this post was submitted on 03 Dec 2023
44 points (92.3% liked)

Selfhosted

39980 readers
726 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Someone here brought up that they were able to replace Cloudflare Tunnels with Tailscale - I can't seem to find the post, as it was a comment and deeply buried in a thread I've since forgotten the title of. :)

Can anyone explain the process for doing this? I assume it's through the use of their Funnel? I have three primary services I require to be accessible through Authentik (that's one of them) via my domain name.

EDIT

To answer the question of why I want to leave Cloudflare Tunnels - is basically that I have several services behind it (I forgot one so make that 4 I wish to have exposed). Two password managers, Psono for my special needs daughter which finds it easier than Bitwarden and Vaultwarden for myself and my work logins. So, I can't just set up a VPN or Tailscale at work to connect my work passwords to. :) I also have Authentik and Home Assistant tunneled at present. That doesn't explain the reason why though so let me start here:

My step-daughter is learning video production and editing, we don't want to share her videos on Youtube or other sites, but would like to keep it more local to home. With that said, Cloudflare may not notice it at first, bit it's against their TOS to stream videos, not to mention their just over 100mb cap for file xfers which leads me to the next reason. Early in May of this year, we were in an auto accident, and we are frequently sending forms, accident photos and paperwork etc to the Attorneys, I want to have control of the ownership of the files and would prefer not to email them, but link them to my server, frequently, those files even zipped can be over 100mb.

I do have a private DDNS provider I have my domain CNAME pointed to so it resolves to the home IP that way, so the ultimate plan is to untie my site from Cloudflare's DNS to a offload to a VPS or two for (NS1 and NS2) With a recent issue with Oracle Cloud, I'm not motivated to use them for this basic purpose.

And just a small part of me is starting to get tin hat against the idea that Cloudflare can decrypt the data before it hits my site before it encrypts it. Just just isn't sitting well with me at the moment. I can't verify this data yet, but I like to play it safe than sorry.

EDIT 2

So, I ran a funnel test and yes it works, but still have to use the ts.net like others said, so at best, I can figure this to be a good backup service. I can't forward a CNAME to my TS DNS. I checked /r/tailscale (Duckduckgo sent me there), and about a month ago, someone asked if you could use your own domain, the answer was "not yet" but there seems to be some interest.

What I found pretty fascinating is the mobile app does work quite well on Android and is so far so good, I can at least feel better knowing that the phones are on WG full time now through Tailscale. I had issues with the official WG client and another one staying on with our phones full time, so this so far has been a good improvement.

all 34 comments
sorted by: hot top controversial new old
[–] lemmyvore@feddit.nl 10 points 11 months ago* (last edited 11 months ago) (5 children)

Is there a reason to expose your services to the whole internet? That's what CF tunnels and Tailscale Funnel do.

I can't really recommend either of them, Funnel forces you to use a .ts.net subdomain you can't use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and reencrypt it on the fly, meaning they are able to look at your unencrypted traffic.

If you really must expose your services publicly then get a cheap VPS, point your domain A and AAAA records at its public IPs, make a tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let's Encrypt certificates for your domain).

This way you get an unbroken TLS connection all the way through, with nobody in the middle.

The tunnel that you use between your server and the VPS can work behind CGNAT because it's outgoing.

Technically the tunnel doesn't necessarily need to be encrypted because it will only carry TLS connections anyway, but then you have to deal with authorization. It's probably simplest to do an SSH tunnel.

[–] Auli@lemmy.ca 7 points 11 months ago (1 children)

According to tailscale they do not decrypt just relay.

[–] zzzz@lemmy.world 4 points 11 months ago

Also, you can host your own server: https://headscale.net/

[–] ck_@discuss.tchncs.de 5 points 11 months ago (1 children)

Both CF and Tailscale play MITM with your HTTPS connection

That's not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.

