Hi, guys. Like in the title. I have orangepi5 with some services like nextcloud or grafana. I would like to access to those instances from outside - but I don’t want to open ports.
Could you guys point me how can I achieve that?
Do I need to set domain for home services? I have heard that people recommends cloudfare tunnel, but I think cloudfare tunnel does not work with subdomain like duckdns. Do I need to buy domain for my case? One more think, if I set this tunnel or maybe other solution- should I go with https (lets encrypt) solution?
Thank You
If you don’t want it publicly exposed to the internet you can use a vpn. Tailscale is probably the easiest.
for this I am using zerotier - and I can connect from outside but … using IPs which is not great. Would like to use domains
Sounds like you want to set up DDNS (dynamic DNS). Basically run a little script on your router or server that occasionally updates a domain name with your IP address.
Many free options. DuckDNS, Cloudflare, etc.
I’m using PiHole with my tailscale to use their MagicDNS.
This shares the PiHole among all the devices connected to the tailnet, and in the PiHole you can configure your local DNS to point your domains to your tailIP.
My setup has several services in a single machine, so there’s also the issue of ports, for that I use caddy as a reverse proxy, which also allows me to have HTTPS only configuring the key to my registrar for the DNS challenge
deleted by creator
I did not - thank you will try
Any self-hosted VPN will work, tailscale just happens to be the easiest to set up. Wireguard and OpenVPN are also popular choices. You only need to use things like CloudFlare tunnels if you want to allow OTHER people to access your stuff without having to use your VPN.
using a reverse proxy is prob your best bet. something like nginx (nginxproxymanager for easier configuration)
nginxproxymanager
Well, I was trying to play with nginx proxy manager, was able to set this but still, could connect only from home network - not from outside
nginxpm still requires ports to be open, but only 2: 80 and 443. a lot better than opening every port for every service you have
consider tailscale
You’ve really got two options here. Tailscale, which will give you named dns routes for your machines, based on the machine name, or dynamic DNS with a reverse proxy like SWAG.
You will need to open some ports, but ideally you just open up 1 port for a VPN and call it a day.
If you want a really easy solution you can buy one of the mid to high end routers that comes with a built in OpenVPN you can enable, and you just do the process to have it be the router for your network (usually by setting your modem to pass through mode and then have your personal router immediately next in line, and it becomes the actual router of the network)
If you do a search you should find a few decent models out there with OpenVPN support, and then its just a matter of enabling the feature in the router’s interface and following its guide and then installing OpenVPN on your mobile phone(s)
Thank you for this tip, actually I have second router connected to my main router(from provider) and on this second router I have openwrt - I think I have seen there openvpn option - will check
No problem, the mode you are looking for is called Bridge Mode, and what you’ll need to ensure your setup is, is:
ISP -> ISP Router -> Your Router -> Rest of the network
It’s crucial you only have your router as the only thing plugged into the ISP Router, and you want it to be typically plugged into port 1. You’ll need to either look up the paperwork or talk to your ISP about how bridge mode works for their modem model.
Keep in mind once bridge mode is enabled on the ISP router, it loses its wifi network so the only way after you can connect to it to configure it is by a physical connection, so if you mess it up you’ll need to have a laptop or smartphone you can physically connect via ethernet to port 1 of the isp router to be able to access its interface again.
But once you get bridge mode working your private router will now get a public IP assigned to it instead and it will act as the “real” router of your network.
I use zerotier for that kind of stuff, mostly because it runs native on my router (mikrotik) and is zero config so easy to run on a random mobile device I might have on me.
you could use cloudflare zero-trust, i use it with a docker container which runs cloudflared. it tunnels your services through without a single port open. there are a couple youtube tutorials which are pretty good.