I spent all day today trying to get the routing to work correctly between Tailscale, Nginx and Adguard.

Basically I wanted to be able to be able to use **http://immich.network ** to route to 192.168.1.2:9000

I wanted to share the steps I took so people don’t have to go through what I did.

First a few things Local Server IP: 192.168.1.2

  1. I installed Ngnix and Adguard, in a Docker Containers, and gave Adguard IPs 3000, 3001 instead of 80 and 443 because Ngnix took it.
  2. I went to my router and made it use the DNS: 192.168.1.2
  3. I configured Proxy Host in Ngnix … immich.network => 192.168.1.2:9000
  4. I configured DNS rewrite in Adguard … *.network => 192.168.1.2

At this point I was able to use http://immich.network finally. I installed Tailscale to be able to access when I’m outside but http://immich.network didn’t work.

These helped me https://tailscale.com/kb/1019/subnets + https://tailscale.com/kb/1054/dns?q=global+nameserver

  1. I created a subnet… tailscale up --advertise-routes=192.168.1.0/24
  2. I approved it on Tailscale login

At this point I was able to access home server using its local IP 192.168.1.2 but I couldn’t get http://immich.network to work.

  1. I created a nameserver dns with split DNS but I used my local ip… 192.168.1.2 => network

Finally everything is working… I have a feeling that I’m doing it wrong but I’m too tired and it’s finally working.

  • rhymepurple@lemmy.ml
    link
    fedilink
    English
    arrow-up
    25
    ·
    7 months ago

    Congrats on getting everything working - it looks great!

    One piece of (unprovoked, potentially unwanted) advice is to setup SSL. I know you’re running your services behind Wireguard so there isn’t too much of a security concern running your services on HTTP. However, as the number of your services or users (family, friends, etc.) increases, you’re more likely to run into issues with services not running on HTTPS.

    The creation and renewal of SSL certificates can be done for free (assuming you have a domain name already) and automatically with certain reverse proxy services like NGINXProxyManager or Traefik, which can both be run in Docker. If you set everything up with a wildcard certificate via DNS challenge, you can still keep the services you run hidden from people scanning DNS records on your domain (ie people won’t know that an SSL certificate was issued for immich.your.domain). How you set up the DNS challenge will vary by the DNS provider and reverse proxy service, but the only additional thing that you will likely need to set up a wildcard challenge, regardless of which services you use, is an email address (again, assuming you have a domain name).

    • Mir@programming.devOP
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      7 months ago

      Thank you for the* so much wanted advice, it’s one of the reasons I actually posted this, to get advices on how to do things better.

      I’ve been trying to do that for a specific service running (firefly) but I can’t figure out what to do exactly, about the domain name, Is there a way to do that without one?

      • LifeBandit666@feddit.uk
        link
        fedilink
        English
        arrow-up
        5
        ·
        7 months ago

        You can get pretty cheap domain names if you google around. I managed to get mine for £35 for a number of years (3 I think, I was high when I set it up) and got a .com name out of that.

        You could look into DuckDNS. I know I used them many moons ago for Home Assistant but can’t quite remember what the capabilities were, I just remember it was free and a bit rubbish. But as a stopgap it works.

        Try that for a bit until you have a few quid spare, then get yourself a domain name paid for a while.

        • toffi@feddit.de
          link
          fedilink
          English
          arrow-up
          4
          ·
          7 months ago

          I used dynv6.com to get a free subdomain e. g. [name].dynv6.net and then a swag docker to do the reverse proxy subfolder->dockerport matching. Trafic in my home network is http and the swag ports are the only one exposed to the public. When I find the time I’ll do in depth setup guide including the ipv6 setup problems.

            • LifeBandit666@feddit.uk
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              7 months ago

              Have a look into Heimdall or Homarr. Much easier, don’t need to worry about addresses at all. Single set up and add Tailscale exit node for external access.

              I’ve been fiddling with it again today and (using Homarr) my only services that don’t work when I access through Tailscale are the ones I use names for (are.local, server.local, etc) and I can access them when I use the IP:port so when I get home I’ll just change them to IP:port on Homarr and I’ll be all good

              • Mir@programming.devOP
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                Yea I’m using Homarr, I’ve just finished setting everything up. The only problem I have right now is that I can’t access Syncthing GUI through the domain.

      • SirBoostALot@hear-me.social
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        @Mir @rhymepurple Another place you can get free domain names is freedns.afraid.org - they have been around nearly forever and all you have to do is log into their site and go to any page once every six months (I guess so they know you are still alive) but they will email you a notice a couple weeks before that time is up. And at least for me they have always been very reliable.

        • Mir@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          Thank you, Might try them because duck dns domain is flagged by the browser for some reason and it’s worth than no https warning

    • peregus@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Is it possible to issue and update certificates for LAN services? About wildcard certificates, is it possible with Let’s Encrypt? Thanks!

