For my first goal, I want to get around my ISP’s CGNAT so I can access my NAS outside my network. Tailscale doesn’t work. Attempting to access my NAS always goes through their relays. From what I’ve gathered, a VPS is a good way to get around this so I got the basic $1/mo Racknerd KVM VPS. I’d like a performant way to manage this with low latency being ideal. That is my primary goal. From what I’ve researched, wireguard would be the most performant way to make that connection. I’d like to be able to access my NAS’s primary IP or even set up reverse proxies so I can access it from outside the network, without sending all my network traffic through the NAS. I was under the impression tailscale did this but for some reason when I have tailscale active on my macbook, speedtests show major lag over 100ms.
I’ve heard wireguard was the most performant but anything will do with the goal of accessing my NAS. The maximum I need is to be able to stream 4k hdr/dolby atmos content from my NAS.
My second goal is to set up Unbound, Blocky and maybe have a fallback to quad9. I’d also like my devices to be able to use this externally. I set up a basic version of this today using this guide. However upon more investigation, I’ve learned Blocky causes much less latency than pihole. I went down a rabbit hole, researching nextdns, dnsfilter, etc. I think Blocky and Unbound will be great, but I’m more interested in the goal than the technology used to get there. I’m primarily interested in a low latency content/ad/tracker/malicious blocker that’s available on and off my network.
Would it introduce less latency to run this locally off my NAS, and have a separate version set up in the cloud for when I’m away from home? I’ll happily do this if there’s any tangible benefit. My routing setup is ISP modem/router -> asus zenwifi router-> 10g switch, then my PC and NAS. All connected by cable.
Is there a way to set this up with the primary goal of having external access to my NAS? I feel like there’s a way to kill two birds with one stone with this. Like maybe having the DNS resolve my NAS’s internal IP to the VPS external IP which will then forward traffic requesting that IP address to the NAS somehow (not sure how exactly to accomplish this, or if it’s possible).
I set this up originally on GCP due the guide I followed mentioning performance benefits. I’d be willing to host all this on the VPS if that’s possible, but would prioritize high availability, reliability and low latency, which I believe GCP would give me better than my budget VPS. Strangely, the latency when connected to the current setup, GRC DNS benchmark is showing 100+ ms latency, while with it deactivated I get about 50ms average.
My third and kinda stretch goal is to host my website and side projects with the help of the VPS since I’ll most likely not be using all the storage, bandwidth or computing power from just my primary and secondary goals. I currently host using github pages and redirect to my domain using cloudflare. I had my projects hosted on heroku. It seems like there’s a heroku free tier popping up and then quickly enshittifying every other week so it just seems more reliable to host it myself.
It goes without saying that I’d like to have this be as secure as possible as I’ve read lots of self hosting horror stories. My priorities are security, cost, reliability, performance in that order. I think hosting unbound/blocky on the VPS would make for a more elegant and easy to maintain solution, but I’m not 100% sure of the reliability and performance of Racknerd’s budget level VPS offerings.
So to retierate, I’d like to access my NAS which is behind a CGNAT externally, set up ad/tracker/malicious content blocking, and host my website/projects, with security, cost,reliability and performance in mind.
I think I want to use something like NPM, pfsense, blocky, unbound, authentik, fail2ban, and wireguard. either divided between free tier cloud hosts like GCP and oracle, and my VPS for less critical stuff like NAS access, or just put it all on the VPS if that’s easier. I’ve done an absolute boatload of research to try and educate myself, which I’ve not included here because this would make this already lengthy post even longer. That said I’m still very noobish with all of this and appreciate any advice!
My concern with using any cloud host would be streaming 4k plex videos over it. I have a feeling that would end up being pretty costly. I’d prefer this whole set up over the cloud but I chose VPS because it allows TBs of bandwidth included in the price which should be more than sufficient.
Oh wait, from my research, with oracle free tier, the bandwidth isn’t the issue, but the speed. It’s limited to 50mbps. I think that limits to like, 1080p no? Would be awesome if it worked for 4k
For the ARM instances they’re a gigabit per OCPU, which you can get 4 of for free (assuming you’re lucky enough with availability), so you can theoretically get 4Gbps for free.
I got set up with one today! Huge thanks for the tip. I would’ve overlooked it because I didn’t know about the ampere instances. Ridiculously powerful. And the physical server is like, 4 hours from me.
