I have a home server running Nextcloud and Jellyfin which I want to access from outside my home network. My home network is behind CGNAT, so no public IP.
I have tried reading a lot on the internet regarding this. The options I found are Cloudflare Tunnels, Tailscale, and a VPN.
I'm going the VPN way. I have a VPS with a static IP and I want to set up a WireGuard tunnel to forward traffic to my home server.
I did a lot of googling but could not find any easy-to-follow guide. Can you people please help me or point me to some useful guide for this purpose?
One more question I have: I currently run two services (I plan to add more) in containers, on different ports of the host machine. Is this suitable for the VPN tunnel setup that I want? Or should I have containers with separate IPs on my home network?
Thanks in advance. Sorry I know this is a repetitive post.
If you're already running Docker, just use wg-easy. You need to open just one UDP port from outside, then install the WireGuard client in your operating system of choice, and create a user in the web interface. It will give you the option of exporting the conf file, or generating a QR code for mobile clients. Easy peasy. If you want to run more than one service on the same port, you should google about reverse proxies. IMHO, the easiest to understand and deploy is Nginx Proxy Manager. Then, you would expose all your containers through SSL on 443. For example, https://plex.local would go to your Plex, https://sonarr.local would go to your Sonarr instance, and so on.
I'm CGNATted too, and access my LAN Jellyfin service from the public internet using a free Twingate account, that's it. It's a peer-to-peer TLS-encrypted zero-trust platform, and costs nothing for a permanent trial for up to two clients.
I leave my garage laptop running with Ubuntu 23.10 all the time and have a Twingate connector installed on it. And a second connector running on my living room Ubuntu media server.
I just fire up the Twingate client on my Ubuntu laptop or Android phone, then access resources like the Jellyfin IP address and port on my local network as if I were directly connected to my LAN.
You can fine-tune it so that specific clients can be configured to have access to only certain IP addresses and ports, amongst many other client criteria and resource restrictions available.
I set mine for now so I can access any resources on the local subnet. Like RDPing into my media server laptop to troubleshoot it for my wife at home. It always freaks her out that I can connect from anywhere…
If the service is something only for your use (you don't want to expose it publicly on the internet) then VPN or Tailscale makes sense.
Curious why you chose VPN over Tailscale. I understand you have a VPS with a static IP, but you can use Tailscale without all that (what I am doing right now).
If you want to use the VPS, you can also look into the option of hosting Headscale [1], which is a self-hosted Tailscale control server.
[1]: GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server
Really long thread of me guiding someone through the process that might be of help https://www.reddit.com/r/HomeNetworking/s/MiDbXU9q1e
Same or different should both work, but separate is more likely to be more secure. I do separate IPs with macvlan.
Do you have the correct link? The website is down.
Hey! Thank you so much. Your guide looks super useful and I'm definitely going to try it.
But I have one issue (may be silly). Could you please help me out?
My VPS is hosted on Oracle Cloud and it has a private IP 10.0.0.125 and not 192.168.x.x like in your guide. It's connected to a virtual cloud network, I guess. What do I do about it?
Hi. Thanks for the reply. But I'm using LXD.
I am more comfortable in my mind with LXC because I feel the different services are better isolated compared to Docker (I don't even know if this is right).
I’m not going to run different services on the same port.
I’m asking which option is better among:
- Different services on different ports of the host
- Different IPs for each container hosting one service.
I want to know which option is more suitable for VPN tunnel setup.
Hi. Thanks for the reply. Looks like something very similar to Tailscale. I will do something like this if I can’t get the VPN setup right.
Hi. Thanks for the reply.
I chose VPN because it doesn't rely on a third-party service like Tailscale. At this point I don't even know if relying on Tailscale is a disadvantage. But I'm kind of more comfortable with the VPN idea.
Doesn't WireGuard offer better performance than Headscale?
Hi. Thank you so much. That seems really detailed.
But with separate IPs I should have something like a reverse proxy, right?
That should be fine. Just update your client’s config to point to the public IP instead. I haven’t used Oracle Cloud but I’m guessing your VPS has a public IP as well.
In my example 192.168.x.x was the IP range inside my home network (not in the VPS)
Those are both private IP ranges, I too use 10.x.x.x at home
Both will be equally fine. You’re not gonna have address starvation issues on a private network. At this point, it’s more “what is easy to remember for you?”
You only need reverse proxies if you're trying to host 2 websites on the same public IPv4 address and they both run on the same port (probably 443). If they are on different ports on the public IPv4 address, then you can just port forward them both to the correct destination. With Nextcloud and Jellyfin, I could see it making sense to run them both on port 443.
With IPv6 you typically get at least a /64 routed to you, so you just allow both services since they both would have public addresses; you wouldn't have just the one public IP you're trying to share like with IPv4.
There could be other nice uses for a reverse proxy like handling TLS and certs, but that may or may not be helpful depending on your circumstances.
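As an added example (not from anyone in this thread, and not from the linked guide), here is the shape of the setup the original post asks for and the port-forwarding variant described in the reply above: the home server behind CGNAT dials out to the VPS over WireGuard and keeps the NAT mapping alive with `PersistentKeepalive`, and the VPS forwards only an explicit list of TCP ports from its public address to the home peer with `iptables` DNAT rules, rather than forwarding everything. The script only renders the two `wg0.conf` files; it does not touch the running system. The tunnel subnet `10.8.0.0/24`, the public IP `203.0.113.10`, the interface name `eth0`, the port list and the key arguments are all placeholders you would replace with your own values (generate keys with `wg genkey | tee private.key | wg pubkey > public.key` on each side).

```shell
#!/bin/sh
# Added example: WireGuard "reverse tunnel" for a home server behind CGNAT.
# Everything below is assumed/placeholder: tunnel subnet, public IP, uplink
# interface and the ports to expose. Keys are passed in as arguments.
WG_NET="10.8.0.0/24"          # tunnel subnet (assumed)
VPS_WG_IP="10.8.0.1"          # VPS end of the tunnel
HOME_WG_IP="10.8.0.2"         # home server end of the tunnel
VPS_PUBLIC_IP="203.0.113.10"  # placeholder public IP of the VPS
WG_PORT="51820"               # the only UDP port that must be reachable
WAN_IF="eth0"                 # VPS uplink interface (assumed)
FORWARD_PORTS="443 8096"      # expose only the service ports you intend to

# Render the VPS side. $1 = VPS private key, $2 = home server public key.
# Only the listed TCP ports are DNATed to the home peer; everything else
# arriving on the VPS public address is untouched.
vps_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1
EOF
  for p in $FORWARD_PORTS; do
    cat <<EOF
PostUp = iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport ${p} -j DNAT --to-destination ${HOME_WG_IP}:${p}
PostUp = iptables -A FORWARD -i ${WAN_IF} -o wg0 -p tcp -d ${HOME_WG_IP} --dport ${p} -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ${WAN_IF} -p tcp --dport ${p} -j DNAT --to-destination ${HOME_WG_IP}:${p}
PostDown = iptables -D FORWARD -i ${WAN_IF} -o wg0 -p tcp -d ${HOME_WG_IP} --dport ${p} -j ACCEPT
EOF
  done
  # Replies come back through the tunnel; MASQUERADE on wg0 means the home
  # server answers to the VPS tunnel address and needs no special routing.
  cat <<EOF
PostUp = iptables -A FORWARD -i wg0 -o ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Render the home side. $1 = home private key, $2 = VPS public key.
# No Endpoint is needed on the VPS side: the CGNATed host always dials out.
home_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${WG_NET}
PersistentKeepalive = 25
EOF
}

# Write both files into a directory: write_confs DIR VPS_PRIV HOME_PUB HOME_PRIV VPS_PUB
write_confs() {
  dir="$1"
  mkdir -p "$dir"
  vps_conf "$2" "$3" > "$dir/vps-wg0.conf"
  home_conf "$4" "$5" > "$dir/home-wg0.conf"
  chmod 600 "$dir"/*.conf   # private keys live in these files
}

# Usage: ./wg-cgnat.sh write ./out VPS_PRIV HOME_PUB HOME_PRIV VPS_PUB
if [ "${1:-}" = "write" ]; then
  write_confs "$2" "$3" "$4" "$5" "$6"
fi
```

The home side's `AllowedIPs` is only the tunnel subnet, so the tunnel does not capture the home server's default route. One trade-off of the MASQUERADE rule is that Nextcloud and Jellyfin see the VPS tunnel address instead of the real client IP, which matters for their logs and any fail2ban-style blocking; if you later add the reverse proxy mentioned above, terminating TLS on the VPS and passing `X-Forwarded-For` is the usual way to get that information back.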
Well, this is the first time I’m trying to expose my services to the internet. So I’m trying to keep it as simple as possible. I will improve it as I learn more about networking. So I’ll just skip the reverse proxy thing for now.