Hi, you guys might know me from these three posts. After reading all of the comments, I’ve decided to purchase a Mini PC to host public instances of privacy-respecting services.

I’m here to bring some good news: I got it working perfectly! You can visit reallyaweso.me today and get a list of services that I’m hosting!

All services are deployed via Docker and proxied through Cloudflare. You might ask: “Why Cloudflare?”. It’s because I can’t port forward things on my home network. It really sucks that I’m depending on Cloudflare to do the port forwarding for me, but it is what it is.

If you want me to host a specific service that you want, feel free to comment on this post!

I would really appreciate it if you guys could checkout some services that I’m hosting, as I don’t know if everything went smoothly or not. Thank you guys so much for helping me on this journey!!

    • AlexPewMaster@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      Hey, thank you for your blog post. I’m definitely reconsidering my choices with Cloudflare tunnels. I will take a look at the VPS setup. Privacy is something that I really care about, so this would be pretty useful. I would definitely be ready to pay 3.29€ per month for the privacy aspects of this setup.

    • Lemmling@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Thanks for the nice writeup. Can you explain why you have these rules.

      PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 ‘!’ --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER-IP PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 ‘!’ --dport 55107 -j DNAT --to-destination 10.0.0.2;

      What happens if you remove it ?

      • nutbutter
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        I am not sure, actually. Look at the sources, and you’ll find the original GitHub link from where I took it. I am not very well versed with iptables.

        • Lemmling@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          I am behind CGNAT and I have been trying to set up a WireGuard mesh network to connect my local devices, such as a Raspberry Pi and Proxmox server, as well as my mobile devices, using a VPS as the central point. The goal is to expose locally running applications to the internet without relying on Cloudflare, as they do not allow video streaming and remote access to my local devices. I have looked at many tutorials on this topic, but they often left me confused due to the varying iptables rules and configurations. Some tutorials include specific device names like eth0 in the iptables rules, while others use variables like %i. Additionally, some examples have special rules for SSH access like this one. Apart from that, I am unsure about what additional steps I need to take when I want to run one of the peers as an internet gateway. Despite the confusion, I managed to achieve the basic mesh network setup without implementing any iptables rules for PostUp/Down. Each device in the network receives an IP address within the WireGuard subnet (10.0.0.x) and can ping one another. However, I believe that the iptables rules mentioned in the tutorials would allow accessing other subnets, such as my local LAN, through the WireGuard VPN. I am still uncertain about the exact mechanism behind how these rules work in that context and how to properly configure them for my specific use case, especially considering the CGNAT situation

          • nutbutter
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            If you are using the exact rules mentioned in my post, only the ports of your machine will be forwarded, not your entire local network. If you want to forward ports of more than one machine, look at the github link in the sources, it contains a detailed documentation of how to achieve that. Since, I do not know a lot about iptables, I may not be the best person to guide you, in this case. However, feel free to DM me, I’ll might be able to help.

    • SwissOS@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      The problem with such a situation is that you have no idea of the origin IP address, as all the requests look like they are coming from your VPS. Did you find a way to restore origin IP in your logs?

      • nutbutter
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Yes, it is fairly easy. You just have to forward the http headers. I am using HAProxy, and you can look at my configuration file in the blog. If you’re using something like Nginx Proxy, look up how to forward http heards. Some applications, like Nextcloud, require extra steps, but they also provide their own documentation.

          • nutbutter
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            9 months ago

            All ports are forwarded. If your SMTP is running on, say, port 993, on your local machine, your-VPS-ip:993 will be your SMTP.

      • nutbutter
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I am not sure what you mean.

        The issue is, when using Cloudflare, they will terminate your TLS, then encrypt the data again with their own certificate, which is send to the visitor. When visitor interacts, their data is decrypted on Cloudflare’s servers, which they encrypt again eith our original certificate and send it back to us.

        Sure, hackers or sniffers might not be able to look at the sensitive data, but Cloudflare can. But do they, or do they not, is upto you, if you trust them or not.

        • bitwolf@lemmy.one
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Oh I understand.

          I was referring to the “strict” tls option which enforces that Cloudflare connect to your node via tls instead of http.