VPS running wireguard server, proxies all traffic to/from my home server. Home server URL DNS records point to VPS static IP. Certbot runs with --no-checks flag to obtain letsencrypt cert.
don’t cheap out. Building your whole stack on top of free or ultra budget providers is going to backfire eventually
check the traffic limits if you want to stream 4k content from your NAS
if latency and bandwidth is a concern, you need to select a VPS provider with good peering. This fully depends on your ISP.
i’d recommend setting things up with split DNS. Your DNS server would answer with local IPs for queries from within your LAN and with the IP of the VPS for external queries.
take a look at AdGuard Home
you can skip fail2ban if you go straight for ssh keys
check the traffic limits if you want to stream 4k content from your NAS
For the VPS I chose, the bandwidth limit is 2tb. That’s definitely more than enough! Unless there’s another way they can limit traffic aside from that.
you can skip fail2ban if you go straight for ssh keys
Can you explain that further? Where in the chain would I put this? I’m guessing basically every device I’d want to communicate with the VPS would need an ssh key right? And I could set it up so only particular requests require ssh keys, in case I wanted my homepage to be accessible by anyone?
Thanks for the advice btw!
don’t cheap out. Building your whole stack on top of free or ultra budget providers is going to backfire eventually
I think ideally this would all run on a cloud host. But would it be possible to stream plex without incurring massive charges?
Jellyfin is completely free. I only used it shortly in my LAN environment so I can’t give you any numbers. It should roughly be in the same ballpark as plex though.
is that just the free tier? I’ll have to test this out!
edit: no luck with zero tier. Has the same issue as tailscale but i don’t think they have relays in case it can’t make a connection. It’s just timing out.
Cgnats don’t exist in ipv6. Nat doesn’t exist in ipv6
What also could happen is your isp blocking some ports from outside its network as a security approach, but normally you can ask to free a range of port from the firewall.
My isp doesn’t support ipv6 in my area (Verizon). They claim to be in the process of rolling it out, but it’s been years that they have been saying that, so idk. At least they don’t use CGNAT, so it isn’t a huge deal for me after I set up dynamic DNS.
I can totally believe it. Here in the Netherlands we still have providers that haven’t implemented IPv6. We’ve had one (Delta) finally starting their IPv6 rollout to fiber customers this year, not sure if they already finished it. Some providers are just slow AF unfortunately.
Are you experimenting some kind of connections problems?
I ask because I know some multiplayer games make a heavy use of the ipv6. Steam have some servers that are not reachable via ipv4, and don’t speak about vps…
Can’t answer that I’m afraid. My current provider fully supports IPv6 (and assigns a /48 😁 ), as did their predecessor, so my network has been dual-stack for years.
NAT certainly exists in IPV6, I use it on my home network for my nginx proxy VM. I cannot, for the life of me, figure out how to change the IP on the host so I do NAT on my router. 🤷♂️
This is not the Nat functionality as people associated with ipv4, and certainly it is not showing the drawback of allowing the communication only when the NATed client started the communication.
Even if they are alike they are not the same.
I reaffirm myself here. It is possible to have full ipv6 communication and providers do not have cgnats. It is your easiest and most uncomplicated solution with almost nothing to install to make it work.
And in addition, I have to say that I don’t see any benefit in using such functionality at home. If someone can illustrate me a use case I would be thankful
I use NAT on IPv6 so that I control which IP address is exposed. I’ve got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a “local” address.
Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.
But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).
You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.
But of course, being the extremely big address space your are probably safe.
I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform
I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.
Let’s say I have a static IPv4: 72.235.228.162
And IPv6 block: 2660:1100:45f0:c17:: /60
What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162
Then I set up the firewall rules for that IP.
Then I NAT 1:1 that IP to the NGINX VM’s IP and now the Internet doesn’t need to know about it.
Are you sure? Did you want to troubleshoot this or did you just want to give up?
I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.
After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.
From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.
If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Did you ask your ISP to remove CGNAT? It worked for me
No, they’re extremely closed up. You have to buy an enterprise package for that
Same here, for my ISP it’s no extra charge, they just ask you why you’re opting out
I setup a VPN on Oracle free tier that I use to access my server. It can be difficult to sign up and the ARM instances are hard to get though.
My concern with using any cloud host would be streaming 4k plex videos over it. I have a feeling that would end up being pretty costly. I’d prefer this whole set up over the cloud but I chose VPS because it allows TBs of bandwidth included in the price which should be more than sufficient.
Oracle give 10TB of outbound bandwidth per month for free. Inbound bandwidth is free.
Oh wait, from my research, with oracle free tier, the bandwidth isn’t the issue, but the speed. It’s limited to 50mbps. I think that limits to like, 1080p no? Would be awesome if it worked for 4k
The ARM instances are gigabit. The AMD micro instances are 50 mbps. Most streaming services are in the 15-30 mbps range for 4K video.
Oh shit O_o. That could easily do everything I need my VPS to do but better. That sounds ideal, I’ll have to look into that.
For the ARM instances they’re a gigabit per OCPU, which you can get 4 of for free (assuming you’re lucky enough with availability), so you can theoretically get 4Gbps for free.
