Am a bit new to all this so apologies if terminology etc isn’t correct.
I have my server with apps in docker containers. I have gluetun set up and working, serving an internet connection to the rest of the containers.
I’m thinking about going down the Tailscale route so that I can use the apps when I’m away from home - haven’t needed to so far but it’s nice to have the option.
For that to work I think I’ll need two VPN connections - one to extend the LAN away from the house, the other to provide internet access.
If so, how the hell do I go about setting that up? Can I do this with Gluetun or do I need something else?
Any wise words or links to set-up guides would be much appreciated.
I don’t use tailscale or gluetun. They’re probably good options I just wasn’t aware of them when I was setting up and what I’m doing now has worked great for years.
My home server has 4 containers you’re interested in:
wireguard_out
this is a wireguard instance which is connected to a mullvad server on a paid subscription.
For any containers I want to “use this vpn” I just attach them to this container’s stack. It’s one of the network options in docker. Notably these containers include qbittorrent and squid (below).
Wireguard configurations look unapproachable at first but it’s one of those things where messing around with it for an hour or so will serve you well for a lifetime. There’s not heaps more to learn. LLMs are great at writing wireguard configurations.
squid
This is a http proxy attached to the wireguard_out stack. You didn’t ask about this and may not need it but I’ve found it super useful.
One of the private torrent trackers I use will only let your torrent client connect to the tracker from the same IP address you used to download the torrent file - so when browsing their website you need to use the vpn connection. Using squid makes this really easy.
In firefox (librewolf) I have foxyproxy addon which allows you to specify a proxy to use for specific urls. So when I navigate to mytracker.com firefox automatically routes the connection through squid > wireguard > mullvad on my server.
wireguard_in
This handles my “road warrior” set up so I can access services on my home server while I’m away.
This container has a separate docker network to most of my other containers, in the ip subnet 10.0.2.0/24.
traefik
this is a reverse proxy
it’s on the same network as wireguard_in with the ip address 10.0.2.2
I’ve configured a public dns “A” record *.home.mydomain.com to point to 10.0.2.2, the private ip address.
The configurations I use for the wireguard connections on my phone or other devices only route requests for this subnet through the wireguard connection. So if I’m away from home and my phone requests lemmy.world that goes through the public network, but if I request photon.home.mydomain.com that goes through my vpn. This way you don’t need to turn off / on the wireguard connection.
I use file based configurations for traefik. It can do docker label configurations but they’re just awful IMO. The yaml configurations are much more readable and manageable.
As an aside, you can replicate this structure many times on one host. I have several incoming wireguard networks for different purposes. You configure the traefik container to sit across all the networks, like a spider at the centre of a web.
Is your setup such that when you are not at home, traffic routed to your wireguard_in network reaches out to the Internet through wireguard_out? Idea being your mobile devices effectively use the same mullvad connection they would if you were at home.
I used to do this (before my server died). You can for example use this to bypass Proton’s free tier one user per account limit.
Basically it’s about correctly setting the wireguard’s AllowedIPs and DisallowedIPs. Your laptop wants to send everything through wireguard. Your home server wants to send everything through Proton (or Mullvad or aVPN) except the communication with your laptop.
(I did that by marking the packets from one VPN with fwmark and sending marked packets to the other but that is a dumb solution for such a simple problem.)
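The AllowedIPs point made above is easy to get wrong in practice, because WireGuard only has AllowedIPs: to send "everything except my own peers" through the commercial VPN, the server's outbound peer has to list the complement of the excluded subnets. The following Python script is an added example, not code from anyone in this thread. It computes that complement with the standard library, renders it as a [Peer] stanza, and checks which addresses would be routed. The function names (allowed_ips_excluding, is_routed, covered_addresses, peer_stanza, server_outbound_peer), the LAN range 192.168.1.0/24, and the key/endpoint placeholders are assumptions; 10.0.2.0/24 is the road-warrior subnet from the earlier reply.

```python
import ipaddress
from typing import Iterable, List


def allowed_ips_excluding(base: str, excluded: Iterable[str]) -> List[str]:
    """Return CIDR prefixes covering `base` minus every network in `excluded`.

    WireGuard has no DisallowedIPs key: to route "everything except X" through
    a peer, AllowedIPs must list the complement of X explicitly. Each exclusion
    is carved out of whichever remaining block contains it.
    """
    remaining = [ipaddress.ip_network(base, strict=False)]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        carved = []
        for net in remaining:
            if net.version != ex.version:
                carved.append(net)  # an IPv6 exclusion never touches an IPv4 block
            elif net.subnet_of(ex):
                continue  # this block is wholly excluded
            elif ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around the hole
            else:
                carved.append(net)
        remaining = carved
    return [str(n) for n in sorted(remaining, key=lambda n: (n.version, n))]


def is_routed(allowed: Iterable[str], ip: str) -> bool:
    """True if `ip` falls inside any AllowedIPs prefix, i.e. wg would send it to that peer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in allowed)


def covered_addresses(allowed: Iterable[str]) -> int:
    """Total number of addresses the AllowedIPs list covers (useful as a sanity check)."""
    return sum(ipaddress.ip_network(prefix).num_addresses for prefix in allowed)


def peer_stanza(public_key: str, endpoint: str, allowed: Iterable[str]) -> str:
    """Render a [Peer] section for wg-quick with the computed AllowedIPs."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",
    ])


# Constructed placeholders: the road-warrior subnet from the reply above and an assumed LAN range.
WIREGUARD_IN_SUBNET = "10.0.2.0/24"
HOME_LAN = "192.168.1.0/24"


def server_outbound_peer() -> str:
    """The home server's outbound (Mullvad/Proton-style) peer: everything except the
    road-warrior subnet and the LAN goes out through the commercial VPN, so replies
    to the laptop are never swallowed by the provider tunnel."""
    allowed = allowed_ips_excluding("0.0.0.0/0", [WIREGUARD_IN_SUBNET, HOME_LAN])
    # Key and endpoint are placeholders, not real values.
    return peer_stanza("<provider-public-key>", "<provider-endpoint>:51820", allowed)


if __name__ == "__main__":
    print(server_outbound_peer())
```

The laptop side is the easy half: its peer for the home server just has AllowedIPs = 10.0.2.0/24 (or 0.0.0.0/0 if the laptop should send everything home). The server side is where the complement matters; excluding one /24 from 0.0.0.0/0 already produces 24 prefixes, which is why people reach for fwmark tricks instead. Pass "::/0" as the base with IPv6 exclusions to get the v6 half of the list.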
If you’re using stuff like torrent clients, you can bind just those containers to gluetun. I recommend doing that instead of all of them. And then yeah the VPN server on the host.
It should work, but you may need to fiddle with routing.
It’s definitely doable. I run both gluetun & tailscale in separate docker containers on Ubuntu. The trick here is that gluetun should get the /dev/net/tun device (basically the default example in the project readme) and tailscale should be configured (via env vars) to run in userspace mode.
I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.
Note the networks below: vpn_net allows it to talk to the gluetun network, which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non-vpn stuff connects to that network when it comes up.
services:
  nginx:
    image: nginx:1.25.4-alpine-slim
    container_name: nginx
    restart: always
    volumes:
      - /etc/letsencrypt/:/etc/letsencrypt/
      # main config mounted at the path nginx actually reads
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro
      - /var/log/nginx:/var/log/nginx/
      - ./www/html/:/var/www/html/:ro
      - ./content/Movies:/var/www/media/Movies:ro
      - ./content/Shows:/var/www/media/Shows:ro
    ports:
      - 443:443
    security_opt:
      - no-new-privileges
    networks:
      # one per-service network, so only the proxy can reach each backend
      - reverse-proxy_service1
      - reverse-proxy_serviceN
      # the network defined by the gluetun/arr compose file
      - vpn-stack_vpn-net
    depends_on:
      - service1
      - serviceN

networks:
  reverse-proxy_service1:
  reverse-proxy_serviceN:
  vpn-stack_vpn-net:
    external: true
wireguard on the host
Ahh. Of course. I don’t know why I hadn’t thought of that.
Should I consider deploying a reverse proxy? I hear that setting one up can be painful.
I notice you have multiple reverse-proxy services under ‘networks’ - do you set up a separate network for each service?
Nginx proxy manager is easy to use. It has a nice gui. Caddy is incredibly simple after installing. It just has no gui. It can’t be simpler than Caddy, just 3 lines.
Well, I have the rp as I only want one port exposed. I have separate networks per service too to isolate things. Only the things that need to talk to each other can.
My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.
In your case it might be different, but generally a reverse proxy is better as you can have a single point of access to secure and you are not exposing all of your ports to the host or the internet.
I wouldn’t say setting up a reverse proxy (to your home LAN) is painful. It’s just generally ill advised. It’s painful if compromised.