Two VPNs?
from jobbies@lemmy.zip to selfhosted@lemmy.world on 06 Aug 20:15
https://lemmy.zip/post/45680353

Am a bit new to all this so apologies if terminology etc isn’t correct.

I have my server with apps in docker containers. I have gluetun set-up and working, serving an internet connection to the rest of the containers.

I’m thinking about going down the Tailscale route so that I can use the apps when I’m away from home - haven’t needed to so far but it’s nice to have the option.

For that to work I think I’ll need two VPN connections - one to extend the LAN away from the house, the other to provide internet access.

If so, how the hell do I go about setting that up? Can I do this with Gluetun or do I need something else?

Any wise words or links to set-up guides would be much appreciated.

#selfhosted


JoeKrogan@lemmy.world on 06 Aug 20:26

I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.

Note the networks below: vpn_net allows it to talk to the gluetun network which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non-VPN stuff connects to that network when it comes up.

nginx:
    image: nginx:1.25.4-alpine-slim
    container_name: nginx
    restart: always
    volumes:
      - /etc/letsencrypt/:/etc/letsencrypt/
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf   # main config; nginx reads /etc/nginx/nginx.conf
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro
      - /var/log/nginx:/var/log/nginx/
      - ./www/html/:/var/www/html/:ro
      - ./content/Movies:/var/www/media/Movies:ro
      - ./content/Shows:/var/www/media/Shows:ro
    ports:
      - 443:443                        # the only port exposed on the host
    security_opt:
      - no-new-privileges
    networks:
      - reverse-proxy_service1
      - reverse-proxy_serviceN
      - vpn-stack_vpn-net              # defined by the separate gluetun/arr compose file
    depends_on:
      - service1
      - serviceN

jobbies@lemmy.zip on 06 Aug 20:50

wireguard on the host

Ahh. Of course. I don’t know why I hadn’t thought of that.

Should I consider deploying a reverse proxy? I hear that setting one up can be painful.

I notice you have multiple reverse-proxy services under ‘networks’ - do you set up a separate network for each service?

foggy@lemmy.world on 06 Aug 20:52

I wouldn’t say setting up a reverse proxy (to your home LAN) is painful. It’s just generally ill advised. It’s painful if compromised.

JoeKrogan@lemmy.world on 06 Aug 21:57

Well, I have the rp as I only want one port exposed. I have separate networks per service too to isolate things. Only the things that need to talk to each other can.

My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.

In your case it might be different, but generally a reverse proxy is better as you can have a single point of access to secure and you are not exposing all of your ports to the host or the internet.

illusionist@lemmy.zip on 06 Aug 22:19

Nginx proxy manager is easy to use. It has a nice GUI. Caddy is incredibly simple after installing. It just has no GUI. It can’t be simpler than Caddy, just 3 lines.

frongt@lemmy.zip on 06 Aug 21:23

If you’re using stuff like torrent clients, you can bind just those containers to gluetun. I recommend doing that instead of all of them. And then yeah the VPN server on the host.

It should work, but you may need to fiddle with routing.

null_dot@lemmy.dbzer0.com on 06 Aug 22:26

I don’t use tailscale or gluetun. They’re probably good options; I just wasn’t aware of them when I was setting up, and what I’m doing now has worked great for years.

My home server has 4 containers you’re interested in:

wireguard_out

This is a wireguard instance which is connected to a mullvad server on a paid subscription.

For any containers I want to “use this vpn” I just attach them to this container’s stack. It’s one of the network options in docker. Notably these containers include qbittorrent and squid (below).

Wireguard configurations look unapproachable at first but it’s one of those things where messing around with it for an hour or so will serve you well for a lifetime. There’s not heaps more to learn. LLMs are great at writing wireguard configurations.

squid

This is an HTTP proxy attached to the wireguard_out stack. You didn’t ask about this and may not need it but I’ve found it super useful.

One of the private torrent trackers I use will only let your torrent client connect to the tracker from the same IP address you used to download the torrent file - so when browsing their website you need to use the vpn connection. Using squid makes this really easy.

In firefox (librewolf) I have foxyproxy addon which allows you to specify a proxy to use for specific urls. So when I navigate to mytracker.com firefox automatically routes the connection through squid > wireguard > mullvad on my server.

wireguard_in

This handles my “road warrior” set up so I can access services on my home server while I’m away.

This container has a separate docker network to most of my other containers, in the ip subnet 10.0.2.0/24.

traefik

This is a reverse proxy.

It’s on the same network as wireguard_in with the ip address 10.0.2.2.

I’ve configured a public dns “A” record *.home.mydomain.com to point to 10.0.2.2, the private ip address.

The configurations I use for the wireguard connections on my phone or other devices only route requests for this subnet through the wireguard connection. So if I’m away from home and my phone requests lemmy.world that goes through the public network, but if I request photon.home.mydomain.com that goes through my vpn. This way you don’t need to turn off / on the wireguard connection.

I use file based configurations for traefik. It can do docker label configurations but they’re just awful IMO. The yaml configurations are much more readable and manageable.

As an aside, you can replicate this structure many times on one host. I have several incoming wireguard networks for different purposes. You configure the traefik container to sit across all the networks, like a spider at the centre of a web.

CAG_Gonzo@lemmy.world on 07 Aug 06:13

Is your setup such that when you are not at home, traffic routed to your wireguard_in network reaches out to the Internet through wireguard_out? Idea being your mobile devices effectively use the same mullvad connection they would if you were at home.

cantankerous_cashew@lemmy.world on 06 Aug 23:51

It’s definitely doable. I run both gluetun & tailscale in separate docker containers on Ubuntu. The trick here is that gluetun should get the /dev/net/tun device (basically the default example in the project readme) and tailscale should be configured (via env vars) to run in userspace mode.

MysteriousSophon21@lemmy.world on 09 Aug 02:55

This is exactly right - the key is setting Tailscale with TS_USERSPACE=true in your docker-compose environment variables and it’ll work alongside gluetun without fighting over the TUN device.
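
A constructed two-file layout, added here as an example and not taken from any of the posts above, that combines JoeKrogan's pattern (the gluetun stack defines a network, the access stack joins it as `external`, and only the reverse proxy publishes a port) with the TS_USERSPACE=true tip from this sub-thread: gluetun is the only container that gets NET_ADMIN and /dev/net/tun, Tailscale runs in userspace mode without either, and nginx lives inside the Tailscale container's network namespace so it answers on the tailnet IP as well as on the LAN. The image names, the `vpn-stack` and `access` project names, the `homeserver` hostname, the provider values, the `.env` secrets and the 8080 WebUI port are assumptions for illustration, not anything from the thread.

```yaml
# File 1: vpn-stack/compose.yaml  (constructed example)
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                      # only this container gets to manage routes/firewall
    devices:
      - /dev/net/tun:/dev/net/tun      # only this container gets the TUN device
    environment:
      VPN_SERVICE_PROVIDER: mullvad    # placeholder: your commercial VPN provider
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${WIREGUARD_PRIVATE_KEY}   # from .env; never commit it
    networks:
      - vpn-net
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: "service:gluetun"    # shares gluetun's namespace: all egress goes through the tunnel
    depends_on:
      - gluetun
    # no ports: here; other containers on vpn-net reach the WebUI as gluetun:8080

networks:
  vpn-net:
    name: vpn-stack_vpn-net            # fixed name so the second file can reference it

---
# File 2: access/compose.yaml  (constructed example; start after file 1)
services:
  tailscale:
    image: tailscale/tailscale
    container_name: tailscale
    hostname: homeserver               # placeholder: node name shown in the tailnet
    environment:
      TS_USERSPACE: "true"             # userspace networking: no TUN device, no NET_ADMIN
      TS_AUTHKEY: ${TS_AUTHKEY}        # pre-auth key from the admin console, via .env
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - ./tailscale-state:/var/lib/tailscale
    networks:
      - vpn-stack_vpn-net              # lets the proxy below resolve and reach "gluetun"
    ports:
      - "443:443"                      # the only port published on the LAN side
    restart: unless-stopped

  nginx:
    image: nginx:1.25.4-alpine-slim
    container_name: nginx
    network_mode: "service:tailscale"  # listens inside tailscale's namespace: <tailnet IP>:443
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro   # e.g. proxy_pass http://gluetun:8080; for qbittorrent
    security_opt:
      - no-new-privileges:true
    depends_on:
      - tailscale

networks:
  vpn-stack_vpn-net:
    external: true                     # created by file 1; this project only joins it
```

Bring up file 1 before file 2: the `external: true` reference makes compose refuse to start the access stack if `vpn-stack_vpn-net` does not exist yet, which is the check you want. Once both are up, `docker exec tailscale tailscale status` should list the node, and from a tailnet device `https://<tailnet IP>/` reaches nginx, which in turn reaches `gluetun:8080` over the shared network while qbittorrent's own traffic still leaves only through the commercial tunnel.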

TMP_NKcYUEoM7kXg4qYe@lemmy.world on 07 Aug 11:13

I used to do this (before my server died). You can for example use this to bypass Proton’s free tier one user per account limit.

Basically it’s about correctly setting WireGuard’s AllowedIPs and DisallowedIPs. Your laptop wants to send everything through wireguard. Your home server wants to send everything through Proton (or Mullvad or a VPN) except the communication with your laptop.

(I did that by marking the packets from one VPN with fwmark and sending marked packets to the other but that is a dumb solution for such a simple problem.)

DreamlandLividity@lemmy.world on 08 Aug 10:42

Tailscale now supports buying Mullvad subscription through them and using it with their app. So it solves this issue, although the control you have over your Mullvad tunnel is less and it misses some advanced Mullvad features. Still probably good enough for most people.

I ended up going a different route by buying a VPS and hosting Caddy as reverse proxy. Then I only have my VPS and NAS on tailscale and other devices use the reverse proxy. This allows me to also share links to cloud files or other stuff I host with friends that are not on tailscale.

jobbies@lemmy.zip on 08 Aug 17:35

Yeah, this is the plan eventually. I’m already paying for two VPNs so I can’t justify a third until one of those subscriptions is up 🤣

dieTasse@feddit.org on 08 Aug 12:08

This is what you need: github.com/…/tailscale-protonvpn-exitnode

jobbies@lemmy.zip on 08 Aug 13:47

Omg. That is absolutely what I need!! Thank you so much!!