(I asked this on r*ddit a long while ago, but I don’t think I explained myself properly)

Basically, I would like to host a few services on my own metal (and not anywhere else in the world!) to play around with and learn, like my personal site, lemmy instance, vpn, fdroid, image host, etc etc.

I would also like to hide my public IP address because I don’t want people who connect to me to know my location (even if it’s rather coarse).

I know that this isn’t possible without at least another server in a different physical location, but I really have no idea how to approach this. What software do I run? What is this action called? What do any of these AWS/Azure service names mean? How much would I realistically need to pay? Etc etc.

Anyone have any pointers?

    • SmugBedBug@lemmy.iswhereits.at
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Was going to suggest CloudFlare as well. At the very least just setup your DNS with there nameservers and benefit from CloudFlare proxies on the IP addresses.

      But tunnels is pretty sweet.

    • dap@lemmy.onlylans.io
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      Cloudflare tunnels are great but OP may not want to have to authenticate each user to their services.

  • ThorrJo@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    1 year ago

    As others have pointed out,

    1. a VPN (so that your outbound traffic comes from your VPN endpoint, not your bare IP address)
    2. a reverse proxy server

    I use a router from GL-iNet to run the always-on VPN, and rathole for a reverse proxy. Both the VPN and the reverse proxy terminate at $4/mo VPSes.

  • dap@lemmy.onlylans.io
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    1 year ago

    Cloudflare free tier + a reverse proxy will set you straight. You can add subdomains for your services as A records in Cloudflare off of your root domain, i.e. lemmy.yourdomain.tld, personalsite.yourdomain.tld, images.yourdomain.tld.

    When doing this, enable the Cloudflare DNS proxy which will route DNS requests to your origin service through Cloudflares’s CDN. This essentially “hides” your public IP as anyone doing a nslookup lemmy.yourdomain.tld will get Cloudflares’s IPs back as a response.

    Once you’ve done this, you can break everything back out to it’s respective backend via a reverse proxy. For example, lemmy.yourdomain.tld gets passed to 192.168.0.10, personalsite.yourdomain.tld gets passed to 192.168.0.20, etc.

    • augentism@thaumatur.ge
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      That’s sounds so much simpler than what I am doing right now. Right now I have a digital ocean droplet server running openvpn and I have any servers I want open to the internet connecting to that openvpn server as a client. I then NAT all incoming traffic to the servers I have with iptables as if the droplet is a router. Is it much easier to setup a cloudflare tunnel? Or am I basically accomplishing the same thing? Will I be able to run all the other services I have because I’m not just web hosting? I also do not have a static IP.

      • death916@lemmy.death916.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Since I didn’t want to use cloudflare I use a free oracle vps with tailscale and a reverse proxy on it. Then thru tailscale all services from home can go to the proxy without forwarding any ports and services can be accessible

      • dap@lemmy.onlylans.io
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Cloudflare tunnels or a reverse proxy with Cloudflare DNS would be much easier to manage IMO. What you’re doing will work but it seems like you have a lot of moving parts in your setup which can lead to errors creeping in.

        With both proposed setups you should be able to pass non web-based traffic to their respective backends. In nginx that would look something like the following:

        server {
                listen 443 ssl http2;
                server_name service.yoursite.tld;
        
                location / {
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host:$proxy_port;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_pass http://<IP of your service>:<port>;
                }
        }
        

        With Cloudflare tunnels you can setup a VM as your tunnel termination point and configure ingress rules to pass traffic where it needs to go, similar to this:

        tunnel: <Tunnel UUID>
        credentials-file: /root/.cloudflared/<Tunnel credentials>.json
        
        ingress:
          - hostname: service1.yourdomain.tld
            service: http://192.168.0.10:80
          - hostname: service2.yourdomain.tld
            service: ssh://192.168.0.20:22
          - service: http_status:404 # This is a catch-all rule to handle unmatched ingress traffic
        

        One thing you can do for your public IP is use something like inadyn to update cloudflare with your public IP when it changes. Inadyn is super lightweight and will make sure, +/- 5 minutes, that your public IP is up-to-date with Cloudflare.

  • jacob@lemmy.dork.lol
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Maybe take a look into Cloudflare Tunnels, which sounds like will do what you want (maybe not VPN though).

    The short version is you run a daemon on your local network that Cloudflare talks to. So, outside requests only see Cloudflare, and communication from your network only goes to Cloudflare. Your IP is not exposed to consumers. This is free! Though you are not supposed to send video/pictures though the tunnel and have them cache it without using one of their (paid) services, but it’s simple to disable caching for a host. I do use their DNS, though I cannot recall if that’s a requirement for Tunnels, though.

    Keep in mind you should still set up some sort of firewall, as people can and do just scan the entire IPv4 address range looking for open ports.

  • elb@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    You need a VPN or a reverse proxy or similar for this.

    What you want is either a service that gives you an IP address unrelated to your physical location (a VPN), or a machine that is willing to accept connections for you and forward them transparently to your machine (a reverse proxy).

    You can set up your own VPN to proxy connections by getting a host from ~any hosting service and running something like OpenVPN on it.

  • fox@lemmy.fakecake.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    ingress traffic to lemmy is obvious (CF -> reverse proxy, for example) but what about egress traffic i.e. federation requests? I kind of poked around lemmy backend / issue tracker but didn’t find any way to setup a HTTP proxy for backend requests, so your real IP would be visible to any instance you contact, I think.