this post was submitted on 19 Jul 2023
75 points (98.7% liked)

Selfhosted

39939 readers
441 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
75
Setting up your own VPN (lemmy.fmhy.ml)
submitted 1 year ago by Coldus12@lemmy.fmhy.ml to c/selfhosted@lemmy.world
64 comments fedilink hide all child comments
 

What do you guys use / recommend to set up your own VPN to access your LAN services remotely?

you are viewing a single comment's thread
view the rest of the comments
[–] appel@whiskers.bim.boats 5 points 1 year ago* (last edited 1 year ago) (1 children)

You can run tailscale client on the host, not in a container. Then for the domain names, create a DNS record either in the public DNS (or I think you can do it in the internal tailscale DNS) that points a wildcard for your subdomains (*.domain.com) to the IP of the container host within the tailnet. Do "tailscale --status" on any device joined to the tailnet to see the IP addresses inside the tailnet. Then all of the devices will make their DNS request to either your upstream DNS or the internal one, they get the response back that they need to send their http request to the container host within the tailnet, it sends on the default 80 or 443 ports for http and https respectively, and then your reverse proxy handles the rest.

[–] goodhunter@lemm.ee 1 points 1 year ago* (last edited 1 year ago) (1 children)

hi, i finally found some time to dig into this. Oddly, I think I got a functioning setup, although it did a bit differently in the end. If you may, please advise if I indeed reached completion, or I have it set suboptimal.

  1. I installed Tailscale gui natively on my mac mini, and ios devices.
  2. I tried following up on your advise of creating DNS records. First in Cloudflare, but since I already set a wildcard entry as type CNAME/*/mydomain.com/DNSonly/TTLauto I wasn't allowed to add type A record with a similar wildcard entry. I need this existing CNAME line for Traefik to work my SSL certificates (as far i understood). Then I tried setting it up through the DNS>custom Namespaces within Tailscale admin console instead. An entry would look like service.mydomain.com and for ipv4 the local ip of the mac mini. But I wasn't sure about the config as it wasn't working. Then i tried the Tailscale ip 100.xx.xx.xx, to no avail.
  3. I thought I needed to advertise routes for my local network, so I did. As similar to --advertise-routes=192.168.68.0/24. And later instead the docker network 172.23.0.0/16. Still didn't do it.
  4. As I am a NextDNS user I set the ID number in Tailscale>DNS>Nameservers as the Global nameserver and checked Override local DNS.
  5. In the NextDNS config I defined a Rewrite function as *.mydomain.com to the Tailscale IP of the local machine 100.xx.xx.xx . And boom, I can access the servers from my idevices over the Tailscale vpn tunnel.
  6. I then tried to tear down the setup again. It seems the advertise routes from (3) doesn't do anything, so I removed it again.

Open for any suggestions on this hacked attempt.

Update: yes found an issue. I can only access the services with tailscale enabled. I suspect the rewrite is causing an inproper pass through without the tunnel, as that the tailscale ip cannot be reached.

Update 2: I changed to rewrite to the local ip address instead, similar to 192.168.68.110. I think it works now when accessing within the local network without tunnel and externally with the tunnel.

[–] appel@whiskers.bim.boats 1 points 1 year ago

Seems like you got it to work, I'm not sure about traefik requiring that cname for ssl, our setup does not. But yes the way we've done it does require that tailscale is always enabled. Even when on lan. If you've managed to setup both LAN and tailscale connections for one thing that's pretty cool.