I got set up with one today! Huge thanks for the tip. I would’ve overlooked it because I didn’t know about the ampere instances. Ridiculously powerful. And the physical server is like, 4 hours from me.
I’m pretty sure I used this setup: https://golb.hplar.ch/2019/01/expose-server-vpn.html
VPS running wireguard server, proxies all traffic to/from my home server. Home server URL DNS records point to VPS static IP. Certbot runs with --no-checks flag to obtain letsencrypt cert.
Right on, thanks, I’m gonna give this a shot!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
10 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.
[Thread #220 for this sub, first seen 17th Oct 2023, 06:05] [FAQ] [Full list] [Contact] [Source code]
Just a few thoughts:
For the VPS I chose, the bandwidth limit is 2tb. That’s definitely more than enough! Unless there’s another way they can limit traffic aside from that.
Can you explain that further? Where in the chain would I put this? I’m guessing basically every device I’d want to communicate with the VPS would need an ssh key right? And I could set it up so only particular requests require ssh keys, in case I wanted my homepage to be accessible by anyone?
Thanks for the advice btw!
I think ideally this would all run on a cloud host. But would it be possible to stream plex without incurring massive charges?
You can skip fail2ban for SSH. I missed the important bit. Duh…
Never used Plex but had a good experience with Jellyfin.
What’s your setup for this? Can you give me basic bandwidth you use and charges?
Jellyfin is completely free. I only used it shortly in my LAN environment so I can’t give you any numbers. It should roughly be in the same ballpark as plex though.
ah, I was referring to streaming your media through a cloud hosting service.
I had a similar problem with my ISP’s CGNAT, and Zero-Tier One is what got around it for me.
is that just the free tier? I’ll have to test this out!
edit: no luck with zero tier. Has the same issue as tailscale but i don’t think they have relays in case it can’t make a connection. It’s just timing out.
Ipv6
Cgnats don’t exist in ipv6. Nat doesn’t exist in ipv6
What also could happen is your isp blocking some ports from outside its network as a security approach, but normally you can ask to free a range of port from the firewall.
My ISP doesn’t support IPv6.
CGNAT but no IPv6? Despicable
It’s Mexico. The ISPs incredibly worthless and corrupt
My condolences :(
Honestly, I cannt believe it.
Double or triple check it. The problem these days is to get a semifucntianl ipv4, they are expensive, scarce and full of problems.
Ipv6 on the contrary is abundant and all enterprise equipment fully support it since decades.
My isp doesn’t support ipv6 in my area (Verizon). They claim to be in the process of rolling it out, but it’s been years that they have been saying that, so idk. At least they don’t use CGNAT, so it isn’t a huge deal for me after I set up dynamic DNS.
I can totally believe it. Here in the Netherlands we still have providers that haven’t implemented IPv6. We’ve had one (Delta) finally starting their IPv6 rollout to fiber customers this year, not sure if they already finished it. Some providers are just slow AF unfortunately.
Truly incredible, shame on the.
Question then.
Are you experimenting some kind of connections problems?
I ask because I know some multiplayer games make a heavy use of the ipv6. Steam have some servers that are not reachable via ipv4, and don’t speak about vps…
Can’t answer that I’m afraid. My current provider fully supports IPv6 (and assigns a /48 😁 ), as did their predecessor, so my network has been dual-stack for years.
NAT certainly exists in IPV6, I use it on my home network for my nginx proxy VM. I cannot, for the life of me, figure out how to change the IP on the host so I do NAT on my router. 🤷♂️
This is not the Nat functionality as people associated with ipv4, and certainly it is not showing the drawback of allowing the communication only when the NATed client started the communication.
Even if they are alike they are not the same.
I reaffirm myself here. It is possible to have full ipv6 communication and providers do not have cgnats. It is your easiest and most uncomplicated solution with almost nothing to install to make it work.
And in addition, I have to say that I don’t see any benefit in using such functionality at home. If someone can illustrate me a use case I would be thankful
I use NAT on IPv6 so that I control which IP address is exposed. I’ve got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a “local” address.
Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.
But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).
You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.
But of course, being the extremely big address space your are probably safe.
I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform
I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.
Let’s say I have a static IPv4: 72.235.228.162
And IPv6 block: 2660:1100:45f0:c17:: /60
What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162
Then I set up the firewall rules for that IP.
Then I NAT 1:1 that IP to the NGINX VM’s IP and now the Internet doesn’t need to know about it.
Tailscale doesn’t work? Because that’s what I use to get around my isp cgnat
Nope, tailscale ping can’t establish a direct connection and trying to access the NAS is pretty much impossible.
Are you sure? Did you want to troubleshoot this or did you just want to give up?
I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.
Of course I didn’t just give up. I’d rather a free option than a paid one but thems the breaks. Good for you though, sounds like it just worked.
After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.
From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.
If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.
Alright, thanks for the help!