selfhosted


Darkassassin07, in VPN to home network options

I host an openVPN instance from a Debian machine with my phone permanently connected to it.

Keeps my phone within my lan while roaming so it has access to non-public services like pihole, the arr stacks management interfaces, ssh/ftp, etc. Also keeps my browsing private + secure on public/work wifi.

Only the things I share with others like Emby get exposed to WAN (through a reverse proxy), the rest is VPN/LAN access only.

zelifcam, in VPN to home network options

deleted_by_author

  • fenndev,

    I’ve seen a lot of descriptions of Tailscale but still have no idea what exactly it does. I get that it uses Wireguard, but what differentiates it from a typical VPN setup? NAT traversal?

    BCsven,

    It does the wireguard config for you so you don’t have to reconfigure each machine when a new item is added to your network. Still peer to peer type network rather than single vpn to a lan router

    Darkassassin07, in Noob question about PiHole

    I set up a second pihole for redundancy.

    90% of network traffic uses the primary, but some things like to use both or exclusively the second one on random days.

    I use Gravity-Sync to keep the settings/lists between them identical. (lots of local dns records for local self-hosted stuff, and each device has a static ip + dns record to identify it easily in logs)

    originalucifer, in VPN to home network options

    openvpn is a decent standard, no reason it wont or shouldnt work.

    seems like a lot of pis...ever thought of consolidating them into containers in a single box?

    Father_Redbeard,

    Most services are on the unraid box. But I had a pi running Pi-hole for a long time (switched to adguardhome) and wanted that separate from the main server in case it went down. Pis boot up a lot faster than my server hardware and then you still need to start the array and mount drives. Having AGH on a Pi as primary DNS means minimal internet outages caused by my tinkering. I was given the 4 and put it in a really cool case that can fit a M.2 or 2.5" SSD and boot from it. So that is NextcloudPi and AGH. The 3 is because my 3d printer is nowhere near a LAN connection and 3 has WiFi. The 4 is sitting next to my router. We won’t mention the 1B I’ve been messing with too…

    originalucifer,

    ha, thats great! i got a couple of old dell R920s mirrored for ha, they take foreeever to boot.

    but those containers, damn i love bein able to slap those containers around like theyre nothing... most restart in seconds

    CameronDev, in VPN to home network options

    I run a wireguard vpn into my home, and i can access my local services. It was a small matter of setting up routing properly.

    I am using www.firezone.dev to set it up and manage it, but i believe it can be done manually if desired.

    Father_Redbeard,

    That looks handy. Thanks!

    CumBroth,

    I set it up manually using this as a guide. It was a lot of work because I had to adapt it to my use case (not using a VPS), so I couldn’t just follow the guide, but I learned a lot in the process and it works well.

    CameronDev,

    I had something manual set up originally as well, but it became a bit of a maintenance hassle. Moving configs to devices was a bit of a pain, and generating keys wasn’t easy.

    Father_Redbeard, in Pi-Hole or something else for network ad blocking?

    I ran Pi-hole for years. Switched to adguardhome running on 2 servers (primary and secondary) with AGH sync keeping the two instances identical. I like the UI better, dns rewrites, and the ability to simply block services entirely with a single click.

    Flying_Hellfish,

    I did this as well, I still have 2 pihole instances running with gravitysync for now, but AGH sync is much easier to setup and maintain. My 2 pihole instances are running for my guest network only and AGH is running everything else.

    BCsven, (edited ) in VPN to home network options

    Adding a wireguard system that has iptables adjusted to include forwarding and masquerading will allow your single wireguard connection to see the rest of your LAN: www.stavros.io/posts/how-to-configure-wireguard/

    Father_Redbeard,

    Yeah I know some of those words…

    I’m still a newb but I’ll have a look at that link, thanks!

    BCsven,

    If you are totally new to wireguard setup, I found that reviewing all of these links gave me a better understanding of how the configuration setup worked. No one site seemed to cover it all, and each one had some good tips or explanation about a certain part of wireguard.

    golb.hplar.ch/2019/07/wireguard-windows.html

    emanuelduss.ch/…/wireguard-vpn-road-warrior-setup…

    docs.sweeting.me/s/wireguard#

    This Stavros one has the post-up/down IP table modifications for forwarding traffic and your wg device masquerading as any device on the LAN

    www.stavros.io/posts/how-to-configure-wireguard/

    www.linode.com/…/set-up-wireguard-vpn-on-ubuntu/
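
The forwarding and masquerading setup BCsven describes, sketched as a wg-quick configuration; this is an added example, not part of the original thread or the linked guides. The tunnel subnet 10.8.0.0/24, LAN 192.168.1.0/24, LAN interface eth0, port 51820 and the key placeholders are all assumptions to replace with your own values.

```ini
# /etc/wireguard/wg0.conf on the WireGuard host inside the home LAN
# (constructed example; subnets, interface name and port are assumptions)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# Let the kernel route packets between the tunnel and the LAN.
PostUp = sysctl -w net.ipv4.ip_forward=1
# Forward tunnel traffic to the LAN subnet only, not to every destination.
PostUp = iptables -A FORWARD -i %i -o eth0 -d 192.168.1.0/24 -j ACCEPT
# Allow only reply traffic back into the tunnel.
PostUp = iptables -A FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Masquerade: LAN hosts see the WireGuard host's LAN address, so they need
# no extra route back to 10.8.0.0/24.
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Remove exactly the rules added above when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -o eth0 -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# Roaming client (phone or laptop); one /32 per peer.
PublicKey = <client-public-key>
AllowedIPs = 10.8.0.2/32

# ---------------------------------------------------------------
# Client-side wg0.conf (separate file on the roaming device)
# ---------------------------------------------------------------
# [Interface]
# Address = 10.8.0.2/32
# PrivateKey = <client-private-key>
#
# [Peer]
# PublicKey = <server-public-key>
# Endpoint = <home-public-address>:51820
# Route the tunnel subnet and the home LAN through the tunnel.
# AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# PersistentKeepalive = 25
```

Because of the masquerade rule, LAN services log every VPN client as the WireGuard host's address; per-client attribution has to come from the WireGuard host itself.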

    Father_Redbeard,

    That’s great, thanks for the info. I was able to get Wireguard set up in unraid but they make it pretty easy, so I didn’t have a problem. I just didn’t think about connecting to the entire network, not just the server.

    possiblylinux127, in Splitwise alternative

    Actual budget? I’ve never used it so it’s a blind suggestion.

    uranibaba, in Pi-Hole or something else for network ad blocking?

    If someone really wants this service but does not want to (or cannot) host it themselves, ovpn.com offers this in their client. I used to have a pi-hole selfhosted but not anymore. Using their client on my phone as well solved the problem with blocking ads while not at home.

    giacomo, in VPN to home network options

    I think openvpn works completely fine for most use cases and didn’t have any trouble with it at all. I did however switch to wireguard on my gateway and I get a little better throughput compared to openvpn. That being said, I’m also using a pfsense box as my home gateway, so access to internal services has been easy as general routing gets.

    Max_P, in VPN to home network options

    Any reason the VPN can’t stay as-is? Unless you don’t want it on the unraid box at all anymore. But going to unraid over VPN then out the rest of the network from there is a perfectly valid use case.

    Father_Redbeard,

    Well, I didn’t realize that was an option to be honest, lol. I am having some issues with that box at the moment though so having a pi or my router acting as the gateway appealed to me with its longer uptime

    FabulousAardvark,

    This is how I use it and it’s been rock solid for ages! Can even pass pihole through it so you get no ads when out and about.

    observantTrapezium, in Splitwise alternative

    Abrechnung is really good and actively developed and improving. The UI is already pretty satisfactory, and there’s also an API which is needed if for example you want to bulk-import a spreadsheet, for now you have to code it a bit.

    ULS, (edited ) in Tailscale help needed

    I think…

    You need to change the Heimdall urls to the tailscale urls. I’ll update this post soon.

    My old set up has openmediavault as the base system.

    I installed tailscale directly to that base system. (The OS)

    My old ip links in Heimdall stopped working.

    From memory… You need to go to the tailscale website dashboard. Iirc by default you have some random numbers as your tailscale URL. The other option is to use their magic DNS which gives you random words as a URL. Either way you will need to edit your Heimdall links. So if it’s currently 192.167.1.1:8096 you need to change it to buffalo-cow.tailscale:8096. (Or something to that effect.)

    What I did was just duplicate my current Heimdall and used a different port number… Then change all the urls to the tailscale urls.

    Your current containers should remain untouched aside from the Heimdall one with the correct app urls.

    Edit: I think an example of the tailscale URL with magic DNS enabled would be something like this. amelie-workstation.pango-lin.ts:8096

    butt_mountain_69420, (edited )

    Except that the services are “unable to open” and “other” even from the tailscale admin panel. The top two services, heimdall and portainer, are the only ones with an “open” link.

    edit: if I stop heimdall in Docker, the situation is the same, except no start page.

    ULS, (edited )

    Hmm… I’m not sure. If you’re making it to Heimdall and portainer I don’t see why the other containers wouldn’t work. I just remember having to redo my Heimdall links.

    Is tailscale installed on the base operating system?

    butt_mountain_69420,

    Tailscale is on both the base OS and I have the docker extension, which required the base OS install IIRC.

    ULS,

    Fwiw I never used a tailscale docker. I just had it on the base OS.

    nickknack,

    OP here’s a troubleshooting approach i would take:

    1. ensure services can be reached locally, thus eliminating tailscale as a variable. test on the host itself as well as another device on the same network.
    2. attempt connecting, with tailscale enabled, to the services directly. meaning, go to the host’s tailscale IP:port in a browser and NOT through heimdall
    3. if the above work, then it’s an issue with heimdall. edit the config as previously mentioned to link the services to the host’s tailscale IP:port, or have two instances of heimdall - one for local and one for remote

    butt_mountain_69420,

    Do these port numbers tell you anything at all? I’m very new to all of this.

    pasteboard.co/PLxJfeT7AV3g.png

    ULS, (edited )

    The port numbers seem fine. They shouldn’t affect the issue you’re having to my knowledge.

    butt_mountain_69420,

    I think I figured it out, just have to implement the fix. I think the problem is the lack of 443’s published by the containers. Looks like I may be able to modify the ports easily in Portainer.

    butt_mountain_69420, in Tailscale help needed
    Dhrystone, in Pi-Hole or something else for network ad blocking?

    I actually had a lot of fun a couple years ago deploying PiHole on one of my RaspberryPi’s and routing all my household machines through it. It worked great UNTIL… my kid was turning in empty homework on Google Classroom and his teachers were getting up him about it. We chastised him thinking it was his fault until I finally discovered that Pihole was messing up his uploads to GC and literally causing this problem. I got super angry with it and walked away without even trying to troubleshoot. Had to profusely apologise not only to his teachers but to him.
