this post was submitted on 20 Sep 2024
Selfhosted
I'm setting up a self-hosted stack with a bunch of services running on a home device. I'm also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:

  • Caddy proxy on remote VPS (HTTPS, :80 & :443)
  • Wireguard tunnel
  • Caddy proxy in Docker on homeserver (HTTP, :80)
  • app containers in separate isolated subnets, shared with Caddy

I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there's plenty of tutorials; what I'm struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that's not cool with piracy.

Unless I'm misunderstanding, BitTorrent traffic is TCP or UDP, so I'd need Caddy to act as a Layer 4 proxy. There's a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
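As an added illustration of the Layer 4 forwarding asked about above (not code from the post or from any linked blog), this is a Caddyfile for the VPS Caddy, assuming its build includes the caddy-l4 plugin (github.com/mholt/caddy-l4) and that 10.8.0.2 is the homeserver's WireGuard address; the listener port 6881, the hostname and the `udp/` listener form are assumptions, and the HTTPS site block stands in for the existing HTTP setup.

```caddyfile
{
	# Global "layer4" block comes from the caddy-l4 plugin (assumption:
	# the VPS Caddy is built with it). Plain Caddy has no L4 proxying.
	layer4 {
		# Inbound TCP peer connections arriving at the VPS public port.
		# Only the VPS address is visible to peers; the upstream is the
		# homeserver's tunnel address (10.8.0.2 is a constructed value).
		:6881 {
			route {
				proxy 10.8.0.2:6881
			}
		}
		# Same port over UDP (uTP, DHT, UDP trackers). The upstream must
		# be dialled as UDP as well, hence the udp/ prefix on both sides.
		udp/:6881 {
			route {
				proxy udp/10.8.0.2:6881
			}
		}
	}
}

# The WebUI and other HTTP apps keep using the ordinary site block,
# forwarded to the homeserver Caddy over the tunnel as before.
home.example.com {
	reverse_proxy 10.8.0.2:80
}
```

Two caveats this config does not solve: the homeserver must actually expose 6881/tcp and 6881/udp on its tunnel address (either a matching layer4 block in the Docker Caddy, or the container port published to that address), and only inbound peer connections pass through the VPS here; connections the client opens itself still leave via the homeserver's default route unless that route is sent through the WireGuard tunnel, which is the point the replies below make.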

[–] just_another_person@lemmy.world 1 points 1 month ago (1 children)

I think you're missing the point of what a proxy is. You don't need a proxy in this scenario if you're connected with Wireguard...

[–] andscape@feddit.it 1 points 1 month ago (1 children)

I'm guessing what you mean is setting up port forwarding in Wireguard...

The thing is ideally I would want all connections in and out of my homeserver's Docker network to go through the local Caddy proxy, so the app containers are isolated. That still means having at least the local Caddy acting as a TCP proxy, even if the VPS Caddy is bypassed. If that's too much of a hassle though I can instead just expose a port on the qBittorrent container directly to the homeserver's localhost, and forward that with Wireguard to the VPS.

[–] just_another_person@lemmy.world 1 points 1 month ago (1 children)

Nooooo...that's not what I'm saying.

I'm seriously not trying to be rude here, but I went and read the rest of the thread just now. Your understanding of processes, networks and VPNs is wildly misinformed. I think you need to spend some time learning about each before you go and dismiss what everyone is telling you here, which is that you're trying to make an overcomplicated and very inefficient VPN right now.

Running a torrent client through a proxy doesn't isolate a process. Especially not when you're pushing the traffic through a local proxy. You also don't need to forward any ports.

Connect to the VPN, make sure your traffic is routing there properly, and you're done. OR, if you really want a proxy, you set up a proxy. You don't need both, and neither gains you any security. If you're concerned about process isolation, that's a whole other thing you should read up on.

[–] andscape@feddit.it -1 points 1 month ago (1 children)

Resetting the "time since last being told I don't know shit on the internet" back to 0 once again...

I already have an existing and working setup used for other apps, it's close to the one described in this blog post. Yes, it's complicated and inefficient, but it has reasons to be. I want to keep my qBittorrent configuration as close to this setup as reasonably possible for consistency. If your point is that it's counterproductive to follow this setup then... fair enough. I can just route traffic from the VPS to an exposed port on the local qBittorrent container over Wireguard, but that wasn't my preferred solution.

Running a torrent client through a proxy doesn't isolate a process.

I was talking about network isolation, not process isolation.

make sure your traffic is routing there properly

That was pretty much what I was asking for help with.

[–] just_another_person@lemmy.world 0 points 1 month ago

Well, everyone here is telling you what the problem is. If you're trying to go by every step in that blog post you linked, that's wrong for what you're trying to do. That's a reverse proxy for HTTP requests.