Cloudflare is bad. Youre right.

Centralization is bad for everyone everywhere.

That bring said... I just moved my homeserver to another city... and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.

Tunnels made it very easy. No port forwarding no dns configuration no firewall fiddling no nothing.

Why do they have to make it so so easy...

maiskanzler ,

Sure it's easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.

Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.

Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven't had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to loose some potential bandwidth to the kernelspace/userspace hoops.

asceticism ,

What VPS do you use for this?

TurdMongler ,

If you want something cheap check out RackNerd yearly deals. Last I checked they still have listings for black Friday and other old deals once you've made an account. I got a server for like $12 a year with 5tb monthly bandwidth. I have 3 servers total with them and haven't had a problem for the 3 years I've been using them.

Nibodhika ,

That would be awesome, currently it's 500GB for their cheaper option which starts at 23/year. I didn't find an option to increase the bandwidth before completing the order. Also it needs to be deployed in NY (which would be possibly slow for me in Europe). Finally their isos are somewhat old, the latest Ubuntu they have is 20.04 (which has an EoL next year).

All that being said, 23/year is very cheap for a VPS, and for people in the US that use less than 500GB/month that's the best deal I've ever seen.

TurdMongler ,

There should be more deals when you click add services.

https://lemmy.world/pictrs/image/54f8466e-1f28-42d5-bd32-979ee6c15872.png

https://lemmy.world/pictrs/image/4a1e606e-0cec-4984-9268-c4e79f5f0945.png

Understand on the latency possibly being an issue. I did see they have servers in France now. Maybe you could do some ping tests.

Nibodhika ,

Thanks, I'm checking that out, but can't find any "add services" button. Alsp someone mentioned IONOS, which is local to me and doesn't seem to have bandwidth limits... I was trying to find the poop and they require lots of personal info just to get the account setup, still a bit torn there.

maiskanzler ,

I am using the smallest tier VPS from IONOS for 1€/month. Good, reliable and trustworthy as it is a subsidiary of 1&1 telecommunications.

madasi ,

Does this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?

I've been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.

EncryptKeeper ,

I have a similar setup and I just have the reverse proxy on the VPS. It then proxies back to the home server on whatever port the service is on. And yes you can forward the original client IP if you wish.

maiskanzler ,

Yes, I do loose the origin IP and I'm a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That's totally my personal preference though.

I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It's by design much easier for them to do statistics or snooping.

Perhyte , (edited )

It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware.

For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.

This StackOverflow thread shows how to set that up for a few different reverse proxies.

maiskanzler ,

Nice, thank you!

towerful ,

You can do reverse proxy on the VPS and use SNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
This way, you don't have to terminate HTTPS on the VPS, and you can load balance between a couple wireguard peers so you have redundancy (or direct them to different reverse proxies or whatever).
On your home servers, you will need an additional frontend(s) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren't standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
This way, your home reverse proxy knows the original IP and can attach it to the decrypted http requests as x-forward-for. Or you can do ACLs based on original client IP. Or whatever.

I haven't found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven't found that to really be an issue. I don't really have a use case

maiskanzler ,

Oh neat! That looks like a perfect fit for me! I saved your post and will come back to it once the biyearly "just f*ing fo it again" motivation hits me once more :D

lucky18391 ,

I also have a similar setup to maiskanzler. But I use iptables to forward the traffic over wireguard and I am able to preserve the original client IP by not snat the packets. I then have to use policy based routing to make sure that traffick goes back out through the wg tunnel.

I'm happy to share info on how to get this working.

MigratingtoLemmy ,

I'd like a blog please

madasi ,

I'd certainly be interested in full details. This sounds like the best of all worlds of not needing to double reverse proxy, not hardcoding internal IPs in the config of a single reverse proxy on the VPS, and not losing the source IP.

sntx ,

Please tell ^^

lucky18391 ,

I'm not sure what the best way to share this info is. I'd love to write up a blog but not sure how long that would take. I suppose I could just share the wireguard configs here as they include the iptable commands. Will do that tonight when I get a chance.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

It depends on how you set it up

SeeJayEmm ,
@SeeJayEmm@lemmy.procrastinati.org avatar

Enough people have already commented on the "proxy at the vps solution". Another option is to configure routing and nat on the VPS and have it route over the wg tunnel.

