Cloudflare tunnels can punch a hole through that. Get a reverse proxy setup for your apps and VMs, then create a cloudflare tunnel and you’re off to the races.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Sorry, but I'm a bit lost with these specifics. I currently have a reverse proxy (nginx) publishing some of my apps running locally on my home server. Where should I put the reverse proxy? On the remote unreachable server, or? And how would the tunnel go?
On the server that’s behind CGNAT, install Cloudflare tunnel. The tunnel will create an out going connection to Cloudflare, with an open socket; when you try to hit your specified subdomain, Cloudflare will receive your request, send it through the tunnel, and thus allow you to connect to your service.
Cloudflare tunnels would be the easiest/cheapest way to go about it. But always be mindful that if you violate their terms and conditions, you could find yourself with a high bandwidth bill.
Yes, you can connect the device behind CGNAT to your existing VPN as a client. Then, from inside the VPN, you would use the its virtual address to connect to it. You can use a systemd service or similar to have the VPN connect at boot.
Oh wow, I'll have to try this! Can then the virtual IPs be pinged in Wireguard VPNs? (I mean, PiVPN is simplifying Wireguard anyway).
Yes. All devices connected to the VPN will have a private IP inside the virtual network. You can use these to communicate as though they were public IPs, except that they can't be used from outside the VPN.
That would be my problem right? In my understanding, if I get some remote device to dial into my home network through a PiVPN running in my home network, i believe the remote devices can access and ping home devices, but no home device other than the PiVPN can ping them back? Right?
You would need to set up routes on these other devices to tell them that VPN devices can be reached through the Pi. It’s possible, but I’ve never done it myself, so I don’t have any useful pointers.
you could use tailscale for that, it should be able to punch through the CGNAT
As someone else who uses Tailscale behind a CGNAT, this indeed works. I use it for accessing my home server from the office for a year now. You can't quite self host anything public facing but anything on your tailnet can talk to it just fine.
Theoretically a VPS proxy into the server over the VPN could work for devices not capable of running tailscale but your mileage may vary.
WireGuard as well.
Do you have IPv6? That usually isn’t behind any kind of NAT and you can just let machines through the firewall.