Max

[Help] How can I use a VPS to protect my home's ip?

https://mander.xyz/post/719049

[Help] How can I use a VPS to protect my home's ip? - Mander

I have a nextcloud instance being hosted from my home network. The URL associated with it points directly at my home’s IP. I don’t want to host the instance on a VPS because disk space is expensive. So, instead, I want to point the URL at the VPS, and then somehow route the connection to my home’s nextcloud instance without leaking my home’s ip. How might I go about doing this? Can this be achieved with nginx? EDIT: Actually, not leaking my home’s IP is not essential. It is acceptable if it is possible to determine the IP with some effort. What I really want is to be able to host multiple websites with my single home IP without those websites being obviously connected, and to avoid automatic bots constantly looking for vulnerabilities in my home network.

Jun 15, 2023 at 10:51pmWeb
Show threadsamnJun 15, 2023
At the basic level, you could do a reverse ssh tunnel to forward the port from your home server to the VPS, although there’s some efficiency issues doing this iirc, and you’ve got the issue of it failing if the tunnel ever breaks
Show threadsionide21Jun 15, 2023

You can use wireguard to set up a tunnel between your home server and the VPS. Then set up nginx on the VPS to forward web requests over the tunnel.

But make sure you keep the server up to date and it's probably wise to put a firewall on your home server because if the VPS gets hacked, it could be used to get to your home network.

WireGuard: fast, modern, secure VPN tunnel

WireGuard: fast, modern, secure VPN tunnel

Show threadpoVoqJun 15, 2023
A wireguard tunnel/VPN is probably what you want.
Show threadMaxJun 16, 2023

From what I have learned today, I think that Wireguard Tunnel is what I want!

First I was able to use nginx as a reverse proxy to route the information from my home network through the VPS. But with this approach the client would do the SSL handshake with the VPS, and then the VPS fetches information from my home network via HTTP. Since there is no encryption layer between my VPS and my home network, I suppose that the flow of information between my home server and the VPS is insecure.

Then, I need to establish some form of encrypted connection between my home server and the VPS... And that is where the Wireguard Tunnel comes in! This tunnel allows me to transfer the information with encryption.

I am still reading and setting it up, but yeah, I'm liking this, thanks!

Show threadpoVoqJun 16, 2023
Nginx can also do something called SNI routing that would allow to keep the connection between your VPS and your homeserver encrypted, but overall I think a Wireguard tunnel is probably more flexible.
Show threadMaxJun 16, 2023

Oh, cool! I have managed to do it with the Wireguard tunnel! I set up a tunnel and use the nginx proxy_pass to redirect through the tunnel. It is pretty nifty that I don't even need to port-forward!

My next step is: in my current configuration, the SSL handshake occurs between the VPS and connecting client. So the VPS has access to everything that goes through... I need to figure out how to hand-shake through the tunnel such that the VPS does not get the SSL keys.

Thanks a lot for your suggestion!

Show threadpoVoqJun 16, 2023
You can do SNI routing also though the tunnel.
Show threadMaxJun 16, 2023
That's the next topic then. Thank you
Show threadboothinJun 15, 2023
If all you're wanting to do is hide your home ip, could you just put it behind cloudflare?
Show threadMaxJun 16, 2023
I am looking into that too! But I do want to understand the foundations of how to route network traffic, and I feel like this must be a straight-forward thing to do once I understand how to do it, if you know what I mean.
Show threadpunkskunkJun 16, 2023
I believe this is exactly the use-case for Cloudflare Tunnels: https://www.cloudflare.com/products/tunnel/
Show threadMaxJun 16, 2023
Thanks! That seems to come with even more protections than simply hiding the IP, so it is worth definitely worth considering!
Show threadbigkahuna1986Jun 16, 2023
Reverse proxy with caddy?
Show threaddleeweeJun 16, 2023

I have done this before by setting up a Wireguard VPN link between my home server and a VPS, and then running a reverse proxy (such as Caddy) on the VPS, which basically forwarded web requests to my home server. This works well for most things, although there was a definite performance hit by routing traffic through the extra hop.

By using the VPN connection, you wouldn't even need to open a port on your home network which is a great starting point for security as well.

Show threadMaxJun 16, 2023

Thank you!

By using the VPN connection, you wouldn’t even need to open a port on your home network which is a great starting point for security as well.

Hmm, what do you mean with this? I would need to at least open one port to route the connection to the nextcloud instance in my home network - right?

Show threaddleeweeJun 20, 2023
Only the host acting as the VPN "server" needs to have an open port. In my setup, I made the VPS the server and my home server a client. Thus I had no open ports on my home network, only on the VPS.
Show threadAvalanchedJun 17, 2023
I currently use reverse ssh tunnels to my vps. The vps runs nginx proxy manager and through that way I can tunnel specific ports to my vps, whereas with wireguard all my internet traffic was rerouted to my vps. I didn't like that because of bandwith limitations so that's why I chose this aproach
Show threadMaxJun 17, 2023

ssh tunnels

There are so many concepts to learn about! But if the SSH tunnel improves the the available useful bandwidth compared nginx/wireguard, it might be worth looking into it too. Thanks!

Show threadAvalanchedJun 17, 2023
nah it's more that I really don't understand wireguard an that I'm to incompetent to learn to correctly configure it so that it only tunnels a few ports, if you're looking to use ssh tunnels I'd recommend this tutorial from jeff geerling: https://www.jeffgeerling.com/blog/2022/ssh-and-http-raspberry-pi-behind-cg-nat
SSH and HTTP to a Raspberry Pi behind CG-NAT | Jeff Geerling

Show threadMetroWindJun 26, 2023

You can setup HTTP reverse proxy on your VPS. You’ll need to point the domain to your VPS for that to work.

What I really want is to be able to host multiple websites with my single home IP without those websites being obviously connected

That’s easy. You have two ways:

  • Host the websites under different paths in the same domain. If your websites are static this is fine, but if they are “services” this may not be feasible (and could be very complicated if it is feasible).
  • Host them under different sub-domains. The way it works is you create a bunch of NS records in your DNS, pointing the subdomains to your root domain, and setup one “virtual host” for each of them. Both Apache and Nginx have the ability to match virtual host by domain name.

to avoid automatic bots constantly looking for vulnerabilities in my home network.

I’m not sure how you would eliminate bots by separating the websites though.