[–] lemmyvore@feddit.nl 1 points 11 months ago (1 children)

The Tailscale server on your node terminates the Transport Layer Security (TLS) and passes the request to the local service you’ve exposed through Funnel.

There's still going to be a gap where traffic is unencrypted and under their software's control. The gap takes place on your node rather then one of their servers but it still exists. You can't avoid the TLS gap when you switch domain names mid-connection.

Whether having the gap on their node rather than on Tailscale's server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn't have a TLS gap.

[–] ck_@discuss.tchncs.de 4 points 11 months ago (1 children)

That's just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no "gap" between your browser and that server.

[–] lemmyvore@feddit.nl 0 points 11 months ago (1 children)

Only if that nginx is advertising the .ts.net domain, and using the certificates for the .ts.net domain, which means you have to export and renew them manually via tailscale cert. If you let Tailscale manage them you will have a TLS gap.

[–] ck_@discuss.tchncs.de 1 points 11 months ago

Precisely. Except there is no "Tailscale manage them for you".

So you could summarize your answer as " Tailscale certificates work like let encrypt".

[–] meteokr@community.adiquaints.moe 4 points 11 months ago (1 children)

This method is perfect for fully controlling your traffic. As another option, you can run a wireguard VPN on the vps and route traffic back through the VPN. In my experience wireguard has better performance than an ssh tunnel and allows for actual network topology with subnets rather than just raw port forwarding.

[–] sloppy_diffuser@sh.itjust.works 2 points 11 months ago

Seconding wireguard. I just have PiVPN manage my configs on an RPi, port forwarding on my router, and a script to do dynamic DNS via API on IP change.

I don't have CGNAT though and have full control over my work machine.

[–] hempster@lemm.ee 1 points 11 months ago (1 children)

Should I install a reverse proxy on the VPS and link services on the local server, or should I install it directly on the local server?

[–] lemmyvore@feddit.nl 1 points 11 months ago

Services and reverse proxy on your server. Tunnel host on the VPS.

[–] garibaldi@startrek.website 1 points 11 months ago

Rather than a cheap VPS, what about hosting a reverse proxy on fly.io, something like this? https://github.com/AnimMouse/frp-flyapp

[–] bmck@lemmy.bmck.au 6 points 11 months ago (1 children)
[–] node815@lemmy.world 1 points 11 months ago (1 children)

Thanks! That's one part of the equation. I think. I have a lot to read up on, I just got set up about an hour ago with Tailscale so a lot to ingest.

Ideally, I want to replace my Wireguard connection which I am currently using (WG-Easy) to stay connected to my home network when I'm away from home so far that's been hit/miss on 2 out of 3 phones I have running Android 13. I'm working on getting that to work with my new setup on Tailscale.

[–] lemmyvore@feddit.nl 5 points 11 months ago

Then try just regular Tailscale first, see how reliable it is for keeping you connected to your server.

CF Tunnels and Tailscale Funnel are for exposing websites over internet, as you probably know, but ideally you shouldn't need to do that if you can use a VPN.

[–] Decronym@lemmy.decronym.xyz 5 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
LXC Linux Containers
NAT Network Address Translation
RPi Raspberry Pi brand of SBC
SBC Single-Board Computer
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #331 for this sub, first seen 3rd Dec 2023, 11:45] [FAQ] [Full list] [Contact] [Source code]

[–] Dave811 4 points 11 months ago (1 children)

So my post was the one to get rid of the cloudflare tunnel.

Basically I set up a tailscail docker on my home server and connected it with a one time key from tailscale. There I exposed my local network. (Perhaps secure that only to your homeserver IP)

Then I set up a Debian Server which hosts a lot of other stuff. But there I also installed tailscail and connected it to my account.

After this the most important part! I wasted hours to find this line of code sudo tailscale up --accept-routes With that you allow the external server to accept routes. Otherwise you can't redirect to your homeserver

The next step I took was to install nginx and setup a reverse proxy to my traefik docker on my home network

Here I routed the domain with every subdomain (*.your.domain) to my homeserver.

