Cloudron homeserver forwarded to DO via VPN
I have a pretty decent x86_64 system at home which I can use for server duty, and I think Cloudron is great for my use case. I know that setting this up at home would have two difficulties:
- Dynamic IP
- NAT Port forwarding
From what I understand, Cloudron has a way to solve this. Perhaps a container running and checking the external IP every minute and updating the DNS service provider accordingly. So the first issue seems to be easily solved. The second issue, though, I am not so sure about. I see that my router supports UPnP -- does this mean that when I install app X the port will open automatically?
I was thinking maybe there is a better alternative -- something like a hybrid. Let me explain:
I buy a cheap VPS at DigitalOcean or an EC2 AWS instance (something that Cloudron supports) and I install manually (without using Cloudron) an OpenVPN server. Then I install a VPN client on my home server (where Cloudron runs). The idea is to tell Cloudron to forward all the traffic of the apps via the VPN connection. Why do this? Because I think it's easier to do the following:
- No more dynamic IP issue -- plus your home IP address is not exposed.
- No more NAT issues, since the services will be exposed at the VPS running on DO network.
- I can use my home hardware.
- My data are at my home
^^^ Are those assumptions correct? ^^^
If so, how easy is it to do a setup like that?
@drpaneas Cloudron handles dynamic IPs, so you should be good there and not need the VPS.
Personally, I recommend Hetzner instead of DO, many others here seem to be happy with it too. The smallest VPS Cloudron will run on is like €3/month, so it's almost worth having just as a playground.
@marcusquinn thanks for the reply. There are many apps I am going to install through Cloudron, and the one I am particularly interested in installing is Nextcloud! I have bought an 8TB disk and I want to use it for the whole family -- similar to Google Drive/Dropbox solutions. Getting such an amount of storage as a service is going to be really expensive; that's why I am considering hosting Cloudron at home rather than remotely.
Apart from that though, I think it's a really good idea to be able to isolate your home IP address from the rest of the world and provide your services using a VPS. In my mind it doesn't sound that complicated:
The virtual server will have only two services: OpenVPN, and a reverse proxy (HAProxy, nginx, etc.), so it is very easy to maintain. The OpenVPN will allow you to connect your Cloudron homeserver to the VPS server, and thus allow its exposure on the Internet, while HAProxy will distribute traffic to VPN clients according to the URL received (HAProxy layer 7).
Here are some use cases for this feature:
- In some countries, the ISP does not provide a public IP address (direct Internet exposure address) to each connected user, but passes traffic through a single point on the Internet.
- Some other ISPs consider self-hosting a violation of the contract, so they block direct incoming traffic to your box.
- What interests me in this type of service is its bandwidth, regardless of the server’s power and storage capacity.
- Inexpensive (as you said, 3 Euro @ Hetzner)
- Easy to maintain
- Perhaps DDoS protection or any other protection the cloud provider provides within their network.
- Does not require NAT to be installed on your internet box -- yet you self-host at home.
- Cloudron homeserver isolation can be instantaneous (OpenVPN service shutdown).
- You benefit from the firewalls of the infrastructure in which the VPS server is hosted.
- You can move your Cloudron server anywhere (e.g. relocate your home address, or change to a completely new router) without any configuration changes.
Hetzner is a choice, sure. The reason I prefer DO or AWS is because I assume Cloudron can auto-configure their firewall or modify DNS records. Did I get that right?
@drpaneas You're gonna love it, I'm sure! One by one I'm converting friends & family too.
Yes, Hetzner has DDoS protection for the whole network, regardless of whether you have a domain or a naked IP.
I really don't like anything Amazon, and DigitalOcean is just very pricey and either throttled or has lots of hidden extra costs.
Contabo is another option if you want even more bang for your buck, but with a slightly dated interface and a few fewer custom networking features without contacting their support. I have 9 VPSs with them though, and I'm very happy with the bang for buck there too.
Seriously, you really don't need AWS & DO; try Hetzner or Contabo, or one of the other partner hosts Cloudron recommends.
I use Cloudflare for DNS, which the Cloudflare integration handles beautifully. I know some are suspicious of them, but you don't have to use their DNS proxying, and from what I read they seem to be basing so much of their business model on privacy that I think their selling or backdooring any data wouldn't be worth it. I think Hetzner DNS integration is coming soon too though.
I use Wasabi for backups and am happy with that. Someone recommended ODrive for replication of backups, but I've not tried that yet.
My money is where my mouth is on those things, so happy to recommend.
I get where you're going, and I have Gigabit Fibre at home with 0ms ping times to London & Paris, so I could build a server farm at home at some point but, for now, most of my focus is on the apps because that's where the ultimate value is for me.
@drpaneas And if you're good with VPNs, why not WireGuard for max speed?
@marcusquinn thank you for your extra tips and comments on the cloud provider side, really appreciated. I am already using Cloudflare (without the proxy -- just DNS) and I'm really happy with the service. It's not that I am not experienced enough to configure all those things by hand, but my current daily work is being an SRE for Kubernetes, so the last thing I need right now is to spend my off-work hours on work-related topics.
Anyway, I would most likely go with Hetzner to give them a try, so you made them a customer.
My current internet speed at home is a 250 VDSL. See:
Is that good enough? I guess it's OK, but only production usage will tell.
WireGuard is my second step in the process. First I need to make sure this setup works with OpenVPN, so as to avoid any compatibility/legacy hiccups -- and then, as soon as I have proof that Cloudron can redirect the traffic, I suppose I can easily switch to WireGuard for better speed.
So from what I understand, after setting up the DNS server (on the remote VPS) and the Cloudron server (at home), I have to tell Cloudron to use tun0 (https://docs.cloudron.io/networking/#dynamic-dns). Right? In that case the SSL certificates will use the IP address taken from the tun0 interface -- that would be the private/local network of the VPS.
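As an added example (not from the thread, and not Cloudron's or HAProxy's own documentation), here is a VPS-side HAProxy configuration for the OpenVPN + HAProxy layout described earlier: port 443 is routed by SNI in TCP mode, so TLS is never terminated on the VPS and the home Cloudron keeps issuing and serving its own certificates, which are bound to hostnames rather than to any tun0 address. Assumed values: tunnel subnet 10.8.0.0/24, Cloudron at 10.8.0.2 serving *.example.com, and a second VPN client at 10.8.0.3 serving other.example.org.

```haproxy
# Added example config (constructed, not from the forum thread).
# Addresses and hostnames below are assumptions for illustration only.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain HTTP is forwarded by Host header so redirects and any HTTP-based
# certificate validation still reach the home server over the tunnel.
frontend http_in
    bind *:80
    mode http
    option httplog
    option forwardfor
    acl host_cloudron req.hdr(host),field(1,:),lower -m end .example.com
    acl host_other    req.hdr(host),field(1,:),lower -m str other.example.org
    # Unknown hostnames are refused on the VPS, never sent home.
    http-request deny unless host_cloudron || host_other
    use_backend cloudron_http if host_cloudron
    use_backend other_http    if host_other

# TLS passthrough: read the SNI from the ClientHello, then hand the raw
# TCP stream to the matching VPN client. No certificate lives on the VPS.
frontend https_in
    bind *:443
    option tcplog
    tcp-request inspect-delay 5s
    # Anything that is not a TLS hello for one of our names is dropped here.
    tcp-request content reject unless { req.ssl_sni,lower -m end .example.com } || { req.ssl_sni,lower -m str other.example.org }
    use_backend cloudron_https if { req.ssl_sni,lower -m end .example.com }
    use_backend other_https    if { req.ssl_sni,lower -m str other.example.org }

backend cloudron_http
    mode http
    server home 10.8.0.2:80 check

backend cloudron_https
    server home 10.8.0.2:443 check

backend other_http
    mode http
    server other 10.8.0.3:80 check

backend other_https
    server other 10.8.0.3:443 check
```

Because the TLS stream is passed through untouched, the home server sees the VPS's tunnel address as the client source for HTTPS connections, so access logs and any IP-based blocking on the Cloudron side need to account for that (the PROXY protocol, if enabled on both ends, is the usual fix). Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.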
@drpaneas Yeah, I think ping times make more difference than bandwidth in most cases.
The rest sounds right but everyone has different routers and setups, so it's a case of try it and ask again here if anything doesn't work as there's a bunch of home-hosting experience around.
@drpaneas I host at home myself with the same constraints you have - dynamic IP and NAT port forwarding. I have a normal residential connection (Comcast).
- For dynamic IP, go to Domains and enable Dynamic DNS. With this, Cloudron will periodically poll your public IP and update DNS accordingly.
- Port forwarding is a feature of the router. Most modern routers should support this already.
So... you don't really need a VPN tunnel to have a Cloudron at home. All my apps are also publicly accessible (intentionally). I want to be able to use apps from outside my home via the mobile network.
Let me know if I misunderstood your question.
@girish in my case it's even easier because my router (Fritzbox) has a setting that bypasses NAT completely and my machine (only one) is exposed on the internet.
tl;dr: I don't have any problem with the way it is; everything is working fine for me. This is just a feature request for the future. Not a necessity, but a nice-to-have.