Hey all, I like to share my storage with my friends with Nextcloud and I have been using a VPN (Tailscale) to get them connected to my server. I would like to buy a VPS or use the Oracle free tier VPS as a reverse proxy instead because Tailscale takes a lot of battery on mobile devices and adds a layer of complexity for the users. Is the data that goes through the VPS encrypted (in case my data contains DRM content)? And are there any bandwidth limits on a VPS? Sorry if my question seems trivial… Port-forwarding is not an option for me unfortunately as my ISP does not give static IPv4 addresses to normal customers.
Please feel free to correct me if I have misunderstood anything.
Oh, and I figure I will also need a domain name. I have purchased one from Namecheap.
When using NGINX with SSL, traffic gets encrypted with that SSL certificate.
FQDN - example.com
VPS - 123.123.123.123
VPN - I use Tailscale because it's really easy and solves almost all problems I've encountered on other systems without much effort
- and it’s easy for friends to setup, so they can access their shares on the NAS through their own tailscale account, manage their own 2FA, but get limited access to what is attached otherwise.
VPS has NGINX - I use Nginx Proxy Manager,
*.example.com on Nameserver points to 123.123.123.123
All my Servers are on Tailscale,
their hostnames are registered on the public Nameserver - BUT - with their Tailscale IP,
so only reachable when you’re on THIS VPN.
I use Proxmox as my virtualizer, and a Synology NAS, mostly for the ease of use.
Hint: Start up Tailscale on Proxmox with `tailscale up --accept-dns=false` (https://tailscale.com/kb/1133/proxmox/)
So basically, I have entries for
DNS.example.com
NPM.example.com
AUTH.example.com
LDAP.example.com
NAS.example.com
PVE.example.com
DOCKER.example.com
- All on-prem, either metal or virtualised, A records to Tailscale IP
The DNS server also serves as a DNS redirector for these addresses when accessed on-prem - to lead to the internal, offline-reachable addresses to mitigate Internet reliability for the communication, but it also makes it possible to basically drag and drop the VM/container/hardware physically somewhere else.
Now NPM listens on the VPS on all other addresses and
Reverse Proxies the services or sites on my Tailscale VPN Network to the public,
the only address exposed at all times is the VPS 123.123.123.123,
easy allocation of subdomains for services without installation of any clients or setup for friends and family.
On NPM now, I setup Jellyfin, for example:
jelly.example.com -> Docker.example.com:3838
jelly does OAUTH, so it’s connected to OAUTH.example.com
OAUTH serves SSO and 2FA for LDAP credentials it gets from LDAP.example.com
My LDAP is located on the Synology NAS, but I might switch authentication servers in the future,
so I've set up LDAP.example.com to point to NAS.example.com,
now switching LDAP servers is as easy as correcting the DNS entry and LDAP credentials, etc.
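For readers who want to see what the "jelly.example.com -> Docker.example.com:3838" proxy host above boils down to, here is the raw nginx equivalent as an added example; it is not the replier's NPM-generated config. It assumes Let's Encrypt certificate paths on the VPS and that the VPS itself is a Tailscale node, so Docker.example.com resolves to a Tailscale IP that only the VPN can reach.

```nginx
# Added example, not the original poster's or replier's configuration.
# Goes in a file under /etc/nginx/conf.d/ (http context) on the VPS.

# Websocket upgrade only when the client asks for it (Jellyfin uses it).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name jelly.example.com;
    return 301 https://$host$request_uri;   # never serve Jellyfin over plain HTTP
}

server {
    listen 443 ssl;
    server_name jelly.example.com;

    # Certificate paths assumed from a standard certbot layout.
    ssl_certificate     /etc/letsencrypt/live/jelly.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jelly.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browser TLS ends here, on the VPS. The hop from here to the NAS runs
    # inside the Tailscale (WireGuard) tunnel, so it is encrypted on the
    # wire, but the request is plaintext inside this nginx process: whoever
    # has root on the VPS can read it. If that hop must be end-to-end,
    # terminate TLS on the upstream and change proxy_pass to https://.
    location / {
        proxy_pass http://Docker.example.com:3838;   # resolves to a Tailscale IP
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Because nginx resolves the proxy_pass hostname once at startup, reload nginx if Docker.example.com's Tailscale IP ever changes.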