      • rhymepurple@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        Everything I mentioned works for LAN services as long as you have a domain name. You shouldn’t even need to point the domain name to any IP addresses to get it working. As long as you use a domain registrar that respects your privacy appropriately, you should be able to set things up with a good amount of privacy.

        Yes, you can do wildcard certificates through Let’s Encrypt. If you use one of the reverse proxies I mentioned, the reverse proxy will create the wildcard certificates and maintain them for you. However, you will likely need to use a DNS challenge. Doing so isn’t necessarily difficult. You will likely need to generate an API key or something similar at the domain registrar or DNS service you’re using. The process will likely vary depending on what DNS service/company you are using.

  • N0x0n@lemmy.ml
    link
    fedilink
    English
    arrow-up
    13
    ·
    7 months ago

    Congrats !!!

    Only one day? Lucky you ! It took me a whole week to get it to work with self-signed ssl certificate behind Traefik + docker + Adguardhome.

    Adguard home rewrites and the correct certificate configuration solved most of my isues (android can be picky with self-signed root certificates). But I learned ALOT through the whole week, so I didn’t waste my time :).

    I hope you too learned alot :) but if I may, I would switch from AdguardHome to Pi-hole.

    I know… AdguardHomes functionalities and UI are awesome and overpass Pi-Holes’ but since I saw they add some strange trackers and very sketchy DNS request in their AdguardVPN android application, I don’t trust them anymore !

    • lemmyreader@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      ·
      7 months ago

      I hope you too learned alot :) but if I may, I would switch from AdguardHome to Pi-hole.

      +1

      • pi-hole rocks! :)
      • N0x0n@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        It does !! I really like it and was easy peasy to make the switch. But I have to admit, AdguardHome’s UI and DNS logs are way more detailed and I’m missing a few features I used with AGH. But nothing to critical that makes pi-hole unusable in my workflow !

        But yeah, they do not have the same budget… That’s a good tradeoff i’m willing to take for my privacy :).

        And one day, when I get a job I will surely donate to them.

    • Mir@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I just finished the SSL today, but have you gotten Syncthing GUI to work though? I can’t seem to get it to work with the domain for some reason.

      • N0x0n@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Hummm, I have a syncthing instance in a docker compose, so yeah I can access it through my ssl domain (https://syncthing.home.lab) but traefik takes care of everything.

        Now if it’s on your local machine you’re trying to use your SSL certificate I don’t know, I always access it through the local ip (127.0.0.1:8384).

        If I had to guess or give it a try, I would point the IP to my dns through my host file on my machine. But that’s just a wild guess :/

        I think syncthing has a good documentation about it :)

        • skittlebrau@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          You could use split DNS on your router (or wherever your DNS is) so that when you visit the syncthing address on your local network, you’re being directed to traefik.

          I use a domain override in pfsense for syncthing.myhomelab.com which points to my reverse proxy’s local IP.

        • Mir@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          I can access using the local ip but I can’t access using the ssl domain, I can access it but I can’t login for some reason. I can’t figure out how to fix it

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    4 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CA (SSL) Certificate Authority
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    XMPP Extensible Messaging and Presence Protocol (‘Jabber’) for open instant messaging
    nginx Popular HTTP server

    10 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

    [Thread #719 for this sub, first seen 28th Apr 2024, 06:25] [FAQ] [Full list] [Contact] [Source code]

  • lud@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    I also host all my stuff on 192.168.1.2. It’s just my gaming pc with a bunch of services for piracy but it’s good enough until I can build a proper server in the future.

  • LifeBandit666@feddit.uk
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    Hello again.

    I’ve gone through your steps outlined in this post now for LAN. I’ve made my own network name .crypt and added *.crypt to Adguard and pointed it at the IP address of Nginx.

    I’ve then gone and mapped my local services in Nginx. So radarr.crypt sonarr.crypt plex.crypt etc and mapped them to ports.

    Now what I enjoyed was that I had to map Adguard to forward to Nginx, but in Nginx I can use the IP address of anything on my network, not just on the host.

    So it’s map Adguard in DNS rewrites to Nginx IP, then map the IP:ports in Proxy Hosts in Nginx.

    Now when I use my Tailscale exit node (that I have from Home Assistant) I can use those addresses outside the house.

    I have noticed it only works for the .crypt domains, and not .local despite being set up as well. I guess because .local is a special address it is harder to map to Tailscale.

    Anyway, it’s working for me after following what you’ve done, I just did less in Tailscale because of the exit node

    • LifeBandit666@feddit.uk
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I’ve just looked this up. So is Yunohost supposed to replace Proxmox or can I install it as a service in Proxmox? Will it run in Docker?

