I'm a bit new to all this, so apologies if the terminology etc. isn't correct.

I have my server with apps in docker containers. I have gluetun set up and working, serving an internet connection to the rest of the containers.

I'm thinking about going down the Tailscale route so that I can use the apps when I'm away from home - I haven't needed to so far, but it's nice to have the option.

For that to work I think I’ll need two VPN connections - one to extend the LAN away from the house, the other to provide internet access.

If so, how the hell do I go about setting that up? Can I do this with Gluetun or do I need something else?

Any wise words or links to set-up guides would be much appreciated.

  • frongt@lemmy.zip · 4 points · 25 days ago

    If you’re using stuff like torrent clients, you can bind just those containers to gluetun. I recommend doing that instead of all of them. And then yeah the VPN server on the host.

    It should work, but you may need to fiddle with routing.

  • DreamlandLividity@lemmy.world · 4 points · edited · 23 days ago

    Tailscale now supports buying Mullvad subscription through them and using it with their app. So it solves this issue, although the control you have over your Mullvad tunnel is less and it misses some advanced Mullvad features. Still probably good enough for most people.

    I ended up going a different route by buying a VPS and hosting Caddy as reverse proxy. Then I only have my VPS and NAS on tailscale and other devices use the reverse proxy. This allows me to also share links to cloud files or other stuff I host with friends that are not on tailscale.

    • jobbies@lemmy.zip (OP) · 3 points · 23 days ago

      Yeah, this is the plan eventually. I'm already paying for two VPNs, so I can't justify a third until one of those subscriptions is up 🤣

  • cantankerous_cashew@lemmy.world · 4 points · 25 days ago

    It's definitely doable. I run both gluetun & tailscale in separate docker containers on Ubuntu. The trick here is that gluetun should get the /dev/net/tun device (basically the default example in the project readme) and tailscale should be configured (via env vars) to run in userspace mode.

    • MysteriousSophon21@lemmy.world · 3 points · 22 days ago

      This is exactly right - the key is setting Tailscale with TS_USERSPACE=true in your docker-compose environment variables and it'll work alongside gluetun without fighting over the TUN device.
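
The layout the two comments above describe, written out as one compose file. This is an added example, not anything posted in the thread: gluetun gets the kernel TUN device and the torrent client shares its network namespace, while tailscale runs in userspace (netstack) mode with a reverse proxy sharing *its* namespace, so the only thing a remote device can reach through the tailnet is what the proxy exposes. Image tags, the network name vpn-net, qbittorrent and caddy as the example services, the hostname homebox and the .env variables are all assumptions.

```yaml
# Added example (not from the thread). Assumed: image tags, the network name
# vpn-net, qbittorrent as the gluetun-bound app, caddy as the proxy, and a
# .env file next to this compose file holding WG_PRIVATE_KEY, WG_ADDRESSES
# and TS_AUTHKEY so no secret is written into the compose file itself.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun          # gluetun is the only container that gets the TUN device
    environment:
      VPN_SERVICE_PROVIDER: mullvad        # assumption: any provider gluetun supports
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${WG_PRIVATE_KEY}
      WIREGUARD_ADDRESSES: ${WG_ADDRESSES}
    networks:
      - vpn-net
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    network_mode: "service:gluetun"        # shares gluetun's netns: all of its traffic exits via the provider tunnel
    depends_on:
      - gluetun
    volumes:
      - ./qbittorrent:/config
    restart: unless-stopped
    # Deliberately no ports: entry. Other containers on vpn-net reach the web UI
    # as gluetun:8080 (assumption: gluetun's firewall allows its own Docker subnet).

  tailscale:
    image: tailscale/tailscale
    hostname: homebox                      # node name on the tailnet; assumption
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}            # pre-auth key from the admin console, kept in .env
      TS_USERSPACE: "true"                 # netstack mode: no /dev/net/tun and no NET_ADMIN needed
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - ./tailscale-state:/var/lib/tailscale   # persist the node identity across restarts
    networks:
      - vpn-net
    restart: unless-stopped

  caddy:
    image: caddy
    network_mode: "service:tailscale"      # caddy listens inside tailscale's netns, i.e. on the tailnet IP
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    depends_on:
      - tailscale
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

networks:
  vpn-net:
```

The Caddyfile for this layout is a single site block, `:80 { reverse_proxy gluetun:8080 }`; `gluetun` resolves because the tailscale container (whose namespace caddy shares) sits on vpn-net. Inbound connections to the node's tailnet address are handed to the local namespace by userspace tailscale (an assumption about that mode; if your version behaves differently, `tailscale serve` inside the container is the alternative), so from the laptop `http://homebox` reaches caddy and nothing else. Neither caddy nor qbittorrent publishes a host port, so nothing is exposed on the LAN or the internet, and the laptop's own internet traffic is untouched: it only sends tailnet-destined packets through Tailscale, which is the "two VPNs" answer to the original question.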

  • JoeKrogan@lemmy.world · 2 points · edited · 25 days ago

    I have the arr stack connected to gluetun doing its thing and then wireguard on the host. I only expose my reverse proxy to the host and can connect to the services through that.

    Note the networks below: vpn-net allows it to talk to the gluetun network, which has the other stuff. The gluetun and arr stuff are in a separate compose file that defines the network. Then the non-VPN stuff connects to that network when it comes up.

    # Fragment of the compose file for the non-VPN stack (the surrounding
    # "services:" key is omitted). vpn-stack_vpn-net is the network created by
    # the separate gluetun/arr compose file and is attached here as external.
    nginx:
        image: nginx:1.25.4-alpine-slim
        container_name: nginx
        restart: always
        volumes:
           - /etc/letsencrypt/:/etc/letsencrypt/
           # target was "/etc/nginx/nginx" as posted; nginx reads /etc/nginx/nginx.conf
           - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
           - ./nginx/conf/:/etc/nginx/conf.d/:ro
           - ./nginx/htpasswd:/etc/apache2/.htpasswd:ro
           - /var/log/nginx:/var/log/nginx/
           - ./www/html/:/var/www/html/:ro
           - ./content/Movies:/var/www/media/Movies:ro
           - ./content/Shows:/var/www/media/Shows:ro
        ports:
           - 443:443            # the only port published on the host
        security_opt:
          - no-new-privileges
        networks:
          - reverse-proxy_service1   # one isolated network per proxied service
          - reverse-proxy_serviceN
          - vpn-stack_vpn-net        # reaches the containers behind gluetun
        depends_on:
          - service1
          - serviceN

    # Top-level network declaration the fragment relies on (assumed, since the
    # posted snippet stops at the service definition).
    networks:
        reverse-proxy_service1:
        reverse-proxy_serviceN:
        vpn-stack_vpn-net:
            external: true
    
    • jobbies@lemmy.zip (OP) · 1 point · 25 days ago

      wireguard on the host

      Ahh, of course. I don't know why I hadn't thought of that.

      Should I consider deploying a reverse proxy? I hear that setting one up can be painful.

      I notice you have multiple reverse-proxy networks under 'networks' - do you set up a separate network for each service?

      • illusionist@lemmy.zip · 2 points · 25 days ago

        Nginx Proxy Manager is easy to use. It has a nice GUI. Caddy is incredibly simple after installing; it just has no GUI. It can't be simpler than Caddy, just 3 lines.

      • JoeKrogan@lemmy.world · 1 point · 25 days ago

        Well, I have the RP as I only want one port exposed. I have separate networks per service too, to isolate things. Only the things that need to talk to each other can.

        My stuff is only accessible on the lan and via the vpn and even then only certain ips have access to certain things.

        In your case it might be different, but generally a reverse proxy is better as you have a single point of access to secure and you are not exposing all of your ports to the host or the internet.

      • foggy@lemmy.world · 1 point · 25 days ago

        I wouldn't say setting up a reverse proxy (to your home LAN) is painful. It's just generally ill-advised. It's painful if compromised.

  • TMP_NKcYUEoM7kXg4qYe@lemmy.world · 1 point · 24 days ago

    I used to do this (before my server died). You can, for example, use this to bypass Proton's free-tier one-user-per-account limit.

    Basically it's about correctly setting WireGuard's AllowedIPs and DisallowedIPs. Your laptop wants to send everything through WireGuard. Your home server wants to send everything through Proton (or Mullvad or aVPN) except the communication with your laptop.

    (I did that by marking the packets from one VPN with fwmark and sending marked packets to the other but that is a dumb solution for such a simple problem.)
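
The host-level version of the split the comment above describes, as an added example that is not the commenter's own configuration. In WireGuard the "everything except the laptop" part is expressed by AllowedIPs alone (the laptop peer gets only its tunnel address, the provider peer gets 0.0.0.0/0) plus the policy routing wg-quick already creates for a 0.0.0.0/0 peer; the one manual piece is an fwmark on the laptop-facing tunnel so its encrypted UDP is not itself pushed into the provider tunnel. Assumed names and values: the interfaces wg-lan and wg-vpn, 10.8.0.0/24 for the laptop tunnel, the provider-issued address 10.2.0.2/32, UDP 51821 forwarded from the home router to the server, and the hostname home.example.org; the bracketed keys are placeholders.

```ini
# Added example, not the commenter's configuration. Assumed: interface names
# wg-lan/wg-vpn, 10.8.0.0/24, 10.2.0.2/32, port 51821, home.example.org.

# ---- /etc/wireguard/wg-lan.conf  (home server: the "extend the LAN" tunnel) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51821
PrivateKey = <server private key>
# wg-quick gives wg-vpn (below) the rule "not fwmark 51820 lookup 51820".
# Marking this tunnel's own encrypted UDP with the same value makes it skip
# that table and leave through the normal ISP route, so handshakes and
# replies to the laptop's public address are not swallowed by the provider tunnel.
FwMark = 51820
PostUp = sysctl -w net.ipv4.ip_forward=1
# Forward the laptop's traffic, and NAT it so it can exit via the provider tunnel.
PostUp = iptables -A FORWARD -i wg-lan -o wg-vpn -j ACCEPT
PostUp = iptables -A FORWARD -i wg-vpn -o wg-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wg-vpn -j MASQUERADE
PostDown = iptables -D FORWARD -i wg-lan -o wg-vpn -j ACCEPT
PostDown = iptables -D FORWARD -i wg-vpn -o wg-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o wg-vpn -j MASQUERADE

[Peer]
# The laptop. Only its tunnel address is accepted from it and routed to it;
# nothing else on the server is affected by this peer.
PublicKey = <laptop public key>
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg-vpn.conf  (home server: the provider tunnel) ----
# Everything except PrivateKey/Address/Peer comes from the provider's download.
[Interface]
PrivateKey = <provider-issued private key>
Address = 10.2.0.2/32
# Pin the mark and table number so the FwMark in wg-lan.conf stays in sync
# (without this wg-quick picks the first free table starting at 51820).
FwMark = 51820

[Peer]
PublicKey = <provider server public key>
Endpoint = <provider server>:51820
# Default route into the provider tunnel. wg-quick turns this into a separate
# routing table plus two ip rules rather than replacing the main default route,
# so the more specific 10.8.0.0/24 and LAN routes in the main table still win.
AllowedIPs = 0.0.0.0/0

# ---- laptop: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <laptop private key>

[Peer]
PublicKey = <server public key>
Endpoint = home.example.org:51821
# Everything, LAN and internet alike, goes home first; the server then sends the
# internet-bound part out through the provider tunnel.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Bring the server side up with `wg-quick up wg-lan` followed by `wg-quick up wg-vpn`, then check the result rather than trusting it: `ip rule` should list `not from all fwmark 0xca6c lookup 51820` and `from all lookup main suppress_prefixlength 0`; `ip route get 10.8.0.2` should answer `dev wg-lan`, `ip route get 1.1.1.1` should answer `dev wg-vpn`, and `ip route get 1.1.1.1 mark 51820` should answer via the ISP gateway, which is the path wg-lan's own packets take. If the last one also says wg-vpn, the two FwMark values have drifted apart and the laptop will never complete a handshake.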