Pvaleriano

joined 1 year ago
[–] Pvaleriano@alien.top 1 points 1 year ago

I just set up Tailscale and wow that was easy.

I'll research Headscale because I don't know yet if I like that Tailscale can see my services or if I'm just being paranoid.

Thank you again!

[–] Pvaleriano@alien.top 1 points 1 year ago

The starting guide for pivpn also contains a section on how to run it with DDNS so it looks promising. Thanks!

[–] Pvaleriano@alien.top 1 points 1 year ago (2 children)

I've read about tailscale. As far as I know, it's built on top of wireguard, so I guess it has extra functionalities.

If this is correct, What would be in your opinion the main points to go for Tailscale instead of a pure wireguard deploy?

[–] Pvaleriano@alien.top 1 points 1 year ago (5 children)

Thank you very much! I'll read your answer a dozen times these next few days. I'll keep going for the wireguard+pihole setup then.

I thought that somehow I could just magically connect to my node without opening any port because... Reasons, I guess.

Now I feel like I know what I need to do.

 

Hello!

Sorry for the nth post on the same topic but let me explain myself:

TLDR: I have troubles understanding the guides that I've searched because a combination of English not being my native language and lacking the proper technical terms to look for. I don't even know if networking work as I believe they do so I need an ELI5 on how to do things properly before messing it up BIG.

Now, to the post.

For the past 6 or 7 months I've been hosting some services at home. Up until now I didn't need nor wanted to expose them out of my home network, mainly because I didn't want to deal with the security problems associated with that. But here we are.

My question would be how can I expose my network the good way? Can I access my home network without messing with the ports in my router?

Let me elaborate on what I'm doing first to know how to continue and the things that I need to change or do.

I run my services trough Docker. Currently I have a Pihole container that runs just fine in my home network, but while researching how to expose my lab, I watched this video (in Spanish) about how to combine a container with Pihole and Wireguard to route the traffic from a device to the machine with the container.

I ended up with this docker-compose file

version: '3.7'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - SERVERPORT=51820 #optional
      - PEERS=2 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
      - /usr/src:/usr/src
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    dns:
      - 172.21.0.7
    restart: unless-stopped
    networks:
      containers:
        ipv4_address: 172.21.0.6
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    expose:
      - "53"
      - "67"
      - "80"
      - "443"
    environment:
      TZ: ${TZ}
      WEBPASSWORD: ${PW}
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
     #https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    restart: unless-stopped
    networks:
      containers:
        ipv4_address: 172.21.0.7

networks:
  containers:
    ipam:
      config:
        - subnet: 172.21.0.0/24

The video basically explains that, in order to bind the traffic of wireguard to Pihole, you need to create a subnet and define the ip addresses of the containers. The video also defines the subnet as 172.20.0.0/24, but I changed it to 172.21... because Mealie was using said subnet before.

So I installed the wireguard client on my android device, turned off the WiFi, turned on the VPN tunnel and tried to open youtube and sonarr, both without success. The device was sending packages but I guess that, because my router is not properly configured, it didn't allow any traffic in.

So, before I mess it up I wanted you guys to ask what would be the best approach and also what can be done.

First thing first, let's rid of my fantasies ans misconceptions that I feel that I have.

Can a whitelist my device IP/Mac to surpass opening any port or do I need to concede here?

My ISP has IPv6 and so does my mobile. Can I somehow use this IPv6 to whitelist myself?

Now the more serious questions

Wireguard wants the 51820 udp port open in my router, Is this right?

If I have to open the port what would be the safest way to do it? I've read about Cloudflare tunneling, but also I've read that some people do not want to associate themselves with cloudflare. Why could that be?

I've also read that I could use ngix maybe? I'm not sure.. Also I've read people here using self-signed certificates to validate themselves. Maybe from let's encrypt. How would this work?

So with all of this said, how can I continue in the safest way possible?

Thank you for reading all of this.