I need help figuring out where I am going wrong or being an idiot, if people could point out where…
I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc…) controlled by portainer.
A consumer router assigns static Ip addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.
I want to make this remotely accessible.
From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.
I figure the server needs the dyndns address to point at it but I the scripts pick up the internal IP.
How are people solving this?
The easiest and quickest way thats still safe is to just use tailscale.
Its a zero config VPN that you can install on all your devices. I’ve been using it for quite some time now and I’m still fascinated by how easy to use it is.
I would want to go that appros but it feels very inconvenient having to connect to VPN every time I want to check something, also the battery drain if I stayed connected all the time
I’ve been using Tailscale for about 2 months now. It has a VPN-on-demand setting that I keep enabled. That way, anytime I am not on my local WiFi, it automatically connects the VPN. According to my battery health settings, Tailscale has used 5% of my battery in the last 10 days. And I am even using a Mullvad exit node, which would use even more battery.
Not sure is it same, I don’t use tailscale, but using pure wireguard. In my experience battery drain is not even noticable, but staying connected is not smooth as I’d like. I tried to keep active VPN all the time, but then sometimes I just notice my internet is not working ( I have disable or restart VPN connection). It could be issue with my phone (Android), missconfig or something else, but I switched to manually enabling VPN every time I need it. Not amazing, but few clicks every now and then is more than acceptable for my use case
It’s easiest to just register a domain name and use Couldflare Tunnels. No need to worry about dynamic DNS, port forwarding etc. Plus, you have the security advantages of DDoS protection and firewall (WAF). Finally, you get portability - you can change your ISP, router or even move your entire lab into the cloud if you wanted to, and you won’t need to change a single thing.
I have a lab set up on my mini PC that I often take to work with me, and it works the same regardless of whether it’s going thru my work’s restricted proxy or the NAT at home. Zero config required on the network side.
Just a reminder that even though the tunnel itself is encrypted, the whole connection is not E2E encrypted between your remote client and the server. Cloudflare as a CDN/PoP provider can see the traffic in plaintext.
In all other aspects, this is a great solution, as we even get to use the edge caching(over top of all others mentioned above) facility - which further reduces the requests to origin server.
I recently went this route after dabbling with other options. I had a wireguard VPN through my Unifi router, with rules to limit access to only the resources I wanted to share, but it can be a struggle for non savvy users, and even more so if they want to use Jellyfin on their TV. Tried Twingate too and would recommend if it fits your usecase, but Cloudflare Tunnels were more applicable to me.
Just be careful as DNS and federated requests can leak your real ip even through the CF proxy.
By “remotely accessible”, do you mean remotely accessible to everyone or just you? If it’s just you, then you don’t need to setup a reverse proxy. You can use your router as a vpn gateway (assuming you have a static ip address) or you can use tailscale or zerotier.
If you want to make your services remotely accessible to everyone without using a vpn, then you’ll need to expose them to the world somehow. How to do that depends on whether you have a static ip address, or behind a CGNAT. If you have a static ip, you can route port 80 and 443 to your load balancer (e.g. nginx proxy manager), which works best if you have your own domain name so you can map each service to their own subdomain in the load balancer. If you’re behind a GCNAT, you’re going to need an external server/vps to route traffics to its port 80 and 443 into your home network, essentially granting you a static ip address.
Im using wireguard VPN. You have to setup VPN server (using your DynDNS address, but duckdns in my case), open wireguard port in your router and configure each device that needs access. Reverse proxy is not needed, but I have it so I can use jellyfin.example.com instead of 192.168.100.40:8096. I use NPM (nginx proxy manager) with awesome GUI that can create lets encrypt certificates. I also use piHole for local DNS server
If you are the only one using the services, then go for a VPN instead of port forwarding or sth. This way, your stuff isn’t openly accessible from the internet to anyone poking around
I agree with this, protecting everything behind a VPN is the way to go. I help friends setup their vpn client to my stuff if I want them to access an internal service.
