this post was submitted on 14 Jun 2023
2 points (100.0% liked)

Selfhosted

40018 readers
575 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

(I asked this on r*ddit a long while ago, but I don't think I explained myself properly)

Basically, I would like to host a few services on my own metal (and not anywhere else in the world!) to play around with and learn, like my personal site, lemmy instance, vpn, fdroid, image host, etc etc.

I would also like to hide my public IP address because I don't want people who connect to me to know my location (even if it's rather coarse).

I know that this isn't possible without at least another server in a different physical location, but I really have no idea how to approach this. What software do I run? What is this action called? What do any of these AWS/Azure service names mean? How much would I realistically need to pay? Etc etc.

Anyone have any pointers?

top 19 comments
sorted by: hot top controversial new old
[–] dap@lemmy.onlylans.io 4 points 1 year ago (1 children)

Cloudflare free tier + a reverse proxy will set you straight. You can add subdomains for your services as A records in Cloudflare off of your root domain, i.e. lemmy.yourdomain.tld, personalsite.yourdomain.tld, images.yourdomain.tld.

When doing this, enable the Cloudflare DNS proxy which will route DNS requests to your origin service through Cloudflares's CDN. This essentially "hides" your public IP as anyone doing a nslookup lemmy.yourdomain.tld will get Cloudflares's IPs back as a response.

Once you've done this, you can break everything back out to it's respective backend via a reverse proxy. For example, lemmy.yourdomain.tld gets passed to 192.168.0.10, personalsite.yourdomain.tld gets passed to 192.168.0.20, etc.

[–] augentism@thaumatur.ge 2 points 1 year ago* (last edited 1 year ago) (2 children)

That's sounds so much simpler than what I am doing right now. Right now I have a digital ocean droplet server running openvpn and I have any servers I want open to the internet connecting to that openvpn server as a client. I then NAT all incoming traffic to the servers I have with iptables as if the droplet is a router. Is it much easier to setup a cloudflare tunnel? Or am I basically accomplishing the same thing? Will I be able to run all the other services I have because I'm not just web hosting? I also do not have a static IP.

[–] death916@lemmy.death916.xyz 1 points 1 year ago* (last edited 1 year ago)

Since I didn't want to use cloudflare I use a free oracle vps with tailscale and a reverse proxy on it. Then thru tailscale all services from home can go to the proxy without forwarding any ports and services can be accessible

[–] dap@lemmy.onlylans.io 1 points 1 year ago

Cloudflare tunnels or a reverse proxy with Cloudflare DNS would be much easier to manage IMO. What you're doing will work but it seems like you have a lot of moving parts in your setup which can lead to errors creeping in.

With both proposed setups you should be able to pass non web-based traffic to their respective backends. In nginx that would look something like the following:

server {
        listen 443 ssl http2;
        server_name service.yoursite.tld;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host:$proxy_port;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://<IP of your service>:<port>;
        }
}

With Cloudflare tunnels you can setup a VM as your tunnel termination point and configure ingress rules to pass traffic where it needs to go, similar to this:

tunnel: <Tunnel UUID>
credentials-file: /root/.cloudflared/<Tunnel credentials>.json

ingress:
  - hostname: service1.yourdomain.tld
    service: http://192.168.0.10:80
  - hostname: service2.yourdomain.tld
    service: ssh://192.168.0.20:22
  - service: http_status:404 # This is a catch-all rule to handle unmatched ingress traffic

One thing you can do for your public IP is use something like inadyn to update cloudflare with your public IP when it changes. Inadyn is super lightweight and will make sure, +/- 5 minutes, that your public IP is up-to-date with Cloudflare.

[–] ThorrJo@lemmy.sdf.org 3 points 1 year ago* (last edited 1 year ago)

As others have pointed out,

  1. a VPN (so that your outbound traffic comes from your VPN endpoint, not your bare IP address)
  2. a reverse proxy server

I use a router from GL-iNet to run the always-on VPN, and rathole for a reverse proxy. Both the VPN and the reverse proxy terminate at $4/mo VPSes.

[–] TheButtonJustSpins@infosec.pub 3 points 1 year ago (2 children)

Was going to suggest CloudFlare as well. At the very least just setup your DNS with there nameservers and benefit from CloudFlare proxies on the IP addresses.

But tunnels is pretty sweet.

[–] dap@lemmy.onlylans.io 1 points 1 year ago (1 children)

Cloudflare tunnels are great but OP may not want to have to authenticate each user to their services.

Agreed, but they could always setup a bypass rule.

[–] fox@lemmy.fakecake.org 2 points 1 year ago

ingress traffic to lemmy is obvious (CF -> reverse proxy, for example) but what about egress traffic i.e. federation requests? I kind of poked around lemmy backend / issue tracker but didn't find any way to setup a HTTP proxy for backend requests, so your real IP would be visible to any instance you contact, I think.

[–] arya@kbin.projectsegfau.lt 1 points 1 year ago

Look into getting a VPS to proxy things through using either wireguard+DNAT, rathole or SSH tunneling.

Cloudflare DNS Proxy sounds like exactly what you're looking for, where cloudflare acts as the DNS middleman and responds with their own IPs, while forwarding all traffic for the site(s) to your public IP space

[–] joe@lemmy.knocknet.net 0 points 1 year ago* (last edited 1 year ago) (1 children)

It's not a perfect solution but, and requires some sort of VPS, but you could run a reverse proxy on a VPS, site-to-site vpn from the VPS to your Homelab, and point your reverse proxy to the services over said VPN.

I do something like this. However, it doesn't completely hide your IP.

So the software you're looking for is a Reverse Proxy (nginx, traefik, caddy... etc. there are tons), a VPN (Wireguard, OpenVPN, StrongSwan (IPsec)), and more than likely some sort of VPS. My Linode VPS costs me $5 a month. They constantly have sponsor deals that will get new users free time though.

Hope that gets you started.

[–] homelabber@lemmy.one 1 points 1 year ago (1 children)

I thought that solution completely ideas the homelab IP. Why/How is it visible?

[–] joe@lemmy.knocknet.net 3 points 1 year ago (1 children)

Well the VPN connection depending on what technology you use will still need to connect to the Public home IP, which is probably dynamic, which means that you'd probably need to use Dyanmic DNS to keep it connecting properly.

As far as someone just connecting to the reverse proxy the Home IP shouldn't be visible at all. I just mean it wouldn't hide well were someone really trying to find it.

I'm not sure I'm explaining this well. I haven't had coffee yet.

[–] homelabber@lemmy.one 2 points 1 year ago (1 children)

I see, thanks for the explanation.

If I understand correctly, with a service like Tailscale that doesn't require Dynamic DNS even if your IP changes, there wouldn't be a risk of revealing the IP, right?

[–] joe@lemmy.knocknet.net 2 points 1 year ago (1 children)

Well in that case, tailscale is running as a daemon, so it effectively is doing it's own little Dynamic DNS.

I suppose the point I'm trying to make is SOMEONE has to know your public Home IP. In the case of using tailscale, it would be the tailscale servers. But you would be correct that I don't believe it would be published to any public DNS servers.

In my case, I'm using cloudflare for DDNS.

The solution I describe comes with a bit of risk acceptance (just like anything else really).

[–] homelabber@lemmy.one 1 points 1 year ago

Got It! Thank you very much.

load more comments
view more: next ›