[Feature] Add VPN to access from outside
Actually, the VPN is for services to have access to the internet through the VPN.
But I think another feature can be added: requiring a VPN to access a service (like Wireguard), configurable from config.yaml, to check whether a service needs VPN access to be joined from outside (like deluge or other private access).
(sorry for the delay)
Yes, you're right, it should be a better option than opening ports on your router if you host your services at home. See for example the discussion summarized in this Reddit thread.
In fact you can already add a wireguard custom service by adding a file in services/custom/wireguard.yaml:
```yaml
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERURL=auto
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=1.1.1.1
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0, ::/128, 0.0.0.0/1, 128.0.0.0/1
    volumes:
      - configwireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  configwireguard:
    driver: local-persist
    driver_opts:
      mountpoint: $HOST_CONFIG_PATH/wireguard
```
and in your config.yaml:
```yaml
[...]
  - name: wireguard
    enabled: true
    vpn: false
    customFile: custom/wireguard.yaml
    traefik:
      enabled: false
      rules: []
[...]
```
These are examples from a previous test of mine, but I'm not sure they're still valid. They can serve as a good basis to work with though.
But what is missing from the seedbox stack for now:
- Capability to select which services are only accessible from VPN
- Better than Wireguard? Tailscale integration
- Make it optional / selective
- DNS integration to work with any provider. That's tough to implement in order to keep the seedbox generic enough.
But I will keep this item in mind. In fact I'd love it for myself, so I will make some tests.
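A small config lint for the first missing item above (selecting which services are only reachable from the VPN), added here as an example and not part of the seedbox project: the `vpnOnly` key is a hypothetical config.yaml flag, and the sample config and compose data are constructed to mirror the layout shown in the thread. It flags any enabled `vpnOnly` service that still has a traefik route or whose custom compose file publishes a host port on all interfaces.

```python
# Added example (not seedbox code): `vpnOnly` is a hypothetical config.yaml key.
# In practice load config.yaml and each customFile with yaml.safe_load();
# here the parsed data is constructed inline so the check runs offline.


def published_on_all_interfaces(port_spec):
    """True when a compose port mapping binds to every host interface, e.g.
    "51820:51820/udp" -> True, "127.0.0.1:8112:8112" -> False."""
    if isinstance(port_spec, dict):  # long syntax: {published, target, host_ip}
        host_ip = str(port_spec.get("host_ip", ""))
    else:  # short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO]
        spec = str(port_spec).split("/")[0]
        parts = spec.rsplit(":", 2)
        host_ip = parts[0] if len(parts) == 3 else ""
    return host_ip in ("", "0.0.0.0", "::")


def find_exposure_issues(config, compose_files):
    """Return (service, problem) pairs for enabled vpnOnly services exposed via a
    traefik route or via a host port bound on all interfaces in their customFile."""
    issues = []
    for svc in config.get("services", []):
        if not (svc.get("enabled") and svc.get("vpnOnly")):
            continue  # only services the operator marked VPN-only are checked
        name = svc["name"]
        if svc.get("traefik", {}).get("enabled"):
            issues.append((name, "traefik route enabled for a vpnOnly service"))
        compose = compose_files.get(svc.get("customFile"), {})
        for cname, cdef in compose.get("services", {}).items():
            for port in cdef.get("ports", []):
                if published_on_all_interfaces(port):
                    issues.append((name, f"container {cname} publishes {port} on all interfaces"))
    return issues


# Constructed sample mirroring the config.yaml / custom file layout in the thread.
SAMPLE_CONFIG = {"services": [
    {"name": "wireguard", "enabled": True, "vpn": False, "customFile": "custom/wireguard.yaml",
     "traefik": {"enabled": False, "rules": []}},
    {"name": "deluge", "enabled": True, "vpn": True, "vpnOnly": True,
     "customFile": "custom/deluge.yaml", "traefik": {"enabled": True, "rules": []}},
]}
SAMPLE_COMPOSE = {
    "custom/wireguard.yaml": {"services": {"wireguard": {"ports": ["51820:51820/udp"]}}},
    "custom/deluge.yaml": {"services": {"deluge": {"ports": ["8112:8112", "127.0.0.1:58846:58846"]}}},
}

if __name__ == "__main__":
    for service, problem in find_exposure_issues(SAMPLE_CONFIG, SAMPLE_COMPOSE):
        print(f"{service}: {problem}")
```

The wireguard entry itself is not `vpnOnly`, so its published UDP port is accepted; the deluge entry is reported twice, for the traefik route and for the web UI port, while the daemon port bound to 127.0.0.1 passes.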
I do think that on the privacy side it could be fun, but I don't know how it's possible to keep DNS access only via a VPN.
But it could be secure if the VPN isn't connected so nobody can see/access the service, and you have to make the connection to access all the LAN services.
If you need to, you can take inspiration from dappNode (they use wireguard) and require no accessibility outside VPN, access is very restricted.
And they have a command like dappnode_status which gives the QR code and/or privateKey and generated config that you just need to copy/paste into your local wireguard to connect directly to the node.
One thing I recommend doing is using Tailscale. What I've done personally is popped on my own Headscale co-ordination server with my own domain, so that only bits that I want accessible without VPN are routed on public DNS. Everything else, I've put through Headscale's DNS, so I can only access internal services (Sonarr, Radarr, etc) when connected.
If you pop it on a free Oracle Cloud server, it runs completely fine.
https://github.com/wg-easy/wg-easy
If you need it, you can also make a VPN connection to your router, even without a static IP. Currently, many routers have this option, and whether it be Tailscale, wireguard or OpenVPN - it does not matter. There are plenty of tutorials on the internet. It's useful, for example, on vacation if you don't want to connect to the bank directly from the hotel network ;)