Comment on Options for protecting home IP on my self hosted home srver
towerful@programming.dev 1 day ago
You can’t hide your public IP. It’s public.
I presume your servers sit on your home network, and it’s a basic flat network. And you have a basic home router. And you forward a port on your router to your server that’s running wireguard.
Sound about right?
You already use a VPN to access your homelab/home-servers.
So the only ports you are forwarding (presumably) relate to wireguard. So the only accessable ports are secured sensibly (by wireguard, cause thats what it is).
So you are already doing everything right.
If you want a fancier router/firewall, then OpnSense or OpenWRT are good options.
But I wouldn’t run everything through your server. Let your server serve. And use a router to do network things.
If you really want to hyperconverge onto a single server like that, then I’d do it inside different VMs (probably running on a proxmox host). Have a VM running OpnSense that only does network and routing. Then VMs for other services.
You’re directly coupling your home internet access to the proxmox host and the VM, tho.
Which is why I prefer using a more embedded/dedicated router appliance (I’m a huge fan of mikrotik stuff, but my home network is TP-Link Omada. Tho I think I’ll move to Unifi)
thetrekkersparky@startrek.website 1 day ago
Yeah, sounds about right. Server is on my home network and I’ve forwarded the applicable wireguard ports on my router so I can remote in. I just want to make sure that if I’m running a torrent client on my server or on my phone while I’m connected remotely then I won’t be getting angry letters from my ISP.
towerful@programming.dev 1 day ago
Ah, gotcha.
So… You generally have to pay a VPN company to get access to their VPN exit nodes, and “hide” in among all the other traffic.
There is nothing you can self-host to do that.
ProtonVPN used to be a popular recommendation, however they are slipping out of favour due to behaviour over the last couple of years.
If you are looking for a VPN for anonymity, be careful of “review” articles posted on blogs owned by dodgy VPN providers.
I’m not sure who the “go to” VPN provider is these days.
If you rent a VPS (virtual private server) in order to run your own VPN exit node, and the VPS provider gets a letter regarding illegal activity, then your VPS will be deleted.
I don’t know of a VPS provider that will protect customers privacy WRT legal requests (maybe there are, but they will be exceptionally expensive).
So everyone pays a VPN provider that doesn’t keep logs in order to hide amongst the herd.
In order to make sure that your file downloading system uses a VPN instead of the default gateway for internet access is a huge field.
So you need to describe exactly the software you want to use the VPN exit node, and how it’s installed.
Because the solution could be host firewall, docker networking, isolated networks… Pretty sure there are many others.
thetrekkersparky@startrek.website 1 day ago
So, I already pay for Proton VPN, mostly for the E-Mail, but I do use the vpn currently on my main PC to torrent, which I then manually transfer to my server over the network, but I would like to eliminate the middleman and torrent directly to the server, while still being able to easily remote in. I run CasaOS on my Homelab and I was planning on installing qbittorrent in a container, probably through Portainer. I’m already running Soulseek on the server the same way (originally I was running slskd, but it was overly complicated to set up and once it was set up and working there were lots of upload errors and I didn’t like the UI, so I changed to a Nicontine+ docker), but that’s just open to the web.
towerful@programming.dev 1 day ago
Imo, only services that require a VPN exit node should use a VPN exit node.
github.com/qdm12/gluetun
Is a well known VPN container that people use, and works with ProtonVPN.
I don’t know anything about how to do this, but a cursory search for “gluetun qbitorrent docker” suggests that gluetun gets
network: “host”. Any container that has to use a VPN exit node getsnetwork_mode: “service:gluetun”. Adepends_on: {gluetun details}style option will ensure that any service that should use a VPN exit node will not run unless gluetun is running.Then it’s getting the data out of the qbittorent container into whatever you are using as a media server.
SolarpunkSoul@slrpnk.net 14 hours ago
I went through the same thought process as you a while ago, also with CasaOS. I ended up using the *arr suite, Jellyseer and then this container via Portainer haugene.github.io/docker-transmission-openvpn/. All the instructions are on there for whichever provider you go with, and all it took was making sure the env variables and permissions were in the right place.
talentedkiwi@sh.itjust.works 1 day ago
You can setup a docker compose config that routes all of the arr traffic through a gluetun VPN. Below is an example.
gist.github.com/…/5c2159d4fb8eb33df75bb4700713e24…