten

Stitch0815 ,

Mhh, I don't know if I can help you too much.
I initially followed SpaceinvaderOne's tutorials for my Unraid machine. But with time I changed from SWAG to nginx proxy manager. And I changed from using a DuckDNS Docker container to a router-based DynDNS tracker.
But honestly I don't remember too much from the process. I'm currently trying to switch domains but just can't get them to work :D so I am in a similar spot to you.

slazer2au ,

Try to scout opening ports on your modem. Cloudflare Tunnel plus a Traefik reverse proxy is an option you can go with.

There are many how-to guides like Jim's Garage that walk you through setting it up.
