Two VPNs?
from jobbies@lemmy.zip to selfhosted@lemmy.world on 06 Aug 20:15
https://lemmy.zip/post/45680353
from jobbies@lemmy.zip to selfhosted@lemmy.world on 06 Aug 20:15
https://lemmy.zip/post/45680353
Am a bit new to all this so apologies if terminology etc isn’t correct.
I have my server with apps in docker containers. I have gluetun set-up and working, serving an internet connection to the rest of the containers.
I’m thinking about going down the Tailscale route so that I can use the apps when I’m away from home - haven’t needed to so far but its nice to have the option.
For that to work I think I’ll need two VPN connections - one to extend the LAN away from the house, the other to provide internet access.
If so, how the hell do I go about setting that up? Can I do this with Gluetun or do I need something else?
Any wise words or links to set-up guides would be much appreciated.
threaded - newest
I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.
Note the networks below, vpn_net allows it to talk to the gluetun network which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non vpn stuff connects to that network when it comes up
nginx: image: nginx:1.25.4-alpine-slim container_name: nginx restart: always volumes: - /etc/letsencrypt/:/etc/letsencrypt/ - ./nginx/nginx.conf:/etc/nginx/nginx - ./nginx/conf/:/etc/nginx/conf.d/:ro - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro - /var/log/nginx:/var/log/nginx/ - ./www/html/:/var/www/html/:ro - ./content/Movies:/var/www/media/Movies:ro - ./content/Shows:/var/www/media/Shows:ro ports: - 443:443 security_opt: - no-new-privileges networks: - reverse-proxy_service1 - reverse-proxy_serviceN - vpn-stack_vpn-net depends_on: - service1 - serviceNAhh. Of course. I don’t know why I hadn’t thought of that.
Should I consider deploying a reverse proxy? I hear that setting one up can be painful.
I notice you have multiple reverse-proxy services under ‘networks’ - do you set up a separate network for each service?
I wouldn’t say setting up a reverse proxy (to your home LAN) is painful. Its just generally Ill advised. Its painful if compromised.
Well i have the rp as i only want one port exposed. I have separate networks per service too to isolate things. Only the things that need to talk to each other can.
My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.
In your case it might be different , but generally a reverse proxy is better as you can have a single point of access to secure and you are not exposing all of your ports to the host or the internet.
Nginx proxy manager is easy to use. It has a nice gui. Caddy is incredibly simple after installing. It just has no gui. It cam’t be simpler than caddy, just 3 lines.
If you’re using stuff like torrent clients, you can bind just those containers to gluetun. I recommend doing that instead of all of them. And then yeah the VPN server on the host.
It should work, but you may need to fiddle with routing.
I don’t use tailscale or gluetun. They’re probably good options I just wasn’t aware of them when I was setting up and what I’m doing now has worked great for years.
My home server has 4 containers you’re interested in:
wireguard_out
this is a wireguard instance which is connected to a mullvad server on a paid subscription.
For any containers I want to “use this vpn” I just attach them to this container’s stack. it’s one of the
networkoptions in docker. Notably these containers include qbittorrent and squid (below).Wireguard configurations look unapproachable at first but it’s one of those things where messing around with it for an hour or so will serve you well for a lifetime. There’s not heaps more to learn. LLMs are great at writing wireguard configurations.
squid
This is a http proxy attached to the wireguard_out stack. You didn’t ask about this and may not need it but I’ve found it super useful.
One of the private torrent trackers I use will only let your torrent client connect to the tracker from the same IP address you used to download the torrent file - so when browsing their website you need to use the vpn connection. Using squid makes this really easy.
In firefox (librewolf) I have foxyproxy addon which allows you to specify a proxy to use for specific urls. So when I navigate to mytracker.com firefox automatically routes the connection through squid > wireguard > mullvad on my server.
wireguard_in
This handles my “road warrior” set up so I can access services on my home server while I’m away.
This container has a separate docker network to most of my other containers, in the ip subnet 10.0.2.0/24.
traefik
this is a reverse proxy
it’s on the same network as wireguard_in with the ip address 10.0.2.2
I’ve configured a public dns “A” record *.home.mydomain.com to point to 10.0.2.2, the private ip address.
The configurations I use for the wireguard connections on my phone or other devices only route requests for this subnet through the wireguard connection. so if I’m away from home and my phone requests lemmy.world that goes through the public network, but if I request photon.home.mydomain.com that goes through my vpn. This way you don’t need to turn off / on the wireguard connection.
I use file based configurations for traefik. It can do docker label configurations but they’re just awful IMO. The yaml configurations are much more readable and manageable.
As an aside, you can replicate this structure many times on one host. I have several incoming wireguard networks for different purposes. You configure the traefik container to sit across all the networks, like a spider at the centre of a web.
Is your setup such that when you are not at home, traffic routed to your wireguard_in network reaches out to the Internet through wireguard_out? Idea being your mobile devices effectively use the same mullvad connection they would if you were at home.
It’s definitely doable. I run both gluetun & tailscale in separate docker containers on Ubuntu. The trick here is that gluetun should get /dev/net/tun device (basically the default example in the project readme) and tailscale should he configured (via env vars) to run in userspace mode
This is exactly right - the key is setting Tailscale with TS_USERSPACE=true in your docker-compose environment variables and it’ll work alongisde gluetun without fighting over the TUN device.
I used to do this (before my server died). You can for example use this to bypass Proton’s free tier one user per account limit.
Basically it’s about correctly setting the wireguard’s AllowedIPs and DisallowedIPs. Your laptop wants to send everything through wireguard. Your home server wants to send everything through Proton (or Mullvad or aVPN) except the communication with your laptop.
(I did that by marking the packets from one VPN with fwmark and sending marked packets to the other but that is a dumb solution for such a simple problem.)
Tailscale now supports buying Mullvad subscription through them and using it with their app. So it solves this issue, although the control you have over your Mullvad tunnel is less and it misses some advanced Mullvad features. Still probably good enough for most people.
I ended up going a different route by buying a VPS and hosting Caddy as reverse proxy. Then I only have my VPS and NAS on tailscale and other devices use the reverse proxy. This allows me to also share links to cloud files or other stuff I host with friends that are not on tailscale.
Yeah this is the plan eventually. I’m already paying for two VPNs so I can’t justify a third until one of those subscriptions are up 🤣
This is what you need: github.com/…/tailscale-protonvpn-exitnode
Omg. That is absolutely what I need!! Thank you so much!!