Which route did you go for your homeland, a tunnel to your services or setting up tail scale/wireguard and access them on your trailer?
Temp stuff where I could care less about the free tier domain name or things that I just want to funnel to my existing devices: Tailscale
Widespread, prolonged services that will be more actively maintained for a longer amount of time and can just spin off of its own domain/subdomain: Cloudflare
Both are great.
I’m liking self hosted NetBird atm
Wildcard dns with port 80 & 443 port forwarded to traefik with tinyauth & fail2ban
Did you get a static public IP from your ISP?
I actually have Wireguard running on a pi zero 2, all it really does is provide me my pihole DNS.
Taking do one thing, but do it good to the next level, nice!
I thought about getting a pi zero also just for the pi-hole. But my pi3b holds up pretty good, still
Both.
I have a free vps providing me a public IPv4 address, connected to my opnsense router via tailscale, and use a simple port forward from the VPs to the router’s tailscale IP.
I have certain port/connections coming in either via the tailscale IP or my external IPv6 address all forwarded to my internal Caddy reverse proxy which itself is only running IPv4.
And I use cloudflare for my dynamic DNS resolution of my domain. A records are my public VPS IPv4 and AAAA are my own public IPv6 addresses respectively.
If/when I change to a service provider that doesn’t use CGnat for IPv4, I can stop doing the forwarding from my VPS.
That’s so we can stream music/video without needing to use the VPN.
But, I also run tailscale on my phone, so I can do admin stuff remotely from it, albeit painfully, on this small screen when things break. 🤣
I have wireguard, it’s supported by my router (Fritzbox).
Nice, I have to take a look if mine supports it, too!
same here, took me 7m to set this up on OPNsense with FritzBox
Pangolin on a vps.
isn’t it awesome? i am scared to update it too far for an unknown reason
It’s opensoursrso we should be able to roll back.
When I looked into it first, Pangolin seemed a bit overwhelming.
Is it hard to set up?
No, ridiculously easy with docker.
Then it follows the same principles as cloud flare. Create a site (vpn endpoint), get a docker snippet for a newt (what they call the vpn connector), paste it in the docker compose on your Homeserver and see it come up in the Webinterface.
Then you create a public resource and point it to said site and give it a url.
Done.
Ask me if you have questions
Cool, do you get any auth and/or ingress protection?
With cloudflare, you get some auth options, can block AI crawlers (that get recognized…) etc for free
Wireguard.
Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don’t bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).
It’s still worth setting up a wildcard cert with ACME so you get nice https and a real domain.
Cloudflare has some opt-in auth. Mail-OTP is a nice balance imo: You can allowlist mail addresses per service/subdomain and set expiry for each. Then for access, you first have to enter the mail address, get the OTP and then access the service.
So, nobody without access to allowed mail addresses even gets to knock on you door.
But yeah, that’s why I think about going tail scale: why bother having something exposed when not needed?
I just think, some services might be nice to provide to friends, too - and having them connect to my tailnet for this is a bit too much friction, I guess
tailscale. works perfectly, the only problem is needing a google acc for login
Netbird allows email & TOTP 2FA.
the only problem is needing a google acc for login
You can use e-mail now.
is it possible to switch to email from my google acc tied account? or do i need to create a new one?
I haven’t looked into it yet, I’m in the same position of using Google to login.
I just noticed that the login page changed.
I believe registration is limited to a third party/OIDC. The login page is different to sign-up
third party/OIDC.
Ah, that makes sense
No, you cannot. Putting in your emails just redirects to the identity provider you used when signing up. If you try to create an account you’ll see that email’s not a option.
You can use GitHub.
That’s not really a solution.
And that years back they moved their servers from Canada to the US. That’s when I dropped TS and just did wireguard by hand.
I do run wireguard on my router, but the main reason is ad blocking, not hiding services. Most services are publicly exposed.
Nice, I thought about using wireguard as a private VPN, too. Having my pihole block my mobile data on the go would be neat
Zerotier. I found it easy to set up and use. Free tier gives you one network and ten hosts, I think.
Netbird via a free cloud VM. Works great.
This is the way
Who provides free cloud VM?
Wireguard
I used wireguard, then switched to Pangolin. Wireguard was simpler and worked better with mobile apps though. I’ll prob switch back for most apps.
Asked my ISP for a public IP, exposed all things that can handle that to the public. Custom Wireguard server for VPN
