Just want to plug TailScale for being awesome.
I’ve been dabbling in hosting some services from my home Unraid server. My standard setup was:
- Domain from AWS Route53 with an entry that points all my subdomains to a CNAME record registered in DuckDNS. So www.mydomain.com, nextcloud.mydomain.com etc. all point to mydomain.duckdns.org.
- DuckDNS to ensure mydomain.duckdns.org points to my current public IP, as my ISP changes this fairly regularly.
- SWAG - manages Let's Encrypt certificates for subdomains and proxies subdomain requests to the appropriate service host (other containers mostly).
This setup requires port forwarding ports 80 and 443 on my router to my Unraid server. I actually bought a new router because my old one didn't allow port forwarding for these two ports. It's been working great, all the photos from my phone sync to Nextcloud, I'm hosting my own blog etc. It's been fun. However, I've been pretty uncomfortable with port-forwarding my home connection, mostly because my router firmware isn't going to get updates. I'd prefer a port-scan of my public IP to return nothing.
Now with TailScale, I can replicate the experience without needing ANY port forwarding. My new setup looks like this:
- Tiny $5 USD Linode instance (thanks Linode credits). This instance can be small because it doesn't do much:
  - Runs DuckDNS as a cronjob so now mydomain.duckdns.org points to that instance instead of my home public IP.
  - Container running SWAG with exactly the same docker-compose config as the one that used to run on my Unraid server.
  - Ports 80 and 443 opened up in Linode Firewall, all other traffic is dropped.
  - TailScale authenticated to my own network.
- Unraid server:
  - dsmith44's community application for tailscale - adds my Unraid server to the tailscale network.
  - nginx proxy conf changes:
    - On the Linode instance, I changed all my configs to reflect the change in routing. Instead of relaying traffic to the internal port of the container, it relays the traffic to the port exposed on the Unraid server's IP on my tailscale network (which remains stable regardless of my public IP).
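The proxy conf change described above, as an added example that is not part of the original post and not taken from SWAG's own sample confs. It follows the layout SWAG uses for its `proxy-confs/*.subdomain.conf` files (the `$upstream_*` variables and the `proxy.conf`/`ssl.conf` includes). The service name `nextcloud`, the Tailscale address `100.101.102.103` and the host port `8443` are assumptions; the real Tailscale address of the Unraid host comes from `tailscale ip -4` and the host port is whatever Unraid publishes for the container. The two `server` blocks live on different machines (the old one on Unraid, the new one on the Linode instance); they are shown side by side only for comparison.

```nginx
# BEFORE (SWAG on the Unraid host): SWAG and Nextcloud share a Docker network,
# so the upstream is the container name resolved through Docker's embedded DNS
# and the container's internal port.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nextcloud.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;     # Docker's embedded DNS
        set $upstream_app nextcloud;       # container name on the Docker network
        set $upstream_port 443;            # port inside the container
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# AFTER (SWAG on the Linode instance): the upstream is the Unraid host's
# Tailscale address and the port Unraid publishes on the host for the container.
# Tailscale addresses are in the 100.64.0.0/10 range and stay fixed for the node,
# so nothing here has to change when the home public IP changes.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nextcloud.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        # No resolver needed: the upstream is a literal IP, not a container name.
        set $upstream_app 100.101.102.103; # ASSUMED Tailscale IP of the Unraid host
        set $upstream_port 8443;           # ASSUMED host port published for Nextcloud
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Two things worth checking with this layout. TLS from the browser terminates on the Linode instance, so that VPS sees the plaintext of every request; the hop from the VPS to the Unraid host rides inside Tailscale's WireGuard tunnel, so it is encrypted even if the upstream were plain HTTP. And the host port the VPS connects to is also reachable from the home LAN unless the container is bound to the Tailscale interface or firewalled, so it is worth confirming that is intended. If the service is Nextcloud, its `trusted_proxies` setting should list the VPS's Tailscale address so client IPs in its logs and brute-force protection reflect the real client rather than the proxy.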
I’ve disabled all port forwarding on my router and can access all my services as normal. There is a slight (<30ms) increase in latency to my services, but that’s okay for my usage. Do note that since all the traffic is relayed, this might not be ideal if you use services that consume huge amounts of data a month. Linode’s traffic limits are way more generous than AWS though so good on them.
This setup is very well suited to my specific requirements, but I wanted to share it in case someone else wanted to try it out. If you haven’t been able to do home hosting because you are on a network where you can’t port-forward the required 80 and 443 (e.g. campus networks), this might also work for you.