Hello,
Some time ago, I started self-hosting applications, but only on my local network. So far, it’s working fine, but I can’t access them as soon as I go outside (which is completely normal).
For the past few days I’ve been looking for a relatively secure way of accessing my applications from outside.
I don’t need anyone but myself to have access to my applications, so from what I’ve understood, it’s not necessarily useful to set up a reverse-proxy in that case and it would be simpler to set up a VPN.
From what I’ve seen, Wireguard seems to be a good option. At first glance, I’d have to install it on the machine containing my applications, port-forward the Wireguard listening port and configure my other devices to access this machine through Wireguard
However, I don’t have enough hindsight to know whether this is a sufficient layer of security to at least prevent bots from accessing my data or compromising my machine.
I’ve also seen Wireguard-based solutions like Tailscale or Netbird that seem to make configuration easier, but I have a hard time knowing if it would really be useful in my case (and I don’t really get what else they are doing despite simplifying the setup).
Do you have any opinions on this? Are there any obvious security holes in what I’ve said? Is setting up a VPN really the solution in my case?
Thanks in advance for your answers!
https://github.com/wg-easy/wg-easy
WG-Easy to run Wireguard
Tailscale is easier than Wireguard but if you’re running OPNsense or OpenWRT it’s not hard to do a wireguard infra of your own and avoid having to use an outside service. I ended up having to revert to wireguard anyway because Tailscale’s android app wasn’t reliable on my new phone, it would drop out every few hours which messed up my monitor/alert system.
But Tailscale is still the easier of the two solutions.
If your traffic is pretty low, rent a VPS for $5/month or whatever and set up a Wireguard server on it, have your devices maintain a connection to it (search keepalive for Wireguard), and set up HAProxy to do SNI-based routing for your various subdomains to the appropriate device.
Benefits:
- you control everything, so switching to a new provider is as simple as copying configs instead of reconfiguring everything
- most VPN companies only route traffic going out, not in; you can probably find one that does, but it probably costs more than the DIY option
- easy to share with others, just give a URL
Downsides:
- more complicated to configure
- bandwidth limitations
If you only need access on devices you control, something like Tailscale could work.
Benefits:
- very simple setup - Tailscale supports a ton of things
- potentially free, depending on your needs
Downsides:
- no public access, so you’d need to configure every device that wants to access it
- you don’t control it, so if Tailscale goes evil, you’d need to change everything
I did the first and it works well.
Run WireGuard on some home machine. (Does not need to be the machine the app you want to access is hosted on.)
Run WireGuard on your road warrior system.
There is no step 3.
I’m doing this right now from halfway around the world from my house and it’s been great. Been using iPhone, iPad, and macOS clients connected to linuxserver/WireGuard docker container. Been doing this on many WiFi networks and 5G, no difference.
I use Wireguard via PiVPN and it’s pretty much foolproof. I don’t bother with Dynamic DNS but have in the past
Is wire guard a service you pay for? Otherwise how does wire guard in your home machine not need your router to forward ports to it? And then the remote client need to be pointed at your home’s external IP?
WireGuard is free. Obviously my instructions didn’t go into detail about specifically how to set everything up. Port forwarding is required. Knowing your servers external IP address is required. You also need electricity, an ISP subscription, a home server (preferably running Linux), so on and so forth. This is /c/selfhosted after all.
Apologies for the dumb noob question, but if your iOS device is VPNed to your home server, how does it access the open internet? Does it do this via the VPN?
Depends on the client configuration. If you route all the traffic through vpn (so, simplyfied, 0.0.0.0/0) then all their client device network traffic would go through their vpn server at home and is seen as coming from there; otherwise, if you only route specific addressess (like your home network private addressess only) then only those go to their home network and everything else works like it would without a vpn.
1 pangolin 2 whatever is already on your router 3 wireguard
Pangolin also does RP with traefik so it’s a win win
Tailscale. You don’t need to open up ports + you can set up exit nodes, which are useful if you’re sailing the seven seas.
