I have an openwrt router at home which also acts as my home server. It’s running a bunch of services using docker (Jellyfin, Nextcloud, etc.)
I have set up an SSH tunnel between my openwrt router and VPS and can access jellyfin successfully.
I understand that I need to set up a reverse proxy to access multiple services and have https.
But I’m confused if I should set up this reverse proxy on the VPS or on the router itself. Is nginx the easiest option? Should i add subdomains in cloudflare for every service?
Pease don’t recommend vpns since they are all blocked where i live (wireguard, tailscale openVPN, etc.) I’m limited to using ssh tunneling only.
Thanks
I should also add something that lots of beginners miss.
The reverse proxy does not care what the domains that you define in it actually resolve to. It receives the domain name as a HTTP header which is completely at the whim of the client. As long as that domain name matches one of the domains defined in the proxy, it’s all good.
You can successfully connect to a proxy with a domain name defined in the domain owner’s DNS, or you can make up your own DNS that says whatever you want, or you can define any domain->IP association you want in your hosts file, or you can simply use curl or wget to connect directly to the proxy IP and lie about the domain in the HTTP headers without having it resolve in any DNS.
This means that yes, the proxy will happily serve your “private” *.local.example.com services to someone connecting from outside your LAN. All they have to do is figure out (or guess) your subdomain names. You need to add IP restrictions in the proxy (default deny from all + lan ip mask explicit exception) if you really want those services to be restricted to the LAN.
DNS is not security, it’s a public service that maps domains to IPs.
TLS is only security in the sense it protects the connection en route from eavesdropping, but it doesn’t restrict access.
If you are new i recommend “Caddy V2”
It is by far the easiest.
Wait with Nginx until you’re better. (and even then, use linuxserverio/swag instead of nginx)
How can something like Tailscale be blocked?
Unfortunately, Deep Packet Inspection does this as Tailscale/Wireguard does not encrypt trafficMy bad, it encrypts traffic, but I mean easily readable signature
Wireguard, like all VPNs, definitely does E2E encryption. What would be the point of an unencrypted VPN?
It’s definitely encrypted they can just tell by signature that it is wireguard or whatever and block it.
They could do this with ssh if they felt like it.
It definitely encrypts the traffic, the problem is that it encrypts the traffic in a recognizable way that DPI can recognize. It’s easy for someone snooping on your traffic to tell that you’re using Wireguard, but because it’s encrypted they can’t tell the content of the message.
https://www.wireguard.com/protocol/
Looks like wireguard encrypts traffic to me.
It’s easily detected by firewalls in China and Iran.
Interesting, because Tailacale doesn’t use any special ports. How would that be detected? And could you maybe use Headscale on a dynamic port to circumvent that?
Wireguard is blocked at protocol level no matter which port you use. Tailsclale uses wireguard. Haven’t tried headscale yet.
Maybe look into https://nginxproxymanager.com/ it makes it quite easy to set up.
Thank you very much my question is should npm be installed on my VPS or my local server? What SSH command should I use to connect the two machines in a way that npm works?