      I’d have a go at installing it if my 10 year old wasn’t saving democracy on my PC at the mo (playing Helldivers 2) there’s no way I can prize him off that just to tinker with and ultimately uninstall, another service for a few hours. I got shit to do today.

      • lemmyreader@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        Yunohost is doing the installation and finishing with having a XMPP and email server, and from there you can install apps on top of that. You can play with Yunohost inside a container if you wanted to but you will have to prepare the proxy in front of it. If you want to try Yunohost the easiest way, rent a VPS for it.

  • tomatol@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    I’m running immich on a Debian machine at home. Anyone can point me to a detailed tutorial on how to achieve this including SSL and with no payments or subscriptions needed?

  • LifeBandit666@feddit.uk
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    7 months ago

    I’ve been wanting to do exactly what you’re doing here on my LAN for a while. I tried to do it on Friday using Zoraxy and managed to get Homarr running on server.local but couldn’t get anything else running with a name (overseerr.server.local and server.local/overseerr just wouldn’t work, although I did get a webpage on server.local/overseerr it wouldn’t resolve properly).

    Anyway as to your second point of getting a nameserver in Tailscale. While I haven’t managed to get a nameserver in Tailscale I have managed to get apps running through Tailscale.

    My app was Audiobookshelf. I wanted to be able to just turn on Tailscale on my phone and sync to Audiobookshelf and managed to do just that.

    I already connected Audiobookshelf at home with it local IP.

    I then spun up a Tailscale container in the docker host that Audiobookshelf was on, signed in to it on the Tailscale dash, then just added the Tailscale network in Docker to the Audiobookshelf docker container.

    Now I can turn on Tailscale when I’m out of the house and open Audiobookshelf app and it connects to my.home server.

    Meaning I don’t need to remember the IP address and portz I set that up once in the Audiobookshelf app and connect to it at will.

    I intend to have a go at attaching it to Syncthing next. I don’t have much use case for Syncthing at present so it’s a perfect app to experiment with. I intent to just attach the Tailscale network to my Syncthing container and just see if it connects. Then I’ll try syncing my Keepass database to my host as an experiment from my phone.

    In my head it should be that simple. If it is I’ll just connect all my docker apps that way and spin up another Tailscale instance on my other VM that does my Arr, and I’ll have outside access to everything.

    Another point to give you for your quest: if you set up Heimdall and a Tailscale exit node, you can put all your self hosted apps in Heimdall for ease of access and then just hit that through your Tailnet. I have a shortcut on my phone home page. You can then just click the service you want in Heimdall and go to that service.

    Edit: turned off the exit node I had running inside Home Assistant and now nothing works. Turns out it wasn’t as easy to connect to the Tailnet as I thought, and I must have been hitting audiobookshelf through my Tailscale exit node after all. But that does mean that my final paragraph still stands, exit node plus a home page (Heimdall, Homarr) gives the same results, but without the nameservers.

    • Mir@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Now I can turn on Tailscale when I’m out of the house and open Audiobookshelf app and it connects to my.home server.

      I did all this because I wanted to use the same address for home and tailscale

      Heimdall

      I think that’s what I’m currently doing with Homarr

  • dutchkimble@lemy.lol
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    3
    ·
    7 months ago

    I used chatgpt to create the exact steps, commands and configurations I needed for my setup and achieved this the seemingly cheatful way. I used nginx and certbot. Worked like a charm. Congrats!

    • Mir@programming.devOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      7 months ago

      I used chatgpt to create the exact steps, commands and configurations I needed for my setup and achieved this the seemingly cheatful way. I used nginx and certbot. Worked like a charm. Congrats!

      It’s impressive that you was able to get it to help you correctly. It usually just spew things i need to fix that’s why I didn’t ask him, thank you for the tip.

      Btw did you use a custom local domain name or did you use an actual domain ?

      • dutchkimble@lemy.lol
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Thanks, it took some prompts but it worked in the end! I used a few subdomains of an actual domain I use for email…

        • Mir@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          I just finished the SSL today, but have you gotten Syncthing GUI to work though? I can’t seem to get it to work with the domain for some reason.

            • Mir@programming.devOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              4 months ago

              It took me a week suffering to get syncthing to work but it finally did. Thank you

          • dutchkimble@lemy.lol
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            7 months ago

            No, sorry I haven’t tried it with Syncthing. Mainly using it for immich, seafile, a matrix server, some arr apps and a status monitor called dashdot. Would be useful for syncthing though, never thought of trying it - I’ll give it a shot over the weekend and let you know how it goes!

  • Tinkerer@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    This exactly what I’m trying to do, get valid https certificates via a domain name on cloudflare. I have nginx proxy manager running and working to serve a couple of sites like home assistant. The problem I’m having is how do I get valid certificates for my internal services via npm but only be able to access them inside my lan not the internet?