this post was submitted on 29 Nov 2023
43 points (100.0% liked)

Selfhosted


Edit: Big thanks to everybody who shared their advice! :) I'm very pleasantly surprised and will definitely explore all the options you guys provided, such as getting an additional router or configuring Tailscale. Again, big thanks to everyone!


Hi all, I've recently moved and now my ISP doesn't allow port forwarding for wired connections (wifi only), and my landlord does not allow changing ISPs. Now my home server is practically useless which makes me very sad.

Is there any easy way to still access device ports without port forwarding, or is buying a wifi card/dongle my safest bet?

all 48 comments
[–] [email protected] 25 points 8 months ago

Host a VPS as a VPN server. Tunnel everything through VPN. Don't need to use Cloudflare this way, but maybe a little more maintenance

[–] [email protected] 23 points 8 months ago

I think Tailscale can do the job, making you connect your server through a VPN.

[–] [email protected] 17 points 8 months ago (3 children)

How does your ISP have anything to do with port forwarding, or wired vs. wifi?

[–] [email protected] 14 points 8 months ago (4 children)

In the US at least, ISPs can force you to use a specific router and software restrict certain functions.

I have AT&T and they do this to me, I just have my own router behind theirs. Might be what OP needs to do.

[–] [email protected] 11 points 8 months ago (1 children)

I knew they provided some "perks" to incentivize using their own router, like free support and compatibility with other junk they push to customers, but actively forcing users should be forbidden.

Do you also have to pay to "rent" the device?

[–] [email protected] 6 points 8 months ago

feudalism + capitalism

worst of both worlds

[–] [email protected] 8 points 8 months ago

Yeah I have AT&T and had to set up IP passthrough on their router/gateway box. Basically it makes it so the ISP provided router acts as if it isn't there and my router gets to do whatever it wants.

[–] [email protected] 7 points 8 months ago (1 children)

Just stick a router behind that router?

[–] [email protected] 4 points 8 months ago (1 children)
[–] [email protected] 2 points 8 months ago

They can't catch you if you hide it behind their router so they can't see it.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago)

If it's fiber, you don't need the modem. You'll still need it once every few months.

Things you'll need:

  1. your own router
  2. cheap 4 port switch (1gig pref)

Setup: Connect gpon (the little fiber converter box they installed on the wall near modem) wan to any port on 4port switch. Then from switch to gpon port of modem (usually red or green port). Make sure modem fully syncs. Once this happens, you can move the cable from the modem to your own router's wan port. Done! Allow router a few moments to sync as well.

Now, every once in a while they'll send a line refresh signal that will break this, or if a power outage occurs. In such case, you'll just plug back in their modem, move cable back to gpon port of modem, wait for sync. Move cable back to router.

Edit: (after thought) put all this equipment on a battery backup and you'll still have Internet during short power outages.

[–] [email protected] 8 points 8 months ago

Canada here, ISP provides router. You can set it in Bridge Mode to avoid using their router, but then you are supplying your own equipment, while running through their box.

[–] [email protected] 7 points 8 months ago (1 children)

I'm in US. My ISP Xfinity decided their users are too stupid to use router settings so they purged port forwarding settings from the router panel altogether. Now you have to use their mobile application which doesn't allow you to make port forwarding rules for a specific IP (because again, they think their user is an idiot that can't figure out IP numbers), instead it just gives you a list of devices and you have to select one to create a port forwarding rule. Wired devices are not on that list.

[–] [email protected] 7 points 8 months ago

What you could do, is set your phone with a temporary static IP (like, manually set on the device if the router doesn't have static leases). Then port forward to your phone as you would for the server. Then, set the phone back to DHCP, and set the server as the same static IP you used.

Assuming the router isn't smart enough to try to follow your phone's IP, you'll effectively have forwarded for the server.

It may also do it based on DHCP provided names, rather than WiFi names. In that case, you should make sure the server uses DHCP and advertises a valid name. If it's already got a static IP, that would explain why it doesn't show up on the UI.

[–] [email protected] 16 points 8 months ago* (last edited 8 months ago) (1 children)

I'm surprised how many people suggest using a Cloudflare tunnel given one of the main points of self-hosting is to avoid using centralized systems.

If it's for your own personal use and regular internet users don't need to be able to access it, just use a VPN. Way more secure. Wireguard is great. I like Tailscale, which uses Wireguard but makes it very easy to configure a mesh network with it.

You should be able to place the Xfinity modem into bridge mode and use your own router. Alternatively you can buy your own cable modem and return the rented one to Xfinity. Just make sure the modem you buy is DOCSIS 3.1 or 4.0 since some stores are still selling older DOCSIS 3.0 modems at full price.

[–] [email protected] 4 points 8 months ago (1 children)

Cloudflare Tunnels also work really well and turnkey for CGNAT restricted networks though. I used to have and love a simple WireGuard setup but one day the ISP can just change their structure and then you need some kind of end run around those. Tailscale works but it’s also not really a pure selfhosted solution either. Eventually you need some kind of offsite relationship afaik whether it’s a VPS or cloudflare. And cloudflare Just Works.

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago) (1 children)

Decent ISPs that use CGNAT should also have IPv6 available, which doesn't use NAT at all. In the case of CGNAT, I'd really recommend using IPv6 rather than hacking around CGNAT.

You can self-host Tailscale by using the open-source Headscale project.

[–] [email protected] 3 points 8 months ago

I'm behind CGNAT with months between IPv6 prefix changes. Having a separate publicly routable IP for each host is awesome.

