For my first goal, I want to get around my ISP’s CGNAT so I can access my NAS outside my network. Tailscale doesn’t work. Attempting to access my NAS always goes through their relays. From what I’ve gathered, a VPS is a good way to get around this so I got the basic $1/mo Racknerd KVM VPS. I’d like a performant way to manage this with low latency being ideal. That is my primary goal. From what I’ve researched, wireguard would be the most performant way to make that connection. I’d like to be able to access my NAS’s primary IP or even set up reverse proxies so I can access it from outside the network, without sending all my network traffic through the NAS. I was under the impression tailscale did this but for some reason when I have tailscale active on my macbook, speedtests show major lag over 100ms.
I’ve heard wireguard was the most performant but anything will do with the goal of accessing my NAS. The maximum I need is to be able to stream 4k hdr/dolby atmos content from my NAS.
My second goal is to set up Unbound, Blocky and maybe have a fallback to quad9. I’d also like my devices to be able to use this externally. I set up a basic version of this today using this guide. However upon more investigation, I’ve learned Blocky causes much less latency than pihole. I went down a rabbit hole, researching nextdns, dnsfilter, etc. I think Blocky and Unbound will be great, but I’m more interested in the goal than the technology used to get there. I’m primarily interested in a low latency content/ad/tracker/malicious blocker that’s available on and off my network.
Would it introduce less latency to run this locally off my NAS, and have a separate version set up in the cloud for when I’m away from home? I’ll happily do this if there’s any tangible benefit. My routing setup is ISP modem/router -> asus zenwifi router-> 10g switch, then my PC and NAS. All connected by cable.
Is there a way to set this up with the primary goal of having external access to my NAS? I feel like there’s a way to kill two birds with one stone with this. Like maybe having the DNS resolve my NAS’s internal IP to the VPS external IP which will then forward traffic requesting that IP address to the NAS somehow (not sure how exactly to accomplish this, or if it’s possible).
I set this up originally on GCP due the guide I followed mentioning performance benefits. I’d be willing to host all this on the VPS if that’s possible, but would prioritize high availability, reliability and low latency, which I believe GCP would give me better than my budget VPS. Strangely, the latency when connected to the current setup, GRC DNS benchmark is showing 100+ ms latency, while with it deactivated I get about 50ms average.
My third and kinda stretch goal is to host my website and side projects with the help of the VPS since I’ll most likely not be using all the storage, bandwidth or computing power from just my primary and secondary goals. I currently host using github pages and redirect to my domain using cloudflare. I had my projects hosted on heroku. It seems like there’s a heroku free tier popping up and then quickly enshittifying every other week so it just seems more reliable to host it myself.
It goes without saying that I’d like to have this be as secure as possible as I’ve read lots of self hosting horror stories. My priorities are security, cost, reliability, performance in that order. I think hosting unbound/blocky on the VPS would make for a more elegant and easy to maintain solution, but I’m not 100% sure of the reliability and performance of Racknerd’s budget level VPS offerings.
So to retierate, I’d like to access my NAS which is behind a CGNAT externally, set up ad/tracker/malicious content blocking, and host my website/projects, with security, cost,reliability and performance in mind.
I think I want to use something like NPM, pfsense, blocky, unbound, authentik, fail2ban, and wireguard. either divided between free tier cloud hosts like GCP and oracle, and my VPS for less critical stuff like NAS access, or just put it all on the VPS if that’s easier. I’ve done an absolute boatload of research to try and educate myself, which I’ve not included here because this would make this already lengthy post even longer. That said I’m still very noobish with all of this and appreciate any advice!
This is not the Nat functionality as people associated with ipv4, and certainly it is not showing the drawback of allowing the communication only when the NATed client started the communication.
Even if they are alike they are not the same.
I reaffirm myself here. It is possible to have full ipv6 communication and providers do not have cgnats. It is your easiest and most uncomplicated solution with almost nothing to install to make it work.
And in addition, I have to say that I don’t see any benefit in using such functionality at home. If someone can illustrate me a use case I would be thankful
I use NAT on IPv6 so that I control which IP address is exposed. I’ve got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a “local” address.
Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.
But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).
You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.
But of course, being the extremely big address space your are probably safe.
I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform
I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.
Let’s say I have a static IPv4: 72.235.228.162
And IPv6 block: 2660:1100:45f0:c17:: /60
What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162
Then I set up the firewall rules for that IP.
Then I NAT 1:1 that IP to the NGINX VM’s IP and now the Internet doesn’t need to know about it.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
This is not the Nat functionality as people associated with ipv4, and certainly it is not showing the drawback of allowing the communication only when the NATed client started the communication.
Even if they are alike they are not the same.
I reaffirm myself here. It is possible to have full ipv6 communication and providers do not have cgnats. It is your easiest and most uncomplicated solution with almost nothing to install to make it work.
And in addition, I have to say that I don’t see any benefit in using such functionality at home. If someone can illustrate me a use case I would be thankful
I use NAT on IPv6 so that I control which IP address is exposed. I’ve got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a “local” address.
Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.
But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).
You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.
But of course, being the extremely big address space your are probably safe.
I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform
I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.
Let’s say I have a static IPv4: 72.235.228.162
And IPv6 block: 2660:1100:45f0:c17:: /60
What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162
Then I set up the firewall rules for that IP.
Then I NAT 1:1 that IP to the NGINX VM’s IP and now the Internet doesn’t need to know about it.