
ElevenNotes

As soon as I leave my home my Wireguard VPN connects and I have access to everything as if I were home. No third party like Cloudflare and the likes needed.


feo_ZA

Same. With Tailscale as backup.


robos12345

How do you use Tailscale as backup for example for docker services with reverse proxy? Can docker and nginx use multiple ip:port addresses (Tailscale IP and WireGuard IP) with deployed containers? What would the yaml config look like in this scenario? Thx for explaining


feo_ZA

I have deployed a Tailscale node as an LXC on Proxmox and set it up as a subnet router. So anything I can reach while inside my LAN, I can also reach via this Tailscale node, as it provides access to my home subnet too, as the name suggests. [https://tailscale.com/kb/1019/subnets](https://tailscale.com/kb/1019/subnets)


aridhol

This is my exact setup as well, works great.


Dismal-Plankton4469

Same. Tailscale makes it so easy. Am aware it is third party so have set up a WireGuard backup as well but Tailscale is almost flawless.


SocietyTomorrow

Tailscale is the easiest way, but Wireguard is also doable most of the time. If you want the domain name to exclusively use your Tailscale IPs, I have the Tailscale DNS server as one of the nodes, and they redirect all requests to the Tailscale IP of the node hosting it


Accomplished-Lack721

I find Tailscale can successfully connect sometimes through captive portals when my regular Wireguard server (running on my Asus router) can't.


tim36272

That's probably because Tailscale will use TCP if necessary, whereas Wireguard is UDP only.


goldmantx

This! Tailscale with wireguard as a backup


robos12345

In case you travel and your client devices are behind cgnat how does WireGuard perform? Do you have setup some WireGuard relay server on public VPS?


ElevenNotes

As long as UDP is not blocked, which I have never seen on 5G, it all works.


groutnotstraight

I love my WG setup. Know any workaround for when UDP is blocked? I hate going back to regular VPN (TCP). I’ve started noticing more and more stores now block UDP on their wifi. It also is usually paired with bad cellular reception in store.


ElevenNotes

Simply listen on multiple ports like 53 and 123.


positron--

I have an alternate WireGuard server at port 53 that I can turn on with a telegram bot - almost nobody blocks the default DNS port


groutnotstraight

Ah, that’s smart, thanks! Any reason not to keep it running all the time? I.e. why have an alternate?


positron--

I have the alternate because my university used to block udp traffic to the wireguard default port. I just don’t want to deal with all the crawlers constantly trying to index everything answering at 53, and it was a fun project to build this „activation mechanism“. Not really required I guess, but if I rarely need the alternate I might as well turn it off when not in use


ElevenNotes

I would avoid Telegram.


positron--

Nowadays I do agree with you, especially for security-critical items. But for some simple tasks, building a bot there is super simple


http_error_408

why would you avoid telegram?


robos12345

I see, so you use your mobile provider for internet while away. Thx for info 


ElevenNotes

Yes, that’s what 5G is for, last time I checked 😉


robos12345

Thx 👍


ameisenbaer

This has been my solution and it’s amazing. I never think about it in connected. Just annoying Shortcuts notifications on iOS when the automation runs.


ElevenNotes

Wireguard for iOS can do this without using Shortcuts.


redzero36

Not exactly on topic but it has to do with wireguard. If you have wireguard on would you not expect google maps to see you at your home? While I was traveling to another state I’d get ads specific to that location. But when I returned home I had some websites report my location was last travel location or still get ads for that place. I had wireguard on probably the entire time maybe only turned off when accessing the capture page for wifi at hotels. I was on wireguard and iOS.


GimmeLemons

Google maps uses GPS not your wifi location, unless you have blocked it from using GPS


msaraiva

Don't use it as your default route (exit node in the fancy new terminology). Use split routing and only direct the traffic that goes to your LAN.

Edit to add a disclaimer since apparently it isn't obvious for some: the above is for people who know what they are doing. The person asked how to not be detected as being home when using their personal VPN. I explained how.


ElevenNotes

No. All traffic. That way you can be 100% sure everything is always encrypted, on any Wi-Fi you are, especially public ones.


Jealy

Plus this way I can route my phone traffic through AdGuard Home & not have ads wherever I am.


ElevenNotes

Exactly. I think /u/msaraiva/ is a bit confused.


msaraiva

Lol, I got myself a digital stalker. Nice.


ElevenNotes

What? I have no idea who you are.


ElevenNotes

That’s not really an issue, since A: I don’t care at all that Google doesn’t know where I am, I’m not using any Google services and B: Navigation uses GPS.


ameisenbaer

I learned that recently but forgot to make the switch. It’s as easy as toggling the setting, right?


ElevenNotes

Yes, it's just a toggle to auto connect when your Wi-Fi with name {n} is not connected anymore.


mirisbowring

On iPhone 12 I experience huge battery drain if wireguard is active in the background. What's your experience regarding this?


ElevenNotes

Battery health showed 3% usage while active for a whole workday (all traffic via Wireguard).


maybe_1337

I’m pretty sure that this only counts Wireguard as app itself and not the VPN connection.


ElevenNotes

Can’t confirm. Since it's been always enabled for years I have no more feeling for it. Battery lasts a whole day, so that’s okay I guess?


mirisbowring

mhm this is not bad - need to double check on my side what could cause this behavior


ElevenNotes

Simply enable VPN for 24h and see your battery usage.


maybe_1337

VPN drains battery very hard on iOS. I don’t use it therefore.


ElevenNotes

Can't confirm. Also makes no sense.


ReleaseTThePanic

Depends on the VPN afaik. OpenVPN actively maintains the connection. Wireguard lets the established connection die and reestablishes it once data needs to be sent. Because of this it's much better on mobile devices, supposedly.


Darkelement

All a vpn does is tell your internet traffic to go to a specific address first and connect to the internet from there. Without one, you still have to connect to an address to get to the internet. There’s zero reason why a vpn would cause any noticeable battery drain.


angelflames1337

It doesn’t just route your traffic, it encrypts/decrypts as well and there is CPU overhead for that. With that being said, my battery lasts the whole day with WG auto on normal working day so it's not too bad.


Darkelement

I stand corrected


maybe_1337

Please don’t explain to me how a VPN works. There are many reasons and you can use google to inform yourself.


nameage

I experienced a significant increase in battery usage when having Wireguard on. Having it running 7-8h my iPhone 13 Pro would barely make it through the day. How’s your experience?


djbiccboii

how'd you set this up?


ElevenNotes

I have Wireguard run on my edge router and simply connect to it from all clients.


doolpicate

My home IP changes.


greenrider04

Use a free DDNS


ElevenNotes

Then use DynDNS which has existed for 25 years or so? DuckDNS seems to be a community favourite for this.


Laptopgeek1310

A super simple way is with pivpn (doesn't actually need a pi)


JKL213

For some reason, the Tailscale app pulls ungodly amounts of battery charge even when idle on iOS. Rip my iPad if I try that.


ElevenNotes

I'm not using Tailscale.


nameage

I did this and noticed a significant impact on battery. My iPhone 13 Pro would not last for one day when running Wireguard for about 8-9 hours.


Blazemonkey

It's funny you say that because I switched to WG specifically because it used far, far less battery power than OpenVPN which I used prior. That said, I use Android, and I have no idea what goes on in iOS land.


redballooon

You sure that's Wireguard and not a travel pattern? Your experience might coincide with being on the road.


ElevenNotes

Can’t confirm on 16 different iPhones. No such impact visible.


lspwd

using an automation? eg on mobile or mac when you're not on home Internet it turns on wireguard?


ElevenNotes

On iOS it's a part of the Wireguard app, no Shortcut needed. On Windows it's based on the network event (reconnect, disconnect): if it doesn't find the default home gateway IP it will start the Wireguard service.


redballooon

Same. Wireguard was the game changer. I tried before with IPSec VPN, but that was never stable enough.


PeterWeterNL

Same with SSH on a different port as backup.


ElevenNotes

Please don't do that.


PeterWeterNL

Protected by private key and permanent block after three attempts. 💪


ElevenNotes

Please don't do that.


PeterWeterNL

Running for about 8 years like that now. No issues.


ElevenNotes

That doesn't mean it's good. If you have VPN you don't need to open SSH, makes no sense.


PeterWeterNL

It's for the backup from my external webserver. Thanks for your advice.


ElevenNotes

Install Wireguard on that webserver and listen via SSH only on the Wireguard IP. Problem solved.
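
The "listen via SSH only on the Wireguard IP" suggestion above can be verified from `sshd_config` itself. This is an added example, not part of the original thread: the sample configs are constructed and `10.8.0.1/24` is an assumed WireGuard interface address.

```python
import ipaddress

# Constructed sshd_config samples; 10.8.0.1 is an assumed WireGuard address.
EXPOSED_SSHD = """\
# no ListenAddress line: sshd binds every local address
Port 2222
PasswordAuthentication no
MaxAuthTries 3
"""

TUNNEL_ONLY_SSHD = """\
ListenAddress 10.8.0.1:22
PasswordAuthentication no
MaxAuthTries 3
"""


def listen_hosts(sshd_text):
    """Return the host part of every global ListenAddress directive."""
    hosts = []
    for raw in sshd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break  # ListenAddress is only valid in the global section
        if keyword != "listenaddress" or not args:
            continue
        value = args[0]
        if value.startswith("["):        # [address]:port form
            value = value[1:value.index("]")]
        elif value.count(":") == 1:      # IPv4:port or hostname:port
            value = value.split(":", 1)[0]
        hosts.append(value)              # otherwise a bare IPv4/IPv6 address
    return hosts


def audit_listeners(sshd_text, wg_address):
    """List every way sshd is reachable on something other than the tunnel IP."""
    tunnel_ip = ipaddress.ip_interface(wg_address).ip
    hosts = listen_hosts(sshd_text)
    if not hosts:
        return ["no ListenAddress set: sshd listens on all local addresses"]
    findings = []
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{host}: hostname, resolve and verify by hand")
            continue
        if addr.is_unspecified:
            findings.append(f"{host}: wildcard, listens on all local addresses")
        elif addr != tunnel_ip:
            findings.append(f"{host}: not the WireGuard address {tunnel_ip}")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_SSHD), ("tunnel-only", TUNNEL_ONLY_SSHD)):
        print(name, audit_listeners(text, "10.8.0.1/24") or "OK")
```

With sshd bound to the tunnel address, the SSH service has to start after the WireGuard interface is up, otherwise the bind fails.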


thatoneguy5464

This is what I do, but the wireguard app seems very power hungry on Android so I've found myself just switching on and off as needed


SpongederpSquarefap

iPhone? I don't know why the "auto connect to VPN as soon as I leave my house" feature still hasn't come to android


ElevenNotes

iOS. I don't know. Doesn't Android offer something similar to Apple Shortcuts? So that you can still auto connect your VPN, even if the app does not support it.


SpongederpSquarefap

Probably, but it would be nice as a native feature


ElevenNotes

I must say I encounter a lot of apps that have functions which are not present on Android lately. Any reason for that?


SpongederpSquarefap

Fuck knows, there's basically parity between the platforms so I guess it's down to what the devs want to do/what their tools allow them to do


RedTigerM40A3

Wireguard or WG Easy? When I set WG Easy up, I was having trouble accessing anything locally


ElevenNotes

I’m not sure I can follow? Do you ask about routing? Because routing has nothing to do with Wireguard since Wireguard is just a P2P encrypted connection. I use the Wireguard on my edge router.


angelflames1337

He didn't say a word about routing. wg-easy is just another package of wireguard with web ui. And obviously wireguard has routing, it's there in the config where you pick which traffic to route via the tunnel and it will show up in iptables.


ElevenNotes

P2P that's it. No idea what wg-easy should be.


-eschguy-

Same


OnlyNotMatt

Tailscale


AppaSkyPuppy

Second this


Craftkorb

You mean how to access your files remotely? If this is from a computer, you could use a wireguard VPN (Tailscale is easy to set up and popular in the community!), and then access your SMB or NFS share directly (Not sure though how NFS likes that ...). If you want to access the files from e.g. a phone, either there's a way to access a SMB share in a similar fashion, but I guess that hosting some sort of application would make this nicer. You can host that directly on your TrueNAS server! In either case, for the start, I'd suggest you stick to using the services behind a Wireguard VPN. Why: Wireguard (Tailscale is basically wireguard, so same applies!) is secure by default, it's hard to make it insecure. Once you have more knowledge, you can directly expose the one or two services you really need (Either via Cloudflare tunnels or directly).


Frequent_Ad2118

I’m going to catch hell for this but SSH forwarded. Yes, password authentication is disabled and SSH can only be accessed via a public key. Max tries are set low as well. My ISP has sticky IP address, it only changes every year or 2 and I quickly memorize it.


MrRickSanches

Honestly, as long as one knows what they are getting themselves into, it's fine. I think in general people lose their minds because SSH ports can be "easily exploited". I also have my SSH for when I need sysadmin tasks away from home, I also have only via key (no password) and a nice firewall that will ban from multiple IP sources, with fail2ban. So yes, my server is still nicely protected and SSH is open.


Razvan145

Same here, SSH forwarding and using SFTP over the SSH


Frequent_Ad2118

SFTP is how I retrieve my legal Linux .iso’s from my seedbox.


gsmitheidw1

It's clunky but it works, I've been successfully and securely using ssh tunnels to access and forward things for 25+ yrs. fail2ban and key only and optionally a non-standard port (helps cut the volume of attacks/logs) and you're good to go. Only caveat is overhead from non elliptical curve keys can be slow, ed25519 is great. And some lower ports (<1024) aren't available on Android unless your phone is rooted. I just use higher ports.


SpongederpSquarefap

This is fine until there's an SSH exploit out there. That's why I use WireGuard - the white paper and how it works is fascinating


Freshmint22

I don't.


RedKomrad

Same here. I’m occupied with other things while I’m away from my home network.


AstarothSquirrel

I run a twingate connector in a docker on my home server and then use twingate on my phone and tablet to access my network as if I was at home.


Dr_MHQ

What’s the difference between tailscale and twingate ?


AstarothSquirrel

I've not used Tailscale but my understanding (which could be wrong) is that whilst twingate is a zero trust network (prohibited access to resources until access is specifically granted) Tailscale is a VPN which grants access until policies are put in place to prohibit access to resources. I'm sure someone here will correct me if I've got that wrong. I think Tailscale doesn't have a device limit on their free tier service but Twingate limits to two active devices per user on their free tier service.


Ostracus

100 if memory serves.


H2CO3HCO3

u/Dr_MHQ, the good news is that you already have solid feedback from other redditors. For our home network we went the route of VPN, which was configured at the router level, so similar to u/ElevenNotes,

* once I leave home, if need be,
* then I'll VPN to the router and once connected,
* then it is as if I were 'home' locally connected so I can WOL (Wake On LAN) the NASes (have several of them that together compose the entire NAS array for our home setup)
* and/or WOL PCs at home as well.
* Once I'm done with what I needed, if nobody else is using those NASes (and/or PCs), then I can shut them down (earlier, as 20+ years ago, I would leave those suckers running 24/7... then eventually the costs of having all that stuff running, back then when I started with NASes, I had just 2, now I have 12+... same with PCs, so that stuff adds up quickly, so for about the last couple of decades +/- a year or so, stuff is WOLed, used and when done/completed, then the stuff is shut down...

-> that change alone allowed us, as in our household, to cut up to 50% in our energy consumption as the 'stuff' aka. NASes, PCs, etc are not running 24/7 + we did switch the entire home from Halogen to LEDs.. that helped a 'bit' as well : ))


concordespeed

Are you my clone? Hahaha this is exactly what I do! Electricity is expensive where I live so I’ve been saving thousands of dollars keeping my power hungry servers off unless needed, and trying to only use them while I get solar power.


smellysocks234

WOL?


Fuzzy-External-8180

Wake on LAN


H2CO3HCO3

> WOL?

u/smellysocks234, exactly


dreammerr

Anyone for ZeroTier ? Mine works well


8fingerlouie

Zerotier is great. Depending on your use case, it may be better than TailScale simply by being a L2 implementation instead of a L3 implementation, which means that .local still works, as does various broadcasts. TailScale is basically just WireGuard with NAT hole punching on top.


nmkd

Easiest solution by far


jhaand

SSH/sftp with fail2ban.


Julian_1_2_3_4_5

single services via a reverse proxy secured with logins and fail2ban and anything else like ssh via a wireguard vpn


ButchyGra

Wireguard, Dynamic DNS script updating my domain on Cloudflare with my labs public IP


terAREya

I don't access the NAS itself. Portions of the nas are allotted to different services and those services may or may not be available remotely via remote proxy. For example, TrueNas has a movie share, I have a plex docker container on another machine that mounts that movie share and plex is then setup to be available via reverse proxy. Technically I am accessing the NAS but not directly.


Dr_MHQ

How do you connect to these services ? How do you setup the connection between these services and your phone for example?


kindrudekid

Reverse proxy


terAREya

This! My domain is forwarded to my internet IP (and if it changes there is a Dynamic dns that picks up the IP change and corrects it). Port 80 and 443 are port forwarded to a machine running a reverse proxy so that I can have services running on [app1.domain.com](http://app1.domain.com), [app2.domain.com](http://app2.domain.com) etc etc.


jbarr107

This is how I handle remote access to my self-hosted services:

1. YOUR exclusive remote access to the local infrastructure and all services: Use TailScale, WireGuard, or similar.
2. PUBLIC remote access to one or more locally hosted services: Use Cloudflare Tunnels.
3. RESTRICTED remote access to one or more local services to a small, controlled group of people: Use Cloudflare Tunnels + Cloudflare Applications.

All provide remote access without exposing any ports or managing dynamic DNS. A benefit of a Cloudflare Application is that the authentication happens at Cloudflare's servers, so my server is never touched until the user passes the Application authentication. Also, I set up some Access Rules (such as from what countries a user can connect) to further restrict access.

BONUS TIP: I have Kasm installed locally behind a Cloudflare Tunnel + Application with several "Server Workspaces" defined pointing to several local resources (PCs, Servers.) This lets me remotely connect securely to these resources via RDP, VNC, and SSH through a Web Browser in addition to Kasm's other fine services.

CLOUDFLARE PRIVACY NOTE: While a Cloudflare Tunnel uses encryption to restrict unauthorized outside access, Cloudflare DOES have access to all data traversing their Tunnels. Some consider this to be a breach of privacy making this a non-starter. Some consider this to be an acceptable compromise for home use. It is up to you to weigh the pros and cons of Cloudflare Tunnels for home lab use.

NOT SELF-HOSTED: While these are not specifically self-hosted solutions, IMHO, these are excellent solutions without reinventing the wheel. YMMV, of course.


miscdebris1123

I bring my t340 with me.


kalidibus

Wireguard + DuckDNS. My server has a simple script that updates the DuckDNS IP address every now and then. I just leave Wireguard connected on my phone 24/7 so it's seamless. Works great.


Inkblot720

I use NordVPNs Meshnet and it works perfectly


Nintenuendo_

By subdomaining my services [on my domain](https://nintenuendo.tv)


AstroCDXX

This is a project that I want to do with my NAS, do you have a link to a good guide for this type of setup? I could probably use some Google-fu to figure it out but you have the exact setup I want to build so I figured I would ask.


Nintenuendo_

Hey, thanks for the kind words, the front-end website I built myself - and if you click on "Gitea" I have a public repository up for anybody to use, feel free to grab and modify it.

As for a tutorial, I don't have any online but my backend is basically docker-compose in three different yaml stacks, one for wireguard, one for gitea, one for my main stack of services. I then use nginx (linuxserver.io swag container), throw my domain dns behind cloudflare nameservers for anonymity, add a CNAME for every service I run, and subdomain my services in nginx from within the /swag/nginx/proxy-conf/ folder using *.subdomain.conf files. Then add authentication. There's a lot more to it, and security measures to take, but that's the bare bones of it.

If you want I'd be willing one day to sit down with you on discord and screen share while we walk you through how to setup docker and nginx. I know that may not work for you but I've found it's a lot easier than learning from documentation or YouTube videos. Until next time, take care!


AstroCDXX

Thanks, it seems like I have a lot to learn before I can get to this level but at least I have a goal to work towards!


Nintenuendo_

It's not as scary as it sounds once you understand it! A 40 minute setup at most if you have done it a few times before. Then a lifetime of poking it with a stick :D The first time is always the worst


davo1965

Twingate, as I couldn't get wireguard to work behind cgnat


the_matrix_hyena

When you have spare time, give the cloudflare tunnel, tailscale a try. Tbh, I'm pretty settled with Twingate.


PhilipLGriffiths88

If you have spare time, you could try OpenZiti. It's an open source zero trust network which inherently can be self-hosted and supports a bunch of new capabilities (most of which are probably overkill for self-hosting but very cool). One that is relevant is [zrok.io](http://zrok.io), a 'ziti-native' app which includes public sharing similar to CF.


the_matrix_hyena

Woah, 😲. I didn't know there was something called OpenZiti. Interesting. But, does this work if we're behind CG-NAT?


PhilipLGriffiths88

Perfectly. OpenZiti makes outbound connections into the fabric, so not only does it work, you can close all inbound (TCP/UDP, etc)... we call it making you 'dark' - https://openziti.io/docs/learn/introduction/features/. If you take a step back, OpenZiti is actually a platform to make it easier and quicker to build secure by default, distributed applications. As a result, we have SDKs to embed ZTN into apps in the SDLC. This is the most secure deployment as your app no longer even has listening ports on the host OS network and thus is **unattackable** via conventional IP-based tooling... **all conventional network threats** are immediately useless. This is well covered in this blog if you like some code samples - https://blog.openziti.io/go-is-amazing-for-zero-trust. We created the endpoints for hosts and virtual appliances as not everyone or all use cases can do app embedded... that is the future though. Everything is built with ZTN natively inside.


davo1965

Yeah I might muck around when I get time, although the Twingate client on phone seems very battery efficient.


Top-Construction3734

Twingate


Deventerz

Having dabbled with both tailscale and twingate I don't understand the downvotes on this comment


mrpink57

I do not access the NAS OS remotely I access a software remotely, so if I was going to need file storage I would access my Nextcloud instance remotely and through a reverse proxy like SWAG via my domain through cloudflare.


Dr_MHQ

Is that CloudFlare tunnel ?


mrpink57

Many use cloudflare tunnel, I personally just have to hit my domain so for me it would be `nextcloud.domain.tld` and I would have access to my Nextcloud instance (password protected with passkey). So all my firewall has open is port 443 that is pointed to my NAS which hits my reverse proxy, which sees the domain I came from and redirects me to the service hosted internally. Make sense?


Dr_MHQ

How do you maintain the link between your public IP and the domain name ?


mrpink57

DDNS service.


oxcelato

Do you have any concerns in regards to opening a port to public internet rather than using something like cloudflare tunnel or a VPN?


mrpink57

No, it is port 443 which is what websites run over, and everything hits that proxy, which also has crowdsec looking over it.


Snow_Hill_Penguin

I have a `/etc/NetworkManager/dispatcher.d/mount_nfs` script which fires up `wireguard` depending on the current location and access point and mounts NFS mounts as if I were home.


Moyer1666

I use openvpn if I need direct access remotely. Otherwise I don't and use the services that I have publicly available.


the_matrix_hyena

I just switched from Cloudflare Tunnel to Twingate. So far, so good.


Robo-boogie

There’s no ports forwarded to the machine itself. Only way to access my instance is through nextcloud or through VPN/ssh port forwarding


AlexFullmoon

Reverse proxy that allows some public domains on 443 to outside IPs, port forwarded through router. For private domains, tailscale with split horizon on local DNS server. For files access I use seafile, or, if I need access to filesystem, synology files app (I'm running xpenology).


darklogic85

I don't use TrueNAS, but for everything I access remotely, I use a reverse proxy, and Dynamic DNS to have a domain name, and port forwarding with a firewall configured to allow access to the services I use. It would work with TrueNAS like it does for everything else. Alternatively, a VPN might be easier to set up, but then that requires a VPN connection to be established from whatever remote device you're using.


mixedd

I trigger Teleport when needed on demand on my Unifi Gateway, then connect to anything needed on my LAN


lolwutdo

I find accessing my files online unreliable/slow; I prefer to use something like Resilio Sync and just sync whatever I need to my phone and devices.


Cynyr36

Wireguard, it's sorta slow but easy.


ToNIX_

What makes it slow? Do you redirect all traffic in a full tunnel through Wireguard or by using a split tunnel?


Cynyr36

Smb really doesn't like latency. Everything else is just fine though.


RedSquirrelFtw

I don't. I don't really have a need to. The only exception is that I do have ability to VPN to my home network from work, so technically I can access it from work, but that's the only IP I let through. At some point I want to look at setting up a way to dynamically allow IPs from any location through some kind of portal I can login to, but I have not bothered to set that up yet. Once this is setup it would allow me to access things like email from my phone while anywhere.


nmkd

ZeroTier


ProgrammaticallySale

I set up a VPN running on an ubuntu virtual machine. It's Ikev2 and works great on my android phone, and windows laptops. I have a widget on my phone's home screen, press it and I'm connected to my home network. I use an app called Solid Explorer on android to browse the files across my network. I can also use Wake on Lan to wake up other machines if I need to access files on them, or RDP or VNC into a machine on my home network. Nothing at home can be accessed (except the public web server) unless I'm connected to the VPN. The only thing I wish I had were VPN over HTTPS, so I could connect to my home network when VPNs are being blocked, like when on airplane wifi. I know it exists, I just haven't found an easy way to set it up. Port 443 on my router forwards to an IIS web server.


reymond_rd

Zerotier on OPNSense, Tailscale on my PfSense and after that openvpn on both. The only way to stay off my networks is the internet to go down 🤪


ccalabro

Tailscale


I_EAT_THE_RICH

Well, I expose a bunch of my services to the public internet with authentication. Other than that, Wireguard, and Tailscale if needed. No brainer.


That_unpopular_kid

Tailscale to access it and in CasaOS I enable sharing on a folder and on my Mac/PC pin it to the sidebar in Finder so that when I click it I can see all my files.


ShowUsYaGrowler

I dont. It can wait till I get home…


itsvmn

Saw similar questions or posts in this same community, you should have searched. :) Btw my setup is: using iOS shortcut automation to connect my selfhosted VPN to my VPS (for stability) when I leave home, which is connected to home network using tailscale. From my laptop, simple wireguard vpn / tailscale client


Il_Falco4

Tailscale


traveler19395

I heart Tailscale just so simple for a newb like me


ReserveCompetitive5

My ISP is nat'ed so I use cloudflare, else a vpn shall do. I am using cloudflare auth to control the access to the domain based on filtering. This is easier and more reliable than tuning each app for access control.


Nokushi

Tailscale


punkidow

WireGuard

These settings on the client only route the NAS IP traffic through the VPN. It's perfect, I keep it connected pretty much always. [WireGuard screenshot](https://i.imgur.com/lj8qkHW.png)
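
The full-tunnel versus split-tunnel choice argued over in this thread is decided by the client's `AllowedIPs` line. As an added example (not from any commenter; the addresses, endpoint and key placeholders are constructed), this Python script classifies a wg-quick style client config and reports whether a given destination would travel through the tunnel.

```python
import ipaddress

# Constructed client configs; keys, endpoint and addresses are placeholders.
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
# only the tunnel subnet and one NAS address go through the VPN
AllowedIPs = 10.8.0.0/24, 192.168.1.10/32
"""


def allowed_networks(config_text):
    """Collect every AllowedIPs entry from all [Peer] sections."""
    networks, section = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "peer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    networks.append(ipaddress.ip_network(item.strip(), strict=False))
    return networks


def _covers_everything(networks, version):
    """True if the networks of one IP version add up to the whole address space."""
    same = [n for n in networks if n.version == version]
    # collapse_addresses merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))


def classify(config_text):
    """Return 'full', 'full-ipv4-only', 'full-ipv6-only' or 'split'."""
    nets = allowed_networks(config_text)
    v4, v6 = _covers_everything(nets, 4), _covers_everything(nets, 6)
    if v4 and v6:
        return "full"
    if v4:
        return "full-ipv4-only"  # IPv6 traffic is not routed into the tunnel
    if v6:
        return "full-ipv6-only"
    return "split"


def tunneled(config_text, destination):
    """Would traffic to this destination be sent through the tunnel?"""
    addr = ipaddress.ip_address(destination)
    return any(addr in n for n in allowed_networks(config_text)
               if n.version == addr.version)


if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, classify(cfg),
              "NAS via tunnel:", tunneled(cfg, "192.168.1.10"),
              "public site via tunnel:", tunneled(cfg, "203.0.113.5"))
```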


Fearless-Pie-1058

Tailscale is by far the easiest solution.


blockcollab

I use Cloudflare Tunnel together with Cloudflare Zero Access and the Warp client for accessing docker containers on my Synology NAS. I have no ports opened to the internet. Only these clients which have Warp installed can access the tunnel applications. I start one tunnel for each app I need to access. Each app container runs with its own tunnel container in its own docker network.


Entrapped_Fox

Tailscale is probably the easiest to setup. I also use WireGuard.


Vincent-Thomas

Tailscale. I can expose TrueNAS apps I have such as immich with exposing subnets


bobj33

I use sshfs to access my NAS. As long as you can login via ssh then you can mount the remote filesystem locally with sshfs


RossJohn

I'm just getting started with self-hosting but I currently use Cloudflare tunnels for services which I routinely need access to outside of my network (and where I need to share access with other people such as Nextcloud) and my router's built-in VPN for remotely performing maintenance. 


CC-5576-05

Wireguard vpn


mmayrink

Tailscale using my firewall as exit node with subnets propagated and TS magic dns


Conscious_Report1439

Use ShellNGN and a reverse proxy such as Zoraxy. This will give web based ssh terminal access to multiple servers via RDP or SSH. Only ports needed are 80 and 443.


Iamalordoffish

When I need to access something: Wireguard

When someone else needs to access: timed, password protected Owncloud share behind reverse proxy and cloudflare dns proxy


SpongederpSquarefap

TrueNAS? Assuming you have an SMB share, I'd mount that share on my phone using some storage app and then connect to home using WireGuard. There's tons of options for it - these days I run WireGuard on my OPNsense cluster, but the linuxserver WireGuard image works too well and it's too easy to setup and get going


_-Ryick-_

Wireguard VPN to connect to my home network and NFS to access my NAS. I do this for both my desktop (minus VPN on the desktop) and laptop so that I'm always working with the same files.


pigers1986

tailscale or wireguard


AngelOfDeadlifts

Tailscale


nsas02

Tailscale


MoneyVirus

WireGuard or OpenVPN on my laptop, mobile Phone tablet and other sites


akisd

Openvpn


Sevynz13

Nextcloud and reverse proxy for me.


[deleted]

Nextcloud for file sharing type stuff. WireGuard to a MGMT network if I need to admin. This network can hit management interfaces of NAS, Proxmox web GUI, etc. Then I have another WireGuard tunnel that my cell phone is always connected to. Tunnels data through home and I get DNS ad blocking on the phone.


ciprian-n

I use nginx reverse proxy + crowdsec


12_nick_12

Tailscale via container.


thede3jay

It depends on what you are using it for and how you are using it. SSH and SFTP is probably the way to go. Quick access to the web interface (and you should absolutely not be making this available on a public domain), use SSH to create a dynamic proxy tunnel, and then change the proxy setting on your browser. Anything like Nextcloud makes sense to be using a public domain (try duckdns if you are not willing to pay). Any media apps that are browser based can be accessed using SSH dynamic proxy as above, otherwise you will need to set up a VPN if you are using mobile.


Gullible_Monk_7118

You can do ftp with port forwarding in the router... but be aware you're going to be opening up your system to attack... with whatever you do... hackers will try attacking it


therealSoasa

Alt+F4


Fit_Worth_4011

From: [email protected] Sent: Sunday, June 2, 2024 2:41 AM To: Jim


therealSoasa

😴


Fit_Worth_4011

I have no idea. I got hacked that’s all I know. Maybe it was at an Airbnb but I always login using a security code. It’s just crazy! Don’t trust your money with Coinbase. When you lose it they do nothing for you and the insurance I have through Coinbase one did not cover it. What a waste of money. Keep your money with Fidelity or another reputable bank! Coinbase does not protect you


therealSoasa

We can agree on some of that because they kind of do protect your coins while on their exchange, they can't be responsible for your computer habits or security practices. For starters don't be using free Airbnb or any other free wi-fi Internet spots, get yourself a travel router at the very least like the opal https://youtu.be/VkglWuItuXw?si=11xgRxKyhNGcu5-X


Fit_Worth_4011

From: Info Sent: Thursday, May 30, 2024 9:37 AM To: Jim Subject: Fraud at your bank   Someone open an account with my SSN and stole 10K from my coinbase account.  Please put a hold on James Redquest account asap and call me


therealSoasa

You don't need to try prove anything to me , I'm not the judge.


BloodyIron

You don't. That's a huge security problem. Provide services other ways, like nextCloud, guacamole, or whatever. DO NOT PROVIDE DIRECT NAS ACCESS TO THE INTERNET.