this post was submitted on 15 Sep 2025
63 points (98.5% liked)

Selfhosted


I wanted to share a service I'm hosting, but didn't feel comfortable just leaving it publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole LAN with a VPN, or redirect all internet traffic from a client through my network. So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on the firewall) and then forward a single port from the service host. The client is Android, so using WG Tunnel and split tunnelling just for the relevant app should not impair the client's network access. Initial tests seem to be OK; is there anything I may have overlooked? Please feel free to comment.

[–] litchralee@sh.itjust.works 8 points 1 day ago (1 children)

Let me make sure I understand everything correctly. You have an OpenWRT router which terminates a WireGuard tunnel, which your phone will connect to from somewhere on the Internet. When the WireGuard tunnel lands within the router in the new subnet 192.168.2.0/24, you have iptables rules that will:

  • Reject all packets on the INPUT chain (from subnet to OpenWRT)
  • Reject all packets on the OUTPUT chain (from OpenWRT to subnet)
  • Route packets from phone to service on TCP port 8080, on the FORWARD chain
  • Allow established connections, on the FORWARD chain
  • Reject all other packets on the FORWARD chain

So far, this seems alright. But where does the service run? Is it on your LAN subnet or the isolated 192.168.2.0/24 subnet? The diagram you included suggests that the service runs on an existing machine on your LAN, so that would imply that the router must also do address translation from the isolated subnet to your LAN subnet.

That's doable, but ideally the service would be homed onto the isolated subnet. But perhaps I misunderstood part of the configuration.
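
The zone and single-port forward described in this comment, written out as an added OpenWRT UCI example (this is not configuration posted by anyone in the thread). The interface name wg1, the zone name dmz and the service address 192.168.1.10 are taken from the thread; the tunnel subnet 192.168.2.0/24 is the one named above; TCP port 8080 is the port this comment assumes; the peer's tunnel address 192.168.2.2 and the peer's public key are placeholders.

```uci
# --- /etc/config/firewall (added example, not the OP's config) ---

# Zone for the tunnel. Every default policy is REJECT, so the phone can
# neither talk to the router itself (INPUT), receive router-originated
# traffic (OUTPUT) nor cross into other zones (FORWARD) unless a rule
# below says otherwise. No 'config forwarding' from dmz to lan is defined.
config zone
	option name 'dmz'
	list network 'wg1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

# The single hole: TCP/8080 arriving on the tunnel is DNATed to the
# service host on the LAN. fw3/fw4 pair a redirect with a FORWARD accept
# that matches only this DNATed flow, and conntrack admits the replies,
# so nothing else from 192.168.2.0/24 reaches the LAN.
# Port 8080 is assumed; 192.168.1.10 is the host named in the thread.
config redirect
	option name 'wg-service-8080'
	option src 'dmz'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '8080'
	option proto 'tcp'
	option target 'DNAT'

# --- /etc/config/network (added example) ---

# The tunnel interface that the dmz zone above refers to.
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '192.168.2.1/24'

# One peer per phone. allowed_ips pins the peer to a single tunnel
# address, so packets claiming any other source are dropped by
# WireGuard before the firewall ever sees them. 192.168.2.2 is a
# placeholder for the address configured in the WG Tunnel app.
config wireguard_wg1
	option description 'android-phone'
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.2.2/32'
```

Two things to check after applying this: the service host's default gateway must be the router (otherwise replies to 192.168.2.x have no route back, and the alternative is masquerading on the lan zone, which hides the phone's tunnel address from the service), and the WireGuard listen port itself must be opened on the wan zone with an ordinary `config rule`, not on dmz, since the handshake arrives from the Internet and not through the tunnel.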

[–] syaochan@feddit.it 1 point 1 day ago* (last edited 1 day ago)

The service runs on another machine with address 192.168.1.10, so a different subnet than the WireGuard one, hence the port forward. I confirmed that this works: I can reach the service from the phone on mobile data connected to the WireGuard endpoint. wg1 is in zone dmz; this is the port forward