this post was submitted on 12 Nov 2023
6 points (75.0% liked)

Selfhosted


Hello SelfHosters! After getting myself a wonderfully large NAS and spending a couple days thinking about how to link up the different services, I turn to you for advice. This is my situation:

I've been operating a cheap VPS for a while now, which runs a bunch of services that require neither lots of storage nor compute (webserver, vaultwarden, gitea and so on). But I refuse to pay the price for a large capacity / powerful remote machine for stuff like Jellyfin or Immich, especially because I want these things to be available to me in the local network no matter the network state (internet drops frequently here). Therefore, I've set up a ~50TB NAS, on which I want to both store and backup larger data packets, as well as operate some storage/traffic heavy applications (Jellyfin, Immich, Nextcloud, ...).

What I'm struggling with is the networking of things. My VPS sits behind a Cloudflare Proxy, and I like it that way. All services are managed via domains and accessible from anywhere via that. I neither want nor need isolation of these services by a VPN. I want to continue this way with the new homelab, but am unable to directly expose ports on my home connection, or to get a static IP. For additional complication, traffic from these data-heavy applications cannot run through Cloudflare due to their limitations on the free plan. Finally, in a perfect world, I would be able to manage the domain names for services on the Homelab in the Nginx Container on the VPS, so that everything is centralized and I don't have separate management interfaces.

My first idea was to connect the VPS and the Homelab with a Wireguard tunnel, but since this would route traffic through Cloudflare, it wouldn't work.

network layout with a tunnel

I then read about Tailscale, and that I could link up the Homelab and VPS in a tailnet, setting up the node on the VPS as subnet router for the docker network on the homelab, which would bring me to something along these lines:

network layout with a direct connection

In a perfect world, the Nginx container on the VPS would be able to seamlessly direct traffic to both services running on the VPS and the Homelab, and data coming from the homelab would be routed directly to the client, while VPS data would continue running through Cloudflare. This would work without the client having to connect to any VPNs or mesh networks; the domain name would have to be enough.

Maybe I'm overcomplicating things. Please don't feel obligated to copy-paste guides, I'll happily read external resources that you can recommend. I'll also provide clarifications in the comments as needed. Any pointers on how you people solve this would be much appreciated.
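One concrete way to wire up the layout the post describes, written as an added example (it is not from the post or from any commenter): a single Nginx instance on the VPS serves as the one place where hostnames are managed, proxying a VPS-local service and a homelab service. The homelab is reached over the tailnet by its Tailscale address directly, so no subnet router is involved. Everything below is an assumption chosen for illustration: the file path, the hostnames `vault.example.com` and `jellyfin.example.com`, the certificate paths, the homelab's tailnet address `100.64.0.2`, the Jellyfin port 8096 and the Vaultwarden port 8080.

```nginx
# /etc/nginx/conf.d/homelab.conf  (hypothetical path; conf.d files are included
# in the http context, which is what the map directive below needs)

# Needed for WebSocket upgrades (Jellyfin uses them for its web client).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Service that stays on the VPS. Its DNS record can remain proxied through
# Cloudflare (orange cloud); Cloudflare connects to this server block.
server {
    listen 443 ssl http2;
    server_name vault.example.com;            # assumed hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed

    location / {
        proxy_pass http://127.0.0.1:8080;     # assumed Vaultwarden port on the VPS
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Data-heavy service on the homelab, reached over the tailnet. Its DNS record
# is set to "DNS only" (grey cloud), so media streams go
# client -> VPS -> tunnel -> homelab and never touch Cloudflare's proxy.
# Note that this exposes the VPS IP for this hostname, and that all stream
# bandwidth still passes through the VPS.
server {
    listen 443 ssl http2;
    server_name jellyfin.example.com;         # assumed hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed

    client_max_body_size 0;     # large uploads (photo/file backups); 0 = no limit
    proxy_buffering off;        # pass video through instead of spooling it on disk

    location / {
        proxy_pass http://100.64.0.2:8096;    # assumed tailnet address + Jellyfin port
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;             # long-lived streams and websockets
    }
}
```

Using a fixed tailnet IP rather than a MagicDNS name keeps Nginx from depending on Tailscale's resolver at startup. On the Tailscale side, a tailnet ACL that lets the VPS node reach only the homelab ports it proxies (here 8096) keeps the VPS from becoming a full bridge into the home network if it is ever compromised.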

top 8 comments
[–] ck_@discuss.tchncs.de 7 points 1 year ago (1 children)

With Tailscale, you would typically cut out the VPS, the connection would be client <-> homelab. No intermediary required. You COULD of course do it how you describe with the subnet router and everything, but the point of tailscale is really to have end to end connectivity.

[–] 7Sea_Sailor@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago)

Yesnt. I know that I can run the apps I want on the homelab, have them expose their port in the local network, connect to my tailnet whenever I need access and use the homelab's local address plus port to access it. But that implies needing to connect to my tailnet whenever I want to access my service. Which is not something I can easily tell my larger family to do if I wanted to provide them with movies or a photo backup solution. So I'm trying to find a method that doesn't require a tailnet connection, which is why I was thinking of the VPS.

[–] dr_robot@kbin.social 2 points 1 year ago (1 children)

What benefit do you get from running a Cloudflare proxy if you're directing it to a VPS? I used to run with a Cloudflare proxy when my reverse proxy was hosted at home. Since then, I've moved it to a VPS and I no longer use the Cloudflare proxy, because I only expose the IP address of the VPS which is fine. Arguably Cloudflare provides you with DDoS protection, but that's so far never been a problem for me.

[–] 7Sea_Sailor@lemmy.dbzer0.com 1 points 11 months ago (1 children)

Caching, DDoS and other protections, centralized DNS management of all my domains scattered around different registrars, zero trust for sensible dashboards, and most important of all: it makes me feel good that the server IP is just a tad more secret.

[–] dr_robot@kbin.social 1 points 11 months ago

For caching, are you sure you're generating enough traffic to benefit from it? Plus, CDN caching's strength only really comes into play when the users are geographically distributed which isn't really the case for most self hosters.

For DDoS check if your VPS host does DDoS protection. Some do and include it for free. I've been monitoring my server traffic lately. Since I've ditched Cloudflare, I haven't needed DDoS protection.

You can still use Cloudflare DNS without redirecting traffic via their CDN. I do that.

The point about not revealing the IP address is a personal one, it seems. I think it indeed does matter if that IP address is of your home, but not so much if it's of a VPS in some data center. But anyway, this point seems personal.

However, everything is a trade off and everybody has a personal take on which trade off they want to take. When I was in a similar situation, I ditched CDN proxying via Cloudflare though I still kept them for DNS.

[–] thefactremains@lemmy.world 1 points 1 year ago (1 children)

You can use cloudflare tunnels to do the same. No need for tailscale

[–] 7Sea_Sailor@lemmy.dbzer0.com 1 points 1 year ago

I'm pretty sure that Cloudflare has a certain traffic limit on their tunnels. Nothing that's specific or disclosed, but if I were to stream from Jellyfin through a tunnel, they will take down the tunnel or even the account after a while - or so I've heard.

[–] Decronym@lemmy.decronym.xyz 0 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
IP              Internet Protocol
VPS             Virtual Private Server (opposed to shared hosting)

3 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

[Thread #290 for this sub, first seen 19th Nov 2023, 03:15]