Cloudron 9 - VPN In/Out for Containerized Apps
-
Inspired by the Invidious companion thread, this thread serves as the point of architectural discussion for Cloudron 9.x.
I asked whether Cloudron 9 will have the ability to VPN out from a container and have apps appear to come from a different IP.
For the experimenters, let's say getting Cloudflare WARP (VPN accelerator) working for an app such as Invidious (mainly to help make Invidious work as Google/Youtube may block certain VPS IPs over time).
In the past we've discussed a way to get VPN access into an App container and now that we have Wireguard functional in the VPN App we can leverage that for specific containers for both ingress and egress.
Having more functionality for internal network routing is a welcome enhancement for the community from multi-year requests in various use cases.
-
VPN as an external addon like databases and the like would be sweet. I've managed to have a proxy app to an internal (homelab) service by manually installing wireguard on the cloudron server, and routing just worked.
I'm not using it like this anymore, since cloudron doesn't support maintaining external tools on the server, but I think an addon might solve this.
-
@malvim Thanks for the feedback, did you use the Cloudron Proxy App from the App Store?
Another common use case is making local apps and services available at a domain:port via tools such as ngrok, Localtunnel, or many others. This would be a good use case especially since Cloudron can programmatically instantiate new subdomains.
-
@james I'm TERRIBLE at writeups, but I'll summarize it and maybe we can write something better together if you think it's interesting enough:
So I have a cloudron machine with a public IP, vanilla setup. I also have a raspberry pi in my home network running a few services, and an external VPS.
I use a "hub-and-spoke" wireguard architecture, which is pretty common and straightforward as well. It is set up like so:
- VPS has a public IP
- I installed and set up wireguard in it. Let's say it uses interface wg0, and its wg IP address is 10.0.0.1, network 10.0.0.0/24
- I had to set a few things to enable packet forwarding on the VPS so it would act as a "router" between my raspberry pi and other devices, but it's pretty straightforward stuff
- I installed and set up wireguard in my raspberry pi, interface wg0, IP address 10.0.0.2; added the VPS as a peer with its public key, allowed-ips 10.0.0.1/24, and the endpoint is its public IP and the port I had wireguard listen on
So now when I turn on wireguard on both VPS and pi, I can ping 10.0.0.1 from the pi, and I can ping 10.0.0.2 from the VPS. This is the simple hub-and-spoke setup, with the VPS acting as the hub (because it has a public IP address) and the raspberry pi and other devices (say my laptop or phone) are the "spokes".
So now for the cloudron part:
- installed wireguard on my cloudron machine and set it up as a peer to the wireguard network, same as I did on the pi. Added the VPS as the only peer, and on the VPS added one more peer which was the cloudron server. Say its IP is 10.0.0.100
- I can now ping 10.0.0.1 (vps) and 10.0.0.2 (pi) from the cloudron server, and I can also ping these IPs FROM ANY CLOUDRON APP as well!
- I had a service running on the raspberry pi on port 8080, so I installed a new app proxy on the cloudron from the app store, and the upstream address was http://10.0.0.2:8080, and it all worked.
Now, I COULD get rid of the VPS and use only cloudron, both as the wireguard "hub" and reverse proxy. That would be great because it's one less machine I have to pay for and maintain (the VPS), and I would benefit from user management and stuff. Cloudron explicitly says it needs to be the sole service installed on the machine, though (which makes sense, not complaining), so I haven't done this yet.
Not sure this is a good enough description, but I'm here to answer any questions if needed.
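The hub-and-spoke topology described in the post above (VPS hub at 10.0.0.1, Raspberry Pi at 10.0.0.2, Cloudron server at 10.0.0.100), written out as a config generator. This is an added example, not the poster's own setup files: key material and the hub endpoint are constructed placeholders, port 51820 and the iptables/sysctl lines are assumptions. The hub gives each spoke a /32 in AllowedIPs so WireGuard's cryptokey routing rejects packets from a spoke that claim another spoke's address, and forwarding is restricted to traffic that stays on the wg interface.

```shell
#!/usr/bin/env bash
# Added example: generate WireGuard hub-and-spoke configs for the topology in the post.
# Placeholder keys below are constructed; make real ones with:
#   wg genkey | tee private.key | wg pubkey > public.key
set -eu

WG_NET="10.0.0.0/24"
HUB_IP="10.0.0.1"
HUB_ENDPOINT="HUB_PUBLIC_IP_PLACEHOLDER:51820"   # placeholder, not from the post

# hub_conf HUB_PRIVKEY "spoke_pubkey:spoke_ip" ...   -> prints the hub's wg0.conf
hub_conf() {
  local privkey="$1"; shift
  printf '[Interface]\nAddress = %s/24\nListenPort = 51820\nPrivateKey = %s\n' "$HUB_IP" "$privkey"
  # Enable forwarding, but only accept forwarded packets that enter and leave on wg0
  # (%%i is printf escaping for WireGuard's %i interface placeholder).
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
  printf 'PostUp = iptables -A FORWARD -i %%i -o %%i -j ACCEPT\n'
  printf 'PostDown = iptables -D FORWARD -i %%i -o %%i -j ACCEPT\n'
  local peer
  for peer in "$@"; do
    # A /32 per spoke: cryptokey routing drops packets whose source is not this address,
    # so one spoke cannot impersonate another on the overlay.
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "${peer%%:*}" "${peer#*:}"
  done
}

# spoke_conf SPOKE_PRIVKEY SPOKE_IP HUB_PUBKEY   -> prints a spoke's wg0.conf
spoke_conf() {
  printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n' "$2" "$1"
  # Route the whole overlay /24 via the hub so spokes reach each other through it;
  # nothing else (no 0.0.0.0/0) is pulled into the tunnel.
  printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$3" "$HUB_ENDPOINT" "$WG_NET"
}

if [ "${1:-}" = "--demo" ]; then
  echo "### VPS hub"; hub_conf "HUB_PRIVKEY_PLACEHOLDER" \
    "PI_PUBKEY_PLACEHOLDER:10.0.0.2" "CLOUDRON_PUBKEY_PLACEHOLDER:10.0.0.100"
  echo; echo "### Raspberry Pi spoke"
  spoke_conf "PI_PRIVKEY_PLACEHOLDER" "10.0.0.2" "HUB_PUBKEY_PLACEHOLDER"
  echo; echo "### Cloudron spoke"
  spoke_conf "CLOUDRON_PRIVKEY_PLACEHOLDER" "10.0.0.100" "HUB_PUBKEY_PLACEHOLDER"
fi
```

Run with `--demo` to print all three configs; each goes to /etc/wireguard/wg0.conf on its host before `wg-quick up wg0`.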