I have an openwrt router at home which also acts as my home server. It’s running a bunch of services using docker (Jellyfin, Nextcloud, etc.)
I have set up an SSH tunnel between my openwrt router and VPS and can access jellyfin successfully.
I understand that I need to set up a reverse proxy to access multiple services and have https.
But I’m confused if I should set up this reverse proxy on the VPS or on the router itself. Is nginx the easiest option? Should i add subdomains in cloudflare for every service?
Pease don’t recommend vpns since they are all blocked where i live (wireguard, tailscale openVPN, etc.) I’m limited to using ssh tunneling only.
Thanks
Maybe look into https://nginxproxymanager.com/ it makes it quite easy to set up.
Thank you very much my question is should npm be installed on my VPS or my local server? What SSH command should I use to connect the two machines in a way that npm works?
Removed by mod
Caddy was exactly what i needed. It magically solved the problem…
Swag was my nginx introduction, and it was mildly confusing because I ran it on docker and didn’t understand how to edit configs at the time. I’d recommend following a guide instead of winging it like I did 😅
As someone who used caddy over years, I can’t completely agree.
Caddy has some downsides (nextcloud needs special setup for example) and not everyone is familiar with writing a Caddyfile. (Json)
For someone new I would recommend “nginx proxy manager”. Easy to install with docker and self explained through GUI.
Removed by mod
Completely agree. I haven’t used NPM since I started self hosting a few years ago, but I was never able to get it to work right. I ended up using apache2 as it was pretty well documented everywhere. Moved to caddy v1 when I found it as the config is so easy to write and understand. Moved to v2 when it was released and had no issues. Their forum is incredibly helpful if you run into any issues. At this point its a “relatively” mature platform and most projects I’ve setup have an example config (usually just 1 or 2 lines because that’s all you need).
I know this isn’t what you asked but I would move any hosted services outside of DNS to a separate device.
Check “boring proxy” On github easy to install and configure and does https for you
Either you run the RP in the VPS and point to the ips on your server or you run it on the server and access it like you are accessing Jellyfin.
Easiest option is a container with Nginx proxy manager (imo) with NPM you can get free let’s encrypt certs, but be aware, in case you want automated certificates, NPM will need to run on the machine pointed to by the DNS (in your case, your VPS I guess)
deleted by creator
How can something like Tailscale be blocked?
Unfortunately, Deep Packet Inspection does this as Tailscale/Wireguard does not encrypt trafficMy bad, it encrypts traffic, but I mean easily readable signature
Wireguard, like all VPNs, definitely does E2E encryption. What would be the point of an unencrypted VPN?
It definitely encrypts the traffic, the problem is that it encrypts the traffic in a recognizable way that DPI can recognize. It’s easy for someone snooping on your traffic to tell that you’re using Wireguard, but because it’s encrypted they can’t tell the content of the message.
https://www.wireguard.com/protocol/
Looks like wireguard encrypts traffic to me.
It’s easily detected by firewalls in China and Iran.
Interesting, because Tailacale doesn’t use any special ports. How would that be detected? And could you maybe use Headscale on a dynamic port to circumvent that?
Wireguard is blocked at protocol level no matter which port you use. Tailsclale uses wireguard. Haven’t tried headscale yet.
deleted by creator
It’s definitely encrypted they can just tell by signature that it is wireguard or whatever and block it.
They could do this with ssh if they felt like it.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
10 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.
[Thread #738 for this sub, first seen 5th May 2024, 12:15] [FAQ] [Full list] [Contact] [Source code]
Usually a reverse proxy runs behind the firewall/router. The idea you are pointing 80/443 at the proxy with port forwarding once traffic hits your router.
So if someone goes to service.domain.com
You would have dynamic DNS telling domain.com the router is the IP.
You would tell domain.com that service.domain.com exists as a cname or a record. You could also say *.domain.com is a cname. That would point any hosttname to your router.
From here in the proxy you would say service.domain.com points to your services IP and port. Usually that is would be on the lan but in your case it would be through a tunnel.
It is possible and probably more resource efficient to just put the proxy on the VPS and point your public domain traffic directly at the VPS IP.
So you could say on the domain service.domain.com points to the VPS IP as an a record. Service2.domain.com points to the VPS IP as another a record.
You would allow 80/443 on the VPS and create entries for the services
Those would look like the service.domain.com pointing to localhost:port
In your particular case I would just run the proxy on the public VPS the services are already on.
Don’t forget you can enable https certificates when you have them running. You can secure the management interface on its own service3.domain.com with the proxy if you need to.
And op consider some blocklists for your vps firewall like spamhaus. It wouldn’t hurt to setup fail2ban either.
It depends where you want the complexity.
Since ssh is a layer4 tunnel if you don’t run a proxy on your home box, you’ll need a new network connection for each service, if you are fine with that, I would set it up only on the VPS. This means if the tunnel goes down, you should at least get 502 error rather than a timeout or connection refused.
Alternatively you could forward 80, 443 to a proxy service on the home server. That would require two ports for the ssh.
You can drop it to a single ssh connection by having a proxy on both and just have the VPS proxy Http and https to the same port on the home server.
Firstly…why are you routing your home stuff through a VPS? I’m confused on what is happening here.
If you just want to access your things remotely, setup a VPN server on the router, and connect to it that way. You also dont need a reverse proxy or SSL if you’re already accessing things over a secured connection. Where did you get this info from?
Please read the post man, all VPNs are blocked on the protocol level
That’s not how VPNs work, you can’t just “block all of them”. I think OP just needs to use a pure-TLS VPN solution (like SoftEther) or an obfuscated one like shadowsocks/obfs from a not-super-well-known provider (or self-host it on a VPS/etc.) and they should be golden.
They sniffing the traffic with DPI and block vpn tech on protocol level, so easy detectable things like OpenVPN, Wireguard and Tailscale doesn’t work anymore
I understand, that’s why I suggested some non-easily-detectable solutions.
That was added later, obviously. Even still, you don’t need a VPS for this. This is overly complex .
If SSH works, just forward ports and be done with it.
I don’t want to remember port numbers. I’m trying to give each service its own subdomain.
Beggers CAN be choosers, apparently 🤦
VPS
You should if your ip is private, not public.