Wireguard is the way to go. I like using wg-easy to use wireguard because its easy to set up in a docker container.
Agree, highly recommend this and/or Tailscale.
Double-pro. Running wireguard on docker assures that a native wireguard install won’t conflict with docker. Keep those iptables in the same place.
I thought I would be the only one to try this. Would you share more details on your setup? I am interested because to me Wireguard is in the kernel so how could it be in a container.
Oh yeah. https://hub.docker.com/r/linuxserver/wireguard
Basically, docker can and does create network devices. It’s as easy for it to create wg0’s as it is to create networks for your docker containers. If you’re going to run wireguard and docker, you’re better off to let docker handle the network routing and just run one of the various containers out there, that one is more general. You can run it client or server. Wg-easy I believe is server-only, or even hide it inside other containers like docker-qbittorrent-wireguard, where it just hangs out and connects to whatever .conf you give it.
Zero tier. I went tailscale originally, and they’re good, but their mdns support doesn’t exist and several services rely on it. (For me, the showstopper was time machine backups)
I like zerotier over wireguard because it’s one layer lower. So anything that uses Ethernet frames can be routed over it like it was a network switch plugged into your computer. This is probably why mdns works.
To you test public WiFi with ZeroTier at all?
I ask because there’s a few public networks where WG won’t connect and I’m trying to find ways around it. I could always use cell data but this is more fun to me.
-
Mullvad
-
Mullvad
-
Mullvad.
I’m guessing you are talking about port forwarding with Mullvad but they no longer support it https://mullvad.net/en/blog/removing-the-support-for-forwarded-ports
No I am talking about creating a secure tunnel.
How?
Secure tunneling.
-
Simple and fast solution is tailscale. tailscale is a business, but it works well
Personally i use opnsense and wireguard
My Asus router has a a few nice ones
This is a pointless comment. You don’t even tell us what model router you’re running…
You got two options which I’ve tried -
- A solution like tailscale or zerotier. Simple setup, easy to turn on and just go. Tailscale is newer and has a nicer interface and features like using an actual VPN like Mullvad as an “endpoint” (or whatever they call it). Their Mullvad connection also basically gives you a discount as they charge only $5 for the vpn instead of €5. The catch is that Mullvad charges you that price for 5 devices. So if a sixth device connects to the VPN through tailscale, you get charged $10 for that month.
- A cloudflare tunnel with zero trust on top. More work to setup. But makes it easy to access your apps without any vpn. They’re basically exposed to the internet at that point, but locked in behind cloudflare’s authentication. You can literally set it up for one or two email IDs. Yours and a family member’s. Much simpler for others to wrap their heads around. But some people dislike cloudflare for some reason or the other.
Also a beginner here, I use Tailscale, and it’s been a very easy setup!
Tailscale is very tempting, on one hand it should provide a pretty good layer of security without too much thinking and it is “free”, and on another hand, it’s a business solution, so it is probably not really free…
Thanks for the answer anyway confirming that Tailscale is pretty easy to setup !
The tailscale clients are, I believe, open source. It’s just the server that’s not, and you can run the unofficial but well supported “headscale” as a server if you want. But this requires you to run this somewhere publicly accessible, like a VPS, for coordination and NAT-punching purposes.
But! I’m pretty sure as the business operates right now, that tailscale doesn’t have access to the actual data connections or anything, it’s all encrypted, they’re basically just there for simplicity and coordination. And their business model is to offer simple things for free, like small numbers of devices, with the hope that you like the service and convince your business to pay for the fancy version for money. So I don’t think it’s quite as bad as the typical “free because I’m harvesting your data” models.
That all having been said, I run headscale 😛
Headscale is an open source implementation of the Tailscale control server.
https://github.com/juanfont/headscale
Not an endorsement as I haven’t used it (I do use Tailscale), but just thought I’d point it out.
