24
submitted 2 weeks ago by M600@lemmy.world to c/selfhosted@lemmy.world

I have a small homelab that is not open to the internet. I am considering the following setup. Please let me know if there are any glaring issues or if I am over complicating things.

  • I want to setup a reverse proxy in the cloud that will also act as a certificate authority. (I want to limit who can access the server to a small group of people.)

  • I will setup a vpn from a raspberry pi in my home to the reverse proxy in the cloud.

  • The traffic will pass from the raspberry pi vpn to my homelab.

I am not sure if I need the raspberry pi. I like the cloud as the reverse proxy as I do not have a static IP. I would just get a cheap vps from hetzner or something like that.

top 22 comments
sorted by: hot top controversial new old
[-] jbloggs777@discuss.tchncs.de 10 points 2 weeks ago

How will running a CA limit access? eg. Do you want to do client side cert validation? That sounds like an overcomplication. Also not ideal to run a CA (have signing keys) on the proxy server.

[-] M600@lemmy.world 1 points 2 weeks ago

Essentially? I don’t want people to share passwords or login at a friends house and forget to logout.

[-] curbstickle@lemmy.dbzer0.com 5 points 2 weeks ago

You could use Authelia with MFA, avoid the CA.

[-] M600@lemmy.world 2 points 2 weeks ago
[-] curbstickle@lemmy.dbzer0.com 2 points 2 weeks ago

No worries, hope it works out for you!

[-] grehund@lemmy.world 8 points 2 weeks ago

Have you considered other approaches, such as Tailscale or Cloudflare Tunnels? I think you’re complicating things.

[-] M600@lemmy.world 2 points 2 weeks ago

I’m not very familiar with either option. I’ll look into both of them. I think cloudflare tunnels have bandwidth limits though and I’ll be hosting jellyfin, so it might eat through the bandwidth quickly.

[-] harsh3466@lemmy.ml 5 points 2 weeks ago

You can deal with the non-static IP by using duckdns.org

[-] sugar_in_your_tea@sh.itjust.works 1 points 2 weeks ago

Doesn't work if you're behind CGNAT (which I am), unfortunately.

To tell, if your public IP matches what your router/modem reports as its WAN IP, you might be golden. If that's the case, try messing w/ port forwards on your router to see what the ISP lets through. If it's not the case, you're behind CGNAT and either need to pay your ISP ($5-10 usually) or use a VPS. I'm behind CGNAT, so I went for the VPS because it's the same price and I find more value in that vs a publicly routable address.

[-] harsh3466@lemmy.ml 1 points 2 weeks ago

Ah. Yeah. I think then you'll want to look into cloudflare tunnels. I believe that should get you through the cgnt and deal with the dynamic IP ll in one go.

[-] sugar_in_your_tea@sh.itjust.works 3 points 2 weeks ago

Yup, cloudflare should work.

I personally set up a VPS w/ a WireGuard tunnel, with a reverse proxy at the VPS that sends traffic to connected WireGuard clients. My exact setup is something like this:

  1. VPS w/ HAProxy and WireGuard - routing happens based on SNI
  2. Caddy on homelab to handle TLS trunking
  3. router configured with static DNS routes so I can use public addresses w/o hitting the WAN on my LAN

This could easily be adjusted to only have HAProxy work over the WireGuard interface so there are no public addresses to worry about.

But I used Tailscale for a while to solve this problem, and cloudflare tunnels would work as well. Lots of options to work around stupid ISP policies...

[-] M600@lemmy.world 1 points 2 weeks ago

Thanks! I’ll look into duckdns.

[-] just_another_person@lemmy.world 3 points 2 weeks ago

Well if you don't have a static IP, then your reverse proxy is going to break when your lease changes anyway. Not sure what your intended goal is for access and to what, but this is certainly a more costly and complex setup than needed for whatever it is.

[-] avidamoeba@lemmy.ca 4 points 2 weeks ago* (last edited 2 weeks ago)

The VPN should keep access to the homelab even when the external IP changes. Assuming the VPN connects from the homelab to the cloud. The reverse proxy would use the VPN local IPs to connect to services.

[-] jlh@lemmy.jlh.name 2 points 2 weeks ago

it might be better to skip the cloud server and use cloudflare for dynamic dns. The standardized way to restrict access to websites is with client certificates or a basic authentication (user/pass) proxy. That would help avoid issues with internet traffic passing through the VPN accidentally.

[-] M600@lemmy.world 1 points 2 weeks ago

Thanks! Last time I checked cloudflare had bandwidth limits. My primary uses for it may use a decent amount of bandwidth as I’ll be hosting jellyfin as well as my backup solution.

[-] jlh@lemmy.jlh.name 4 points 2 weeks ago

Should work well for that!

If you use cloudflare for dns only and turn cloudflare proxying off, none of your data or traffic goes to cloudflare's servers. They just act as your dns server, telling your devices what IP to go to.

[-] mhzawadi@lemmy.horwood.cloud 2 points 2 weeks ago

That sounds like a great plan, and a great way to learn how this sort of thing works.

I have a similar setup. I use d.rymcg.tech (a configuration manager for Docker, as well as a collection of open source web services and config templates) and have Traefik (reverse proxy) on a Digital Ocean dropet connected to a VM in my home lab through wireguard. This framework allows me to put authentication and authoriation in front of any apps/services I'm hosting (HTTP basic auth, oauth2, mTLS). This setup allows me to control what is allowed access from outside of my home, without opening any ports.

I should add the d.rymcg.tech includes step-ca if you want to host your own CA server, but I agree with @joe@discuss.tchnic.de : it's not necessary for securely hosting services, and ir can be dangerous I'd not done carefully.

[-] bezoar@lemm.ee 1 points 2 weeks ago

If you use tailscale you can omit the raspberry pi and tunnel directly from the reverse proxy to each server (could do this with wireguard but requires a little more setup). Also you can configure your cloud server as an exit node so that all traffic from your device go through it, sort of as a vpn service. It's not as anonymous as a paid VPN service but at least you bypass the ISP or local wifi provider if you're out and about.

[-] bezoar@lemm.ee 1 points 2 weeks ago

Why downvoted? This is what i do and it works well.

this post was submitted on 17 Oct 2024
24 points (100.0% liked)

Selfhosted

39948 readers
263 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS