Hello SelfHosters! After getting myself a wonderfully large NAS and spending a couple days thinking about how to link up the different services, I turn to you for advice. This is my situation:

I’ve been operating a cheap VPS for a while now, which runs a bunch of services that require neither lots of storage nor compute (webserver, vaultwarden, gitea and so on). But I refuse to pay the price for a large capacity / powerful remote machine for stuff like Jellyfin or Immich, especially because I want these things to be available to me in the local network no matter the network state (internet drops frequently here). Therefore, I’ve set up a ~50TB NAS, on which I want to both store and backup larger data packets, as well as operate some storage/traffic heavy applications (Jellyfin, Immich, Nextcloud, …).

What I’m struggling with is the networking of things. My VPS sits behind a Cloudflare Proxy, and I like it that way. All services are managed via domains and accessible from anywhere via that. I neither want nor need isolation of these services by a VPN. I want to continue this way with the new homelab, but am unable to directly expose ports on my home connection, or to get a static IP. For additional complication, traffic from these data-heavy applications cannot run through Cloudflare due to their limitations on the free plan. Finally, in a perfect world, I would be able to manage the domain names for services on the Homelab in the Nginx Container on the VPS, so that everything is centralized and I don’t have separate management interfaces.

My first idea was to connect the VPS and the Homelab with a Wireguard tunnel, but since this would route traffic through Cloudflare, it wouldn’t work.

[image: network layout with a tunnel]

I then read about Tailscale, and that I could link up the Homelab and VPS in a tailnet, setting up the node on the VPS as subnet router for the docker network on the homelab, which would bring me to something along these lines:

[image: network layout with a direct connection]

In a perfect world, the Nginx container on the VPS would be able to seamlessly direct traffic to services running on both the VPS and the Homelab, and data coming from the homelab would be routed directly to the client, while VPS data would continue running through Cloudflare. This would work without the client having to connect to any VPNs or mesh networks; the domain name would have to be enough.

Maybe I’m overcomplicating things. Please don’t feel obligated to copy-paste guides, I’ll happily read external resources that you can recommend. I’ll also provide clarifications in the comments as needed. Any pointers on how you people solve this would be much appreciated.
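For readers wondering what the "one Nginx on the VPS fronting both machines" layout looks like in practice, here is an added example config fragment (not the poster's own, and not taken from any of the projects named). It assumes two hostnames that are placeholders: vault.example.com, served by a container on the VPS itself and kept behind the Cloudflare proxy, and jellyfin.example.com, which lives on the homelab and is reached over the tailnet at the placeholder Tailscale address 100.64.0.2. It also assumes the jellyfin.example.com DNS record is left DNS-only at Cloudflare so the media stream does not pass through the proxy; the certificate paths and the set_real_ip_from range are placeholders too. The fragment belongs inside the http block (for example as a file in conf.d/).

```nginx
# Added example for the split layout described above; placeholder names throughout.

# Map used for WebSocket upgrades (Jellyfin's web client uses them).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Restore the real client address for requests that arrive via Cloudflare,
# but only trust CF-Connecting-IP from Cloudflare's own ranges.
# Replace the placeholder below with the current list from https://www.cloudflare.com/ips/
set_real_ip_from 192.0.2.0/24;      # PLACEHOLDER, not a Cloudflare range
real_ip_header   CF-Connecting-IP;

upstream homelab_jellyfin {
    # Tailscale address of the homelab node (placeholder). The VPS reaches it
    # through the tailnet, so nothing is port-forwarded on the home connection.
    server 100.64.0.2:8096;
}

# Served on the VPS itself; its DNS record stays proxied (orange cloud).
server {
    listen 443 ssl http2;
    server_name vault.example.com;
    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;     # placeholder

    location / {
        # Container published on localhost only, so it is reachable through Nginx alone.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Served from the homelab over the tailnet; its DNS record is DNS-only (grey cloud),
# so the stream bypasses Cloudflare. Note that this record publishes the VPS address.
server {
    listen 443 ssl http2;
    server_name jellyfin.example.com;
    ssl_certificate     /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.com/privkey.pem;    # placeholder

    client_max_body_size 0;     # do not cap uploads (photo backups, Nextcloud) at the VPS
    proxy_buffering off;        # stream video through instead of spooling it to VPS disk
    proxy_read_timeout 300s;

    location / {
        proxy_pass http://homelab_jellyfin;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two things to keep in mind with this shape: every byte the family streams still transits the VPS, so its bandwidth and traffic allowance become the ceiling, and the DNS-only record for the homelab-backed hostnames reveals the VPS address that the proxied hostnames were hiding. On the tailnet side, pointing the upstream at the homelab node's own Tailscale address (rather than advertising the whole Docker subnet through a subnet router) keeps the VPS's reach into the home network limited to the services you intend to publish.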

  • ck_@discuss.tchncs.de · +7 · 1 year ago

    With Tailscale, you would typically cut out the VPS, the connection would be client <-> homelab. No intermediary required. You COULD of course do it how you describe with the subnet router and everything, but the point of tailscale is really to have end to end connectivity.

    • 7Sea_Sailor@lemmy.dbzer0.com (OP) · +1 · edited · 1 year ago

      Yesnt. I know that I can run the apps I want on the homelab, have them expose their port in the local network, connect to my tailnet whenever I need access and use the homelab’s local address plus port to access it. But that implies needing to connect to my tailnet whenever I want to access my service. Which is not something I can easily tell my larger family to do if I wanted to provide them with movies or a photo backup solution. So I’m trying to find a method that doesn’t require a tailnet connection, which is why I was thinking of the VPS.

  • dr_robot@kbin.social · +2 · 1 year ago

    What benefit do you get from running a Cloudflare proxy if you’re directing it to a VPS? I used to run with a Cloudflare proxy when my reverse proxy was hosted at home. Since then, I’ve moved it to a VPS and I no longer use the Cloudflare proxy, because I only expose the IP address of the VPS which is fine. Arguably Cloudflare provides you with DDoS protection, but that’s so far never been a problem for me.

    • 7Sea_Sailor@lemmy.dbzer0.com (OP) · +1 · 1 year ago

      Caching, DDOS and other protections, centralized DNS management of all my domains scattered around different registrars, zero trust for sensible dashboards, and most important of all: it makes me feel good that the server IP is just a tad more secret.

    • 7Sea_Sailor@lemmy.dbzer0.com (OP) · +1 · 1 year ago

      I’m pretty sure that cloudflare has a certain traffic limit on their tunnels. Nothing that’s specific or disclosed, but if I were to stream from jellyfin through a tunnel, they will take down the tunnel or even the account after a while - or so I’ve heard.

  • Decronym@lemmy.decronym.xyz (bot) · +1 / -1 · 1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    DNS             Domain Name Service/System
    IP              Internet Protocol
    VPS             Virtual Private Server (opposed to shared hosting)

    [Thread #290 for this sub, first seen 19th Nov 2023, 03:15] [FAQ] [Full list] [Contact] [Source code]