Hello!
Sorry for the nth post on the same topic but let me explain myself:
TLDR: I have trouble understanding the guides that I’ve searched for because of a combination of English not being my native language and lacking the proper technical terms to look for. I don’t even know if networking works as I believe it does, so I need an ELI5 on how to do things properly before messing it up BIG.
Now, to the post.
For the past 6 or 7 months I’ve been hosting some services at home. Up until now I didn’t need nor wanted to expose them out of my home network, mainly because I didn’t want to deal with the security problems associated with that. But here we are.
My question would be how can I expose my network the good way? Can I access my home network without messing with the ports in my router?
Let me elaborate on what I’m doing first to know how to continue and the things that I need to change or do.
I run my services through Docker. Currently I have a Pihole container that runs just fine in my home network, but while researching how to expose my lab, I watched this video (in Spanish) about how to combine a container with Pihole and Wireguard to route the traffic from a device to the machine with the container.
I ended up with this docker-compose file:
version: '3.7'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - SERVERPORT=51820 #optional
      - PEERS=2 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
      - /usr/src:/usr/src
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    dns:
      # resolver for the wireguard container itself: the pihole container below
      - 172.21.0.7
    restart: unless-stopped
    networks:
      containers:
        ipv4_address: 172.21.0.6
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    expose:
      - "53"
      - "67"
      - "80"
      - "443"
    environment:
      TZ: ${TZ}
      WEBPASSWORD: ${PW}
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
      #https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    restart: unless-stopped
    networks:
      containers:
        ipv4_address: 172.21.0.7
networks:
  containers:
    ipam:
      config:
        # user-defined subnet so both containers get fixed addresses
        - subnet: 172.21.0.0/24
The video basically explains that, in order to bind the traffic of wireguard to Pihole, you need to create a subnet and define the ip addresses of the containers. The video also defines the subnet as 172.20.0.0/24, but I changed it to 172.21… because Mealie was using said subnet before.
So I installed the wireguard client on my android device, turned off the WiFi, turned on the VPN tunnel and tried to open youtube and sonarr, both without success. The device was sending packets but I guess that, because my router is not properly configured, it didn’t allow any traffic in.
So, before I mess it up I wanted to ask you guys what would be the best approach and also what can be done.
First things first, let’s get rid of the fantasies and misconceptions that I feel that I have.
Can I whitelist my device IP/MAC to bypass opening any port or do I need to concede here?
My ISP has IPv6 and so does my mobile. Can I somehow use this IPv6 to whitelist myself?
Now the more serious questions:
Wireguard wants UDP port 51820 open in my router. Is this right?
If I have to open the port what would be the safest way to do it? I’ve read about Cloudflare tunneling, but also I’ve read that some people do not want to associate themselves with cloudflare. Why could that be?
I’ve also read that I could use nginx maybe? I’m not sure… Also I’ve read people here using self-signed certificates to validate themselves. Maybe from let’s encrypt. How would this work?
So with all of this said, how can I continue in the safest way possible?
Thank you for reading all of this.
Internal/management staff - via WireGuard or other VPN
Services - via proxy and custom DNS, like Nginx Proxy Manager.
It’s no surprise that connecting from the outside with Wireguard doesn’t work if you have not opened the port for it.
That is required for Wireguard to work. Your phone needs to connect to your home IP:port for that.
Is it safe to open a port for Wireguard? Simply put, yes. It’s widely used software so at least you can trust that the software itself is secure and shouldn’t cause you any problems. However every software needs to be configured correctly to stay secure. So you need to learn how to set up your Wireguard correctly and securely. /r/Wireguard can probably help you with that. Once that is done you can open that single port in your router for forwarding it to your Wireguard container and connect with your phone from the outside to it. You also need to tell Wireguard to actually use the Pihole for its DNS, but that is also something /r/Wireguard can tell you.
I’ve read about Cloudflare tunneling
Cloudflare tunneling is sort of going the other way: instead of opening a port for incoming connections for Wireguard, you have software running inside your home network which connects to Cloudflare on the outside (=the tunnel). And then from your phone you would not connect to your home network directly, but you connect to Cloudflare, and they redirect it to your home network through that tunnel. The advantage is that you don’t need to open a port for this. The big disadvantage is that you need to trust Cloudflare, and it’s not exactly a self-hosted solution. With something like Wireguard you are in control, you host your Wireguard node, you connect directly to that, that’s all. In the end it’s your choice how much security you are willing to sacrifice for some ease of setup and use. If you have specific Cloudflare questions, /r/Cloudflare exists.
So with all of this said, how can I continue in the safest way possible?
Get Wireguard properly set up, open the Wireguard port, connect from the outside. Then make Wireguard use your Pihole. Once that is all working, pick a new goal.
I’ve also read that I could use nginx maybe? I’m not sure… Also I’ve read people here using self-signed certificates to validate themselves. Maybe from let’s encrypt. How would this work?
That’s a bit different to what you’re trying to do with your Wireguard and Pihole. With your WG+P setup you would be able to connect from the outside into your home network and use Pihole for adblocking for example, so you have secure internet with adblocking while you’re away using Wifi at Starbucks. But you can also access any services you are hosting in your home network through the Wireguard connection, if you want.
Reverse proxies like nginx, Traefik, Caddy and many more typically only take care of web services. Pihole (DNS) is not one. So you cannot use your Pihole through nginx for example. But if you have a web service in your home network, for example Portainer to manage your Docker containers, you can open the reverse proxy port to the internet, and the proxy is then listening there for incoming connections. If you connect from the outside to your public IP(*) of your home network then the proxy could detect what service you are trying to reach on the inside and redirect it to your internal Portainer for example. *Note that a reverse proxy expects a hostname (on the public internet, a domain or subdomain) when accessing it. Just an IP doesn’t work. So for using that you need to have a domain. But it doesn’t need to be a paid domain, you can easily use a free subdomain from a service like Duckdns.org or dedyn.io for example.
Tons of threads and tutorials exist already about these things. But now you should know a few phrases you can search for and learn more.
I would suggest you take one step at a time, don’t try to set up everything at once. If your current goal is to use your Pihole while you’re away, focus on that. Get your Wireguard working. And it doesn’t conflict at all once you later add nginx for example to that. In this case they serve different purposes.
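As an added illustration (not from the thread, and not the file the linuxserver image generates as peer1.conf) of the "make Wireguard use your Pihole" and "open that single port" steps above, this is what the phone's WireGuard client config would look like for the compose file in the question, using its 10.13.13.0 tunnel subnet, its 172.21.0.7 Pi-hole and UDP 51820; the key placeholders, the 192.168.1.0/24 home LAN and the DuckDNS hostname are assumptions.

```ini
# Client ("peer") config for the Android phone. Assumed values are marked.
[Interface]
# placeholder: each peer gets its own key pair, never reuse one across devices
PrivateKey = <PEER_PRIVATE_KEY>
# first peer address in INTERNAL_SUBNET=10.13.13.0 (the server is .1)
Address = 10.13.13.2/32
# With PEERDNS=auto the container runs CoreDNS on 10.13.13.1 and forwards to
# the compose "dns: 172.21.0.7" entry, i.e. Pi-hole. Setting DNS = 172.21.0.7
# directly also works because 172.21.0.0/24 is inside AllowedIPs below.
DNS = 10.13.13.1

[Peer]
# placeholder: copy from ./wireguard/server/publickey-server on the host
PublicKey = <SERVER_PUBLIC_KEY>
# assumed DDNS name; the router forwards UDP 51820 to the wireguard container
Endpoint = myhome.duckdns.org:51820
# Split tunnel: only the tunnel subnet, the docker network and the home LAN
# (192.168.1.0/24 assumed) enter the tunnel; all other traffic stays local.
AllowedIPs = 10.13.13.0/24, 172.21.0.0/24, 192.168.1.0/24
# Full tunnel (the "Pi-hole while at Starbucks" case): route everything instead.
# AllowedIPs = 0.0.0.0/0, ::/0
# keeps the NAT mapping on mobile networks open so the home side can answer
PersistentKeepalive = 25
```

Whether the phone can then reach LAN hosts such as 192.168.1.x depends on the forwarding/NAT rules on the server side, which the image sets up in its PostUp hooks; the split-tunnel AllowedIPs only decides which destinations the phone sends into the tunnel.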
Simply put, yes. It’s widely used software so at least you can trust that the software itself is secure and shouldn’t cause you any problems
Windows is also widely used software and has vulnerabilities all the time. Because a software is used widely doesn’t mean it’s safe and secure.
Oh is Windows open-source now? Because Wireguard is and that’s what I was talking about.
Thank you very much! I’ll read your answer a dozen times these next few days. I’ll keep going for the wireguard+pihole setup then.
I thought that somehow I could just magically connect to my node without opening any port because… Reasons, I guess.
Now I feel like I know what I need to do.
Warning: Deep Dive.
Wireguard is a device-to-device connection (broadly speaking). Start looking into overlay VPNs.
Tailscale is the most famous one and can be self-hosted.
I’ve read about tailscale. As far as I know, it’s built on top of wireguard, so I guess it has extra functionalities.
If this is correct, what would be in your opinion the main points to go for Tailscale instead of a pure wireguard deploy?
TS is based on the technology of WG, but they are not the same really. With TS you can very easily connect multiple devices into one private network, regardless of where they actually are.
WG only connects one point to another. For example your phone from the outside to your home network WG container. If the phone can also reach other computers in your network then that is up to you. But WG stops there, basically.
However TS is not fully self-hosted, just like I mentioned about Cloudflare. Because TS requires an outside node to be reachable (that is a control server provided by that company) and through that TS can start tunnels from your home network to that public server, similar to what a Cloudflare tunnel would do. The advantage is you don’t need to open any ports for that, TS can connect as an outgoing connection. The downside is, you need the TS software running in order to connect to any of your hosted services, so it also differs there from a reverse proxy for web services.
But you can self-host the TS control server with the open-source project Headscale. But it still needs to run on a public-facing node in order to make connections possible.
u/Pvaleriano: See above. u/thekrautboy has explained it very clearly!
tl;dr: Tailscale is more scalable to add more devices to it. Headscale is the self-host option.
Enjoy your selfhosting journey :)
I am not sure if you are free for other solutions, but a good way to expose your homelab to the internet without issues is a zero trust concept which you can realise with cloudflare for example. There are some youtube videos on it. Pretty neat. Just as a thought, I can’t tell if it would be the better solution.
Personally I use the wireguard protocol, but using PiVPN installed directly on the Raspberry (not a container) that I use for Docker services. Yes, it requires an open port on the router and (for me) a DDNS that updates my dynamic IP.
You can try Cloudflare tunneling, I read an article some days ago that explains how it is more reliable than DuckDNS (a DDNS service) in maintaining the connection to the VPN BUT you will need to buy a domain for it.
My 2 cents, try Tailscale:
- it’s free (at least for the first 100 devices that you connect)
- you DON’T need to open any port on the router
- the configuration is simple enough
- if you have concerns about the privacy of tunneling your data on someone else’s server, you can try to self-host it (the self-hosted version is called HeadScale and all the Tailscale apps are compatible with it, you only have to change the pointer to your server)
I just set up Tailscale and wow that was easy.
I’ll research Headscale because I don’t know yet if I like that Tailscale can see my services or if I’m just being paranoid.
Thank you again!
Try PiVPN and Pi-Hole. This is what I’ve got, simple to set up, just open 1 port. From my Android phone I can start the VPN and it is just like being at home.
The starting guide for pivpn also contains a section on how to run it with DDNS so it looks promising. Thanks!