Comments

• Brkdncr@lemmy.world ⁨1⁩ ⁨week⁩ ago

  Install Tailscale on your vps and your homelab server.

  Share the Tailscale dns of your server with guests.

  Use your vps as your exit node.

  source

  • foremanguy92_@lemmy.ml ⁨1⁩ ⁨week⁩ ago

    But if I correctly understand how Tailscale works I would need to install tailscale on all machines I wish to give access to friends?

    source

    • Mordikan@kbin.earth ⁨1⁩ ⁨week⁩ ago

      No, installing Tailscale on all machines is not actually required. You can setup a funnel that exposes a service to the internet for all to see. This also removes the requirement for them to access via Wireguard if desired. https://tailscale.com/kb/1223/funnel

      source
    • Brkdncr@lemmy.world ⁨1⁩ ⁨week⁩ ago

      Yes.

      Otherwise, just open up ports on your network firewall and set up DNS to point to your external ip.

      There might be a way to do this with cloudfare that is more secure.

      source

      • -> View More Comments
• thelittleblackbird@lemmy.world ⁨1⁩ ⁨week⁩ ago

  I don’t have time now so I will sketch the solution

  You need a proxy server in your vps that will redirect the traffic to your home. Caddy is usually recommended here and I am planning to migrate to it (current is nginx)

  For your dns you need something is called zone name resolution, it will resolve different ip depending where the request came from

  Good luck

  source

  • foremanguy92_@lemmy.ml ⁨1⁩ ⁨week⁩ ago

    Didn’t know if I explained it bad, but it’s not exactly what I want to do. All the request goes trough my home (since people are VPNed to it), if they are requesting outside stuff it goes trough the VPS using VPN connection. But they request inside services it should go directly to them.

    Basically I want to know a way of routing everything trough VPS (basically a wire guard connection) but home services to avoid doing a useless journey to the internet

    source

    • curiouschipmunk@lemmy.world ⁨1⁩ ⁨week⁩ ago

      If all traffic is going through your homelab you can make the vpn clients use a vpn specific DNS server or the one suggested with resolving per origin, you then make the external names to your services to resolve to the servsrs’ internal IP addresses, avoiding going out. Another way is to add rules to your gateway to redirect internal traffic going to your external IP addresses to DNAT to the internal addresses but in order for that to work you need to masquerade them which means server logs will have gateway’s IP.

      source

      • -> View More Comments
• DecentM@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago

  You’re pretty much describing Tailscale with an exit node on the VPS. If the purpose of the VPS is to make their traffic not come from your home, you can omit the VPS entirely as Tailscale only routes through the VPN when reaching services also on the VPN.

  source

  • foremanguy92_@lemmy.ml ⁨1⁩ ⁨week⁩ ago

    Could you precise your answer a bit?

    source
• ohshit604@sh.itjust.works ⁨1⁩ ⁨week⁩ ago

  This is absolutely possible as I do it myself however, executed entirely differently, my ASUS WRT Router with Merlin firmware handles the VPN server and it routes the IP range through my VPN provider (Proton).

  Didn’t have to mess with config files or anything, install the custom firmware and created a rule for the routing.

  source
• gravitywell@sh.itjust.works ⁨1⁩ ⁨week⁩ ago

  [deleted]

  source

  • foremanguy92_@lemmy.ml ⁨1⁩ ⁨week⁩ ago

    Hum maybe this is a good solution, gonna dig a bit into

    source
• gravitywell@sh.itjust.works ⁨1⁩ ⁨week⁩ ago

  A central wireguard peer on your vps, connect from home to vps and direct the wireguard. Add friends as peers on the VPS like such:

  [Interface]
  Address = 10.0.0.1/24
  ListenPort = 51820
  PrivateKey = <VPS_PRIVKEY>
  
  # Home
  [Peer]
  PublicKey = <HOME_PUBKEY>
  AllowedIPs = 10.0.0.2/32
  
  # Friend
  [Peer]
  PublicKey = <CLIENT_PUBKEY>
  AllowedIPs = 10.0.0.3/32
  

  Use iptables to Split tunnel traffic

  For the home network ip route add 192.168.1.0/24 via 1. 0.2 dev wg0

  And for the vpn To route google a .d such

  Enable NAT for clients

  iptables -t natw POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

  You can set the iptables rules to run wjen

  source

  • foremanguy92_@lemmy.ml ⁨1⁩ ⁨week⁩ ago

    This is not what I exactly want to do. Requests to my home services are protected by not going directly to my home and rather going trough VPS, but since I know my friends I can let them go directly to my home without at any time go trough the VPS (expect to make up the out request).

    source

    • gravitywell@sh.itjust.works ⁨1⁩ ⁨week⁩ ago

      In that case you would need to add the peers to the wireguard node you have running in the home lab as well. Wireguard can route peer to peer and will take the shortest path available to it.

      That said, i highly recommend first getting things working in a “spoke and wheel” style wireguard configuration with either your homelab or the vps as a central peer, then add peers as endpoints after you have everyone with working connections to the central peer. Its just a heck of a lot easier to trouble shoot and get your head around thatway.

      source
  • MysteriousSophon21@lemmy.world ⁨6⁩ ⁨days⁩ ago

    This is almost right, but you’ll need more specific iptables rules for the split tunneling - try something like ip route add YOUR.HOME.SUBNET.0/24 via 10.0.0.2 on the VPS and then on the homelab add iptables -t nat -A POSTROUTING -d YOUR.HOME.SUBNET.0/24 -j ACCEPT followed by iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE to route evreything else through the VPS connection.

    source