.. | ||
private | ||
vps | ||
README.md |
DIY Tunnel
I love Cloudflare Tunnels and routinely use them to expose my self-hosted services to the Internet. However, there are a couple of limitations that make them less than ideal for some use-cases.
- They work best with HTTP/HTTPS services. Other services like SSH / rando-TCP-service require the clients to run
cloudflared
. This prevents running public-facing non-HTTP services via. Cloudflare Tunnels. - Cloudflare is the man-in-the-middle. They manage the TLS certificates and, were they evil, they could inspect traffic.
This folder has some sample wireguard configuration to allow a cheap cloud-VPS to forward traffic through a wireguard tunnel to a private server.
- The VPS does not own/manage TLS certificates or any data.
- It supports any TCP services
- The connection is made from the private server to the public VPS, so only the VPS requires a static IP. The private server can hide behind a VPN and move networks with impunity.
- Through some network trickery, packets are forwarded from the VPS to the private server. The implication is that the private server sees the actual source IPs for the traffic which allows things like fail2ban to work appropriately.
Requirements:
- One public facing machine (like a VPS) with a static IPv4 address
- One private machine running your services
- Wireguard installed on each (
apt install wireguard
for you Debian/Ubuntu folks)
Steps:
- Generate keys for both the public and private server.
wg genkey | tee privatekey | wg pubkey > publickey
- Copy
private/wg0.conf
to/etc/wireguard/wg0.conf
on your private server.
- Update the ports
80,443
to be whatever ports you want to pass through. - Add the private key for the public server, and the public key for the private server.
- Copy
public/???/wg0.conf
to/etc/wireguard/wg0.conf
on your public server.
- Update the ports
80,443
to be whatever ports you want to pass through. - Add the private key for the private server, and the public key for the public server.
- Update the public IP for the public server (replace all 999.999.999.999) with your VPS IP
- Start wireguard on each machine:
wg-quick up wg0
- Enable wireguard on boot on each machine:
sudo systemctl enable wg-quick@wg0
Testing:
- From public server, can ping private IP
ping 10.0.0.2
- From private server, can ping public IP
ping 10.0.0.1
- Run a webserver on the private server...
- From public server:
curl http://10.0.0.2
should work - From workstation:
curl http://publicIP
should work - From the private server:
curl http://publicIP
should also work
- From public server:
That's about it.