My homeserver took care of the https certificate so my nginx server only redirects traefik from port 80.

I can share my configs later but I have a little problem with large nextcloud uploads. And I don't have the previously working nginx config anymore.... So I need to dig a bit further again.

Ask me questions, but I can only answer them in about 7h Hope my late night writing makes sense.

[–] node815@lemmy.world 1 points 11 months ago (1 children)

Nice! So, using the --accept-routes part, does that allow you to use a CNAME record to your funnel's address (machine.tailscale-id.ts.net) ? I tried to do this and it failed to resolve for reasons of too many redirects.

[–] Dave811 1 points 11 months ago (1 children)

I didn't try that, I use the static local ipv4 address of my network. Like http(s)://192.168.1.3:443

[–] node815@lemmy.world 1 points 11 months ago* (last edited 11 months ago) (1 children)

Gotcha, so normal means of exposing services via reverse proxy. :) With mine so I could access my local IP I just enabled the --advertise-routes option.

[–] Dave811 1 points 11 months ago (1 children)

To be clear I ran that on my reverse proxy server. In the tailscail dashboard you also need to enable the subnet

[–] node815@lemmy.world 1 points 11 months ago

Understood! I have subnet routing enabled as well. First thing I did when I realized my phone couldn't access my local server once connected to Tailscale. :)

[–] morphixz0r@lemmy.world 4 points 11 months ago (1 children)

Just curious what the reason behind not wanting to use Cloudflare Tunnels is?

[–] SeeJayEmm@lemmy.procrastinati.org 7 points 11 months ago

Because it's a large company slowly taking over the internet?

[–] ck_@discuss.tchncs.de 2 points 11 months ago

Cloudflare can decrypt the data before it hits my site before it encrypts it

Give Tailscale funnel a try, it provides similar functionality but does not need to terminate yout TLS to do it.

[–] effward@lemmy.world 1 points 11 months ago (1 children)

I saved this recent comment, maybe it was somewhere in this thread?

https://lemmy.world/comment/5721150

[–] ck_@discuss.tchncs.de 2 points 11 months ago

Except you can condense that whole thread into

  1. Install Tailscale
[–] ck_@discuss.tchncs.de 1 points 11 months ago (1 children)

I ran a funnel test and yes it works, but still have to use the ts.net

Out of curiosity, why is that a deal breaker for you?

[–] node815@lemmy.world 1 points 11 months ago

Simply put - I won't risk making my work's IT mad by logging into my machinename.tailscale-defined.ts.net. I don't know if it's blocked there, but you never know with IT polices and such. I've already been able to get through to my foo.example.com address without issue so I'm letting a sleeping dog alone so to speak.

Also, I think it's easier to tell someone to go to videos.example.com than machinename.tailscale-defined.ts.net. :)

[–] seang96@spgrn.com 1 points 11 months ago (1 children)

If you want to keep it exposed like cloud flare you could use this service. https://hoppy.network/

[–] node815@lemmy.world 2 points 11 months ago (1 children)

I will update my OP soon, but with the help of Dave811@lemmy.today here I was able to resolve my domain to my machines at least through Cloudflare using the ''' --accept-routes''' tag in my tailscale up command. This then, allowed me to point the A Record to the IP for the machine which Tailscale gives. I will have more details on this later this weekend or maybe sooner. I'm still working on resolving my password manager being exposed through Tailscale which I figured out this morning, so I need to migrate that over to a new LXC container. Then, after that - I'm ready to move away from CF once I copy my existing tunnel mappings over to the A name records with Porkbun. (shoot! I might just write a new post about this so anyone can glean from it when I'm done). Its still very much a Work in Progress.

[–] seang96@spgrn.com 1 points 11 months ago

--accept-routes bit was interesting be cool to see followup posts showing results more often!