Am a bit new to all this so apologies if terminology etc isn’t correct.
I have my server with apps in docker containers. I have gluetun set-up and working, serving an internet connection to the rest of the containers.
I’m thinking about going down the Tailscale route so that I can use the apps when I’m away from home - haven’t needed to so far but its nice to have the option.
For that to work I think I’ll need two VPN connections - one to extend the LAN away from the house, the other to provide internet access.
If so, how the hell do I go about setting that up? Can I do this with Gluetun or do I need something else?
Any wise words or links to set-up guides would be much appreciated.
If you’re using stuff like torrent clients, you can bind just those containers to gluetun. I recommend doing that instead of all of them. And then yeah the VPN server on the host.
It should work, but you may need to fiddle with routing.
Tailscale now supports buying Mullvad subscription through them and using it with their app. So it solves this issue, although the control you have over your Mullvad tunnel is less and it misses some advanced Mullvad features. Still probably good enough for most people.
I ended up going a different route by buying a VPS and hosting Caddy as reverse proxy. Then I only have my VPS and NAS on tailscale and other devices use the reverse proxy. This allows me to also share links to cloud files or other stuff I host with friends that are not on tailscale.
Yeah this is the plan eventually. I’m already paying for two VPNs so I can’t justify a third until one of those subscriptions are up 🤣
It’s definitely doable. I run both gluetun & tailscale in separate docker containers on Ubuntu. The trick here is that gluetun should get /dev/net/tun device (basically the default example in the project readme) and tailscale should he configured (via env vars) to run in userspace mode
This is exactly right - the key is setting Tailscale with TS_USERSPACE=true in your docker-compose environment variables and it’ll work alongisde gluetun without fighting over the TUN device.
I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.
Note the networks below, vpn_net allows it to talk to the gluetun network which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non vpn stuff connects to that network when it comes up
nginx: image: nginx:1.25.4-alpine-slim container_name: nginx restart: always volumes: - /etc/letsencrypt/:/etc/letsencrypt/ - ./nginx/nginx.conf:/etc/nginx/nginx - ./nginx/conf/:/etc/nginx/conf.d/:ro - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro - /var/log/nginx:/var/log/nginx/ - ./www/html/:/var/www/html/:ro - ./content/Movies:/var/www/media/Movies:ro - ./content/Shows:/var/www/media/Shows:ro ports: - 443:443 security_opt: - no-new-privileges networks: - reverse-proxy_service1 - reverse-proxy_serviceN - vpn-stack_vpn-net depends_on: - service1 - serviceNwireguard on the host
Ahh. Of course. I don’t know why I hadn’t thought of that.
Should I consider deploying a reverse proxy? I hear that setting one up can be painful.
I notice you have multiple reverse-proxy services under ‘networks’ - do you set up a separate network for each service?
Nginx proxy manager is easy to use. It has a nice gui. Caddy is incredibly simple after installing. It just has no gui. It cam’t be simpler than caddy, just 3 lines.
Well i have the rp as i only want one port exposed. I have separate networks per service too to isolate things. Only the things that need to talk to each other can.
My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.
In your case it might be different , but generally a reverse proxy is better as you can have a single point of access to secure and you are not exposing all of your ports to the host or the internet.
I wouldn’t say setting up a reverse proxy (to your home LAN) is painful. Its just generally Ill advised. Its painful if compromised.
I used to do this (before my server died). You can for example use this to bypass Proton’s free tier one user per account limit.
Basically it’s about correctly setting the wireguard’s AllowedIPs and DisallowedIPs. Your laptop wants to send everything through wireguard. Your home server wants to send everything through Proton (or Mullvad or aVPN) except the communication with your laptop.
(I did that by marking the packets from one VPN with fwmark and sending marked packets to the other but that is a dumb solution for such a simple problem.)
