Hey all, I like to share my storage with my friends with Nextcloud and I have been using a VPN (Tailscale) to get them connected to my server. I would like to buy a VPS or use the Oracle free tier VPS as a reverse proxy instead because Tailscale takes a lot of battery on mobile devices and adds a layer of complexity for the users. Is the data that goes through the VPS encrypted (in case my data contains DRM content)? And are there any bandwidth limits on a VPS? Sorry if my question seems trivial… Port-forwarding is not an option for me unfortunately as my ISP does not give static IPv4 addresses to normal customers.
Please feel free to correct me if I have misunderstood anything.
Oh, and I figure I will also need a domain name. I have purchased one from Namecheap.
When using NGINX with SSL, traffic gets encrypted with that SSL certificate.
FQDN - example.com
VPS - 123.123.123.123
VPN - I use Tailscale because it's really easy and solves almost all problems I've encountered on other systems without much effort
- and it's easy for friends to set up, so they can access their shares on the NAS through their own Tailscale account, manage their own 2FA, but get limited access to what is attached otherwise.
VPS has NGINX - I use Nginx Proxy Manager,
*.example.com on Nameserver points to 123.123.123.123
All my Servers are on Tailscale,
their hostnames are registered on the public Nameserver - BUT - with their Tailscale IP,
so only reachable when you’re on THIS VPN.
I use Proxmox as my virtualizer, and a Synology NAS, mostly for the ease of use.
Hint: Start up Tailscale on Proxmox with tailscale up --accept-dns=false, see https://tailscale.com/kb/1133/proxmox/
So basically, I have entries for
DNS.example.com
NPM.example.com
AUTH.example.com
LDAP.example.com
NAS.example.com
PVE.example.com
DOCKER.example.com
- All OnPrem, either Metal or Virtualised, ARecords to Tailscale IP
The DNS server also serves as a DNS redirector for these addresses when accessed on-prem, leading to the internal, offline-reachable addresses. This mitigates reliance on Internet connectivity for the communication, but also makes it possible to basically drag and drop the VM/container/hardware physically somewhere else.
Now NPM listens on the VPS on all other addresses and
reverse proxies the services or sites on my Tailscale VPN network to the public.
The only address exposed at all times is the VPS 123.123.123.123,
with easy allocation of subdomains for services without installation of any clients or setup for friends and family.
On NPM now, I setup Jellyfin, for example:
jelly.example.com -> Docker.example.com:3838
jelly does OAUTH, so it’s connected to OAUTH.example.com
OAUTH serves SSO and 2FA for LDAP credentials it gets from LDAP.example.com
My LDAP is located on the Synology NAS, but I might switch authentication servers in the future,
so I've set up LDAP.example.com to point to NAS.example.com.
Now switching LDAP servers is as easy as correcting the DNS entry and LDAP credentials, etc.
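The security property of the layout above is that every backend name (NAS, DOCKER, LDAP, ...) resolves only into the tailnet, while the public names resolve to the VPS. The following script is an added example, not code from the poster or from Tailscale/NPM: it audits a constructed copy of such a zone and flags the mistakes that would quietly break that property (a backend record pointing at a public address, or an RFC 1918 address published in the public zone, which leaks internal topology and is unreachable from the VPS anyway). The zone records, the 100.101.102.x tailnet addresses and the `audit`/`resolve` helper names are assumptions made up for the example; the VPS address and hostnames mirror the post, and 100.64.0.0/10 is the address pool Tailscale documents for its nodes.

```python
"""Audit a public DNS zone for the "backends only reachable via tailnet" layout.

Constructed example: records, helper names and the 100.101.102.x addresses
are assumptions, not taken from the thread.
"""
import ipaddress

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public zone for example.com, mirroring the post's layout:
# wildcard -> VPS running NPM, backends -> Tailscale IPs, LDAP aliased to NAS.
PUBLIC_ZONE = [
    ("*.example.com",      "A",     "123.123.123.123"),
    ("npm.example.com",    "A",     "100.101.102.1"),
    ("auth.example.com",   "A",     "100.101.102.2"),
    ("nas.example.com",    "A",     "100.101.102.3"),
    ("docker.example.com", "A",     "100.101.102.4"),
    ("ldap.example.com",   "CNAME", "nas.example.com"),
    ("jelly.example.com",  "A",     "123.123.123.123"),
]

# Labels that must never be reachable except over the VPN.
BACKENDS = {"npm", "auth", "nas", "docker", "ldap", "dns", "pve"}

# Same zone with two constructed mistakes: a backend published with its LAN
# address and a backend pointed at the VPS instead of its tailnet address.
BROKEN_ZONE = PUBLIC_ZONE + [
    ("pve.example.com", "A", "192.168.1.10"),
    ("dns.example.com", "A", "123.123.123.123"),
]


def resolve(zone, name, depth=0):
    """Return the IPv4 address `name` resolves to in `zone`, following CNAMEs
    and falling back to the parent's wildcard A record; None if unresolvable."""
    if depth > 8:
        raise ValueError("CNAME loop for " + name)
    records = {(n, t): v for n, t, v in zone}
    if (name, "CNAME") in records:
        return resolve(zone, records[(name, "CNAME")], depth + 1)
    if (name, "A") in records:
        return ipaddress.ip_address(records[(name, "A")])
    parent = name.split(".", 1)[1] if "." in name else ""
    wildcard = ("*." + parent, "A")
    if wildcard in records:
        return ipaddress.ip_address(records[wildcard])
    return None


def classify(ip):
    """Bucket an address as tailnet-only, private LAN, or public."""
    if ip in TAILNET:
        return "tailnet"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def audit(zone, domain, vps_ip, backends):
    """Return human-readable findings; an empty list means the layout holds."""
    vps = ipaddress.ip_address(vps_ip)
    findings = []
    names = {n for n, _, _ in zone if not n.startswith("*")}
    for name in sorted(names):
        ip = resolve(zone, name)
        if ip is None:
            findings.append(f"{name}: does not resolve")
            continue
        label = name[: -len(domain) - 1]   # "nas.example.com" -> "nas"
        kind = classify(ip)
        if kind == "private":
            findings.append(f"{name}: publishes RFC1918 address {ip}, "
                            "unreachable from the VPS")
        if label in backends and kind != "tailnet":
            findings.append(f"{name}: backend must resolve into the tailnet, "
                            f"got {kind} address {ip}")
        if label not in backends and ip != vps:
            findings.append(f"{name}: public service should resolve to the "
                            f"VPS {vps}, got {ip}")
    return findings


if __name__ == "__main__":
    for label, zone in (("good", PUBLIC_ZONE), ("broken", BROKEN_ZONE)):
        print(f"{label} zone:")
        for finding in audit(zone, "example.com", "123.123.123.123", BACKENDS) or ["ok"]:
            print("  " + finding)
```

Run it as-is to see the constructed zone pass and the broken copy produce three findings; in practice the zone list would be built from your registrar's export, and the check belongs in whatever pipeline changes those records, since a single wrong A record turns a tailnet-only backend into a publicly addressed one.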
They are two completely different things.
VPN: Allows you to create a virtual LAN, so a network the same as the LAN with a "virtual router" that encrypts connections and data transferred in the network. This "virtual router" must be reachable from everyone, so it needs a static IP/URI and a static opened port. Or you can use a free one like Tailscale and ZeroTier.
Reverse Proxy: It's a software that "acts as a receptionist". You request a service from the reverse proxy, and it exposes the right service to you. So it acts like a central point for any of your services. You can add any layer of security, because as "receptionist" it can check if you are allowed to use the service you are requesting or not. The reverse proxy doesn't create a virtual network; it needs a static IP/URI and a static opened port, and it also needs access to all the services (local or remote) it should expose.
For privacy, VPN offers you better privacy, because only you have access to the network. Reverse Proxy is visible from anyone; you can protect it with SSL and password, but it remains always visible from outside.
I don't understand how you can connect the reverse proxy to the services without port-forwarding. Without port-forwarding, a VPN is always needed.
I still have limited knowledge but AFAIK, a reverse proxy is not a substitute for a VPN (even when using a VPN you probably want a DNS config/reverse proxy so you connect to 'site.yourdomain.homelab' instead of an IP). A server that is exposed to the public vs. one that's not and you only connect via VPN is a big leap.
I just wanted to mention that with the server exposed to the outside, a lot of additional steps probably need to be taken: think about good firewall management (UFW, and be extra careful when using Docker with it), some IPS like fail2ban, the mentioned reverse proxy + SSL like nginx, basic sudo user management and disabling root, adding SSH keys.
They're the same for privacy; in both cases the visitor only sees the cloud IP address.
- VPN is a permanent outgoing connection that your server needs to keep alive to the VPN server in the cloud.
- Reverse proxy is essentially an on-demand incoming connection. More robust, but needs a home connection that allows incoming connections (i.e. no CG-NAT or blocked by a firewall, but IPv6 works fine), and it's mainly for http(s).
Thank you for such a detailed answer. This sounds like a great setup. If I understand this right… your server connects to the proxy via Tailscale, and the proxy exposes the services via the domain name; this connection is encrypted only with SSL. Is there a benefit to using Tailscale to connect to the proxy, considering that this is also (I think) SSL encrypted?
A server that is exposed to the public vs. one that's not and you only connect via VPN is a big leap
I see… I will have to study this more then; I don't want to put my and my users' data at risk. Thank you so much for replying. I have a clearer idea of the setup now.
A benefit over other VPNs? I'd say the management aspect, because it's so little effort even if you don't simply connect every service or container host on its own.
Other than that, all other VPN solutions basically do the same job.
You could also realise this with Cloudflare Tunnels and no VPS; FQDN domain; maybe even a reverse proxy.
Tailscale is just my choice here, but I've considered self-managing it through Headscale or going one tier lower with WireGuard itself, just for the learning aspects of the technology.