Hi, I moved this year to another city, because my internet provider didn’t give me a dedicated ipv4 address I can’t use a dyndns like duckdns. Another thing to mention is, that I have a dslite tunnel. So I can’t set up dyndns…
So my recent setup is a truenas server sitting under my desk. This is connected via cloudflared to the cloudflare tunnel. There I have my services like seafile or nextcloud configured. They are all pointing to a traefik instance that routes the traffic to the right container.
So to summarize what I have:
- Truenas server
- multiple services
- dslite tunnel
- own domain
- Cloudflare tunnel
- v-server
- Nginx
- docker
To visualize the route the traffic is going
Internet - cloudflare tunnel - cloudfared docker - traefik docker - service (nextcloud) docker
So I want to setup something on my v-server that routes the traffic to my homeserver (truenas)
Internet - DNS (cloudflare) - v-server - (magic docker service on truenas) - traefik docker - service (nextcloud) docker
Does someone have an idea how to solve this?
My suggestion would be to setup a VPN service in your publicly available v-server. The most suggested solution is wireguard.
Then you can connect your truenas to that VPN and make it accessible, maybe via nginx.
The traffic flow would be:
nginx on v-server --(wireguard)--> traefik --> Nextcloud
That’s a good point. But that’s also the point where my tinkering won’t help me… Do you have a writeup or a yt video where nginx points to the wireguard VPN? Another question. If I set up the wireguard tunnel, how can I just route the traffic from traefik?
I found this writeup and it looks correct, but I have not tested it.
The author posted a nice graphic that shows the idea:
I’m not sure I understand why they need two Caddy servers. The first one should be a simple port forward, no need for a proxy forward. Unless they want to do something with the connections at application level, but it sounds like they simply forward them as-is.
You need two caddy servers if there are other websites on the vserver that will use port 80/443. If not, port forwarding (eg. with iptables) will work.
Basically once you have WG set up, you will have an additional interface with it’s own IP in “ifconfig”. At that point all the ports are available and you can just point your reverse proxy to them (sorry I’m an NGINX user, I have no idea how Traefik works).
Additionally don’t forget to add keep-alive in your WG config so that the service doesn’t shut off once traffic stops going between both servers.
deleted by creator
The problem is with nextcloud on my end. Some files just can’t get synced and bigger files won’t even go through. Perhaps something is misconfigured, but I think I red something, that cloudflare tunnels only support x gb of traffic at once.
CF free tier specifies in their ToS it’s not for media so likely yeah, you’re getting some sort of rate limitation.
100mb is the max I think
Install Tailscale (1) on the VPS and (2) in a Docker container on TrueNAS. The Tailscale container #2 will replace the cloudflared container. Set the Tailscale #2 node as a subnet router exposing the Traefik container’s netmask (you probably already know how to get networking going between two Docker containers).
What you’ll end up with:
Internet -> DNS (your domain) -> VPS public IP (Tailscale node #1 ===> Tailscale node #2 in Docker on TrueNas) -> Traefik -> web apps on your TrueNAS
Tailscale is not bandwidth-limited like Cloudflare because the nodes only use Tailscale’s servers for the initial rendez-vous (to get out of NAT), then you will use the direct bandwidth between the VPS and your home connection.
You will also be able to use other DNS services if you want, because you won’t be forced to use Cloudflare’s anymore.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAT Network Address Translation SSH Secure Shell for remote terminal access VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
10 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #238 for this sub, first seen 24th Oct 2023, 16:55] [FAQ] [Full list] [Contact] [Source code]
Haven’t tried it myself, but I’ve heard others talk about tailscale
The easiest way I found to passthrough a cgnat is using a VPN.
I suggest using Tailscale, cause it does some tricks to bypass cgnat and you can access your truenas server.
Besides the great suggestions others have given, the OpenZiti project (openziti.io) looks interesting, though I haven’t found the need or time to try it out.
A linode vps is what I use
I’m in the same boat and looking at options. I’ve benchmarked several options tht provide their own relays, and am in the process of setting up my own relays to test out on oracle free tier vps, which will probably be the best option as all the bandwidth that vps can handle will be dedicated to you and not shared. That said I’ve found tailscale to perform the best and twingate to perform the worst. I’m looking at netbird and netmaker but they’re extremely buggy and difficult to get going. Netbird is just busted in so many ways. Netmaker’s relays can’t get past my cgnat. Self hosting both of these should work but I’ve not tried it yet. The absolute easiest to set up has been tailscale though, can’t go wrong with that. For most use cases except for handling massive amounts of data, tailscale should be more than sufficient. That said, I’m looking to try selfhosting netbird, netmaker and headscale to see how those perform compared to tailscale’s own relays.
You could proxy your Webservice though a reverse SSH tunnel to a vps (that’s basically what cloudflare tunnels do)