Requires you to have postup/predown scripts that modify your routing tables on the wg endpoint.

HaleHirsute ,

That’s a good setup.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

This is the right answer

scrchngwsl ,

Same here. Works great, incredibly cheap too.

KingThrillgore ,
@KingThrillgore@lemmy.ml avatar

I mean, I used to think Google Public DNS was great until I switched to 1.1.1.1...

Kuvwert OP ,

What benefits are you having from switching?

Sunny ,
@Sunny@slrpnk.net avatar

Commenting as I am curious about this too!

KingThrillgore ,
@KingThrillgore@lemmy.ml avatar

1.1.1.1 responds crazy fast compared to anything else i've used. I really just wanted off Google (and before them OpenDNS). That's about it.

Fuzzypyro ,

If you like 1.1.1.1 the. You should try 9.9.9.9. Or better yet host unbound pihole if you’re up to the challenge. Best dns experience I’ve had.

Andromxda ,
@Andromxda@lemmy.dbzer0.com avatar

If you use 9.9.9.9, you should try Mullvad DNS (with adblocking) or AdGuard Public DNS

Manalith ,

Since we're all throwing out DNS options, I'll toss in NextDNS

KingThrillgore ,
@KingThrillgore@lemmy.ml avatar

I already use pihole, but with cloudflared as the upstream. What benefits does unbound offer besides improved security?

MigratingtoLemmy ,

It's actually better privacy since it talks directly to the root servers instead of cloudflare knowing all of your DNS traffic. Quad9 is a good alternative with better data policies

IHawkMike ,

So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)

I'll trust Cloudflare over Comcast/AT&T/etc. any day of the week.

MigratingtoLemmy ,

You can run a VPN and tunnel your outbound DNS queries over that. Heck, you could tunnel your DNS queries over TOR

girsaysdoom ,

It looks like Quad9 supports DoH: quad9

maxwellfire ,

Your ISP knows where you're going anyway. They don't need DNS for that. They see all the traffic.

MigratingtoLemmy ,

You might want to study more about SNI. Your ISP knows anyway

IHawkMike ,

I know plenty account SNI already, but thanks. You might want to study more yourself, since we're being condescending.

https://blog.cloudflare.com/encrypted-sni/

MigratingtoLemmy ,

Well, running your own DNS server will also give you eSNI. And Cloudflare still doesn't know anything

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

9.9.9.9

Andromxda ,
@Andromxda@lemmy.dbzer0.com avatar

I prefer Tailscale Funnel for these kinds of things. NetBird and ZeroTier also work just fine if you don't want to expose your services to the public.

Kuvwert OP ,

Tailscale is so cool too. I'll definitely be switching if I can ever use my own domains

sorter_plainview ,

Actually you can.... I do that with my setup. Just point your domain to the new ip assigned by tailscale to your server. Thats all. Recently they started supporting the https certificate also.. Even though it's not needed, for internal only communication.

PlexSheep ,

You can set A DNS entries without wildcard in the configs (with head scale at least), just use their magic DNS thing that works with hostnames or just self host DNS and tell your tailnet to use that.

kylian0087 ,

I looked at headscale but as far as I can tell their is no active directory or SSO integration. Which is very unfortunate.

tux7350 ,

Good news, they support OIDC! Haven't tested it myself so your mileage may vary.

https://headscale.net/oidc/#basic-configuration

Mio ,

Just stop supporting the biggest actor in the market.

matcha_addict ,

That's just a bandaid on capitalism's issues. Urging people not to support the biggest actor will never work in the grand scheme of things, when said actor provides their best immediate interests.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

DIY your own Cloudflare

nutbutter ,

I have written a small blog post about how to Bypass CGNAT, and have also mentioned why you should not use Cloudflare if you are hosting for privacy.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • selfhosted@lemmy.world
  • test
  • worldmews
  • mews
  • All magazines
    •