Tailscale causes heavy battery drain on my phone (Pixel 4a GrapheneOS) so I'm now on always on plain Wireguard, which only needs 1% of my battery.

Sadly my mother doesn't have IPv6, so accessing e.g. Jellyfin is not possible.

[–] [email protected] 11 points 8 months ago (1 children)

Cloudflare tunnel for anything web based

[–] [email protected] 4 points 8 months ago (1 children)

I'll hijack OP now.

Can I set up a Cloudflare tunnel and still access the server via LAN when I am at home with the same setup?

Like a two entry system?

[–] [email protected] 3 points 8 months ago

Yes, since you define a service in cloudflare by giving it a local ip and port when using zero trust.

With that you shouldn't be losing your local setup.

[–] [email protected] 9 points 8 months ago (1 children)

An open source alternative is FRP

https://github.com/fatedier/frp

It's a reverse proxy server that you install on both your server and a VM in the cloud, and it tunnels your server over the VM, like the Cloudflare solution.

[–] [email protected] 3 points 8 months ago

Rathole is similar but allegedly performs better.

[–] [email protected] 6 points 8 months ago (1 children)

CloudFlare tunnels are dead simple, BUT their terms of service say you can't stream video with them (so not for Plex). I hear people stream video with them anyway and they haven't gotten in trouble yet, for what it's worth.

[–] [email protected] 2 points 8 months ago (2 children)

If the traffic is encrypted, how would they know?

[–] kugmo 5 points 8 months ago

Cloudflare is a glowie honeypot, the traffic is mitm'd and decrypted by them to see.

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago)

Probably about the rate, it's a free service and money matters.

[–] [email protected] 6 points 8 months ago

Look into cloudflare tunnels or tailscale funnel. Both let the wider public access a private server without port forwarding. If you want it private only, normal tailscale does that too, you might have some trouble if you want to use a custom domain though, since it's private.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago)

If the ISP allows port forwarding for wireless connections (as you said in your post) you just get yourself a WiFi router that can work in bridge mode.

Then you forward your ports (in the ISP router) to your bridge router and then you log into your bridge router and forward ports to your wired devices.

This assumes that the WiFi connection on the bridge router acts as WAN and performs NAT for its wired devices. If the bridge router is really just a bridge then you should only have to forward ports on the ISP router.

[–] [email protected] 5 points 8 months ago (1 children)

Wait, they allow port forwarding for wireless connections but not wired? How does that work?

[–] [email protected] 3 points 8 months ago (1 children)

My copied answer to other user in this thread:

I'm in US. My ISP Xfinity provides their own router and has decided their users are too stupid to use router settings so they purged port forwarding settings from the router firmware altogether. Now you have to use their mobile application which doesn't allow you to make port forwarding rules for a specific IP (because again, they think their user is an idiot that can't figure out IP numbers), instead it just gives you a list of devices and you have to select one to create a port forwarding rule. Wired devices are not on that list.

[–] [email protected] 3 points 8 months ago (1 children)

I'm pretty sure you can make them set the modem/router to bridge mode and run your own router. If it's cable, you can also buy your own non-router cable modem, then use whatever router you like behind it.

[–] [email protected] 1 points 8 months ago

If you want non-crippled mid-split, you have to use their gear for now. That's the main reason I haven't switched. I want that 200 upload, but I refuse to put their box in my house.

[–] [email protected] 4 points 8 months ago (2 children)

Not what you're asking but since it's been covered well:

Buy your own cable modem and put your own firewall behind it. Not only will this save you money in the long run, you'll also have no issues with things like port forwarding. I use Comcast/Xfinity with a docsis3.1 cable modem + a decent firewall and it's a good way to go.

[–] [email protected] 1 points 8 months ago (1 children)

Don't they require their gateway device for the faster tiers?

[–] [email protected] 1 points 8 months ago (1 children)

I'm on 1.2gbps with my own modem... That's the fastest available at my address.

[–] [email protected] 1 points 8 months ago (1 children)

What's your upload? Cause I want that 200 with my S33 but I didn't think they allowed it.

[–] [email protected] 1 points 8 months ago

Sadly about 50. But that's all my plan allows at my address so not a hardware issue.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago) (2 children)

Mine did this to me a few weeks back. They can kiss my... Read here. Free Oracle VPS and WireGuard. With the installer super easy! Read here https://lemmy.world/post/8121307

[–] [email protected] 7 points 8 months ago (2 children)

I don’t recommend Oracle at all if you value your sanity. Paying a couple bucks a month for DigitalOcean or Vultr (or probably almost anything else) is so worth it compared to dealing with that monstrosity

Also, I’ve experienced this, and I’ve heard reports of others having the same issue; Oracle might just randomly delete/disable your VPS

[–] [email protected] 2 points 8 months ago

DigitalOcean and Vultr are relatively expensive... You can find plenty of VPS services for $15-30/year that'd be sufficient for this use case. LowEndTalk is a good resource for that.

[–] [email protected] 2 points 8 months ago

So far all is working fine.

[–] [email protected] 3 points 8 months ago

Nothing could make me consider Oracle for anything, ever.

[–] [email protected] 2 points 8 months ago

Tor onion services also don't need any port forwarding to work. They are however only accessible over the Tor network.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| CGNAT | Carrier-Grade NAT |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| Plex | Brand of media server package |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |

6 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

[Thread #313 for this sub, first seen 29th Nov 2023, 22:35]

[–] [email protected] 1 points 8 months ago

Another option is a hoppy WireGuard connection to get you a static IP. Good for not having to set up a VPS, and multiple users don't have to connect to a VPN, since it would make the services public.