Centralization is bad for everyone everywhere.
That bring said… I just moved my homeserver to another city… and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.
Tunnels made it very easy. No port forwarding no dns configuration no firewall fiddling no nothing.
Why do they have to make it so so easy…
Sure it’s easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.
Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.
Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven’t had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to loose some potential bandwidth to the kernelspace/userspace hoops.
Does this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?
I’ve been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.
Yes, I do loose the origin IP and I’m a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That’s totally my personal preference though.
I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It’s by design much easier for them to do statistics or snooping.
I also have a similar setup to maiskanzler. But I use iptables to forward the traffic over wireguard and I am able to preserve the original client IP by not snat the packets. I then have to use policy based routing to make sure that traffick goes back out through the wg tunnel.
I’m happy to share info on how to get this working.
I’d like a blog please
I’d certainly be interested in full details. This sounds like the best of all worlds of not needing to double reverse proxy, not hardcoding internal IPs in the config of a single reverse proxy on the VPS, and not losing the source IP.
I have a similar setup and I just have the reverse proxy on the VPS. It then proxies back to the home server on whatever port the service is on. And yes you can forward the original client IP if you wish.
It depends on how you set it up
That’s a good setup.
What VPS do you use for this?
If you want something cheap check out RackNerd yearly deals. Last I checked they still have listings for black Friday and other old deals once you’ve made an account. I got a server for like $12 a year with 5tb monthly bandwidth. I have 3 servers total with them and haven’t had a problem for the 3 years I’ve been using them.
I am using the smallest tier VPS from IONOS for 1€/month. Good, reliable and trustworthy as it is a subsidiary of 1&1 telecommunications.
This is the right answer