I spent all day today trying to get the routing to work correctly between Tailscale, Nginx and Adguard.

Basically I wanted to be able to be able to use **http://immich.network ** to route to 192.168.1.2:9000

I wanted to share the steps I took so people don’t have to go through what I did.

First a few things Local Server IP: 192.168.1.2

  1. I installed Ngnix and Adguard, in a Docker Containers, and gave Adguard IPs 3000, 3001 instead of 80 and 443 because Ngnix took it.
  2. I went to my router and made it use the DNS: 192.168.1.2
  3. I configured Proxy Host in Ngnix … immich.network => 192.168.1.2:9000
  4. I configured DNS rewrite in Adguard … *.network => 192.168.1.2

At this point I was able to use http://immich.network finally. I installed Tailscale to be able to access when I’m outside but http://immich.network didn’t work.

These helped me https://tailscale.com/kb/1019/subnets + https://tailscale.com/kb/1054/dns?q=global+nameserver

  1. I created a subnet… tailscale up --advertise-routes=192.168.1.0/24
  2. I approved it on Tailscale login

At this point I was able to access home server using its local IP 192.168.1.2 but I couldn’t get http://immich.network to work.

  1. I created a nameserver dns with split DNS but I used my local ip… 192.168.1.2 => network

Finally everything is working… I have a feeling that I’m doing it wrong but I’m too tired and it’s finally working.

  • rhymepurple@lemmy.ml
    link
    fedilink
    English
    arrow-up
    24
    ·
    8 months ago

    Congrats on getting everything working - it looks great!

    One piece of (unprovoked, potentially unwanted) advice is to setup SSL. I know you’re running your services behind Wireguard so there isn’t too much of a security concern running your services on HTTP. However, as the number of your services or users (family, friends, etc.) increases, you’re more likely to run into issues with services not running on HTTPS.

    The creation and renewal of SSL certificates can be done for free (assuming you have a domain name already) and automatically with certain reverse proxy services like NGINXProxyManager or Traefik, which can both be run in Docker. If you set everything up with a wildcard certificate via DNS challenge, you can still keep the services you run hidden from people scanning DNS records on your domain (ie people won’t know that an SSL certificate was issued for immich.your.domain). How you set up the DNS challenge will vary by the DNS provider and reverse proxy service, but the only additional thing that you will likely need to set up a wildcard challenge, regardless of which services you use, is an email address (again, assuming you have a domain name).

    • Mir@programming.devOP
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      8 months ago

      Thank you for the* so much wanted advice, it’s one of the reasons I actually posted this, to get advices on how to do things better.

      I’ve been trying to do that for a specific service running (firefly) but I can’t figure out what to do exactly, about the domain name, Is there a way to do that without one?

      • LifeBandit666@feddit.uk
        link
        fedilink
        English
        arrow-up
        5
        ·
        8 months ago

        You can get pretty cheap domain names if you google around. I managed to get mine for £35 for a number of years (3 I think, I was high when I set it up) and got a .com name out of that.

        You could look into DuckDNS. I know I used them many moons ago for Home Assistant but can’t quite remember what the capabilities were, I just remember it was free and a bit rubbish. But as a stopgap it works.

        Try that for a bit until you have a few quid spare, then get yourself a domain name paid for a while.

        • toffi@feddit.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          8 months ago

          I used dynv6.com to get a free subdomain e. g. [name].dynv6.net and then a swag docker to do the reverse proxy subfolder->dockerport matching. Trafic in my home network is http and the swag ports are the only one exposed to the public. When I find the time I’ll do in depth setup guide including the ipv6 setup problems.

            • LifeBandit666@feddit.uk
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              8 months ago

              Have a look into Heimdall or Homarr. Much easier, don’t need to worry about addresses at all. Single set up and add Tailscale exit node for external access.

              I’ve been fiddling with it again today and (using Homarr) my only services that don’t work when I access through Tailscale are the ones I use names for (are.local, server.local, etc) and I can access them when I use the IP:port so when I get home I’ll just change them to IP:port on Homarr and I’ll be all good

              • Mir@programming.devOP
                link
                fedilink
                English
                arrow-up
                1
                ·
                8 months ago

                Yea I’m using Homarr, I’ve just finished setting everything up. The only problem I have right now is that I can’t access Syncthing GUI through the domain.

      • SirBoostALot@hear-me.social
        link
        fedilink
        arrow-up
        0
        ·
        8 months ago

        @Mir @rhymepurple Another place you can get free domain names is freedns.afraid.org - they have been around nearly forever and all you have to do is log into their site and go to any page once every six months (I guess so they know you are still alive) but they will email you a notice a couple weeks before that time is up. And at least for me they have always been very reliable.

        • Mir@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          8 months ago

          Thank you, Might try them because duck dns domain is flagged by the browser for some reason and it’s worth than no https warning

    • peregus@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Is it possible to issue and update certificates for LAN services? About wildcard certificates, is it possible with Let’s Encrypt? Thanks!

      • rhymepurple@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        Everything I mentioned works for LAN services as long as you have a domain name. You shouldn’t even need to point the domain name to any IP addresses to get it working. As long as you use a domain registrar that respects your privacy appropriately, you should be able to set things up with a good amount of privacy.

        Yes, you can do wildcard certificates through Let’s Encrypt. If you use one of the reverse proxies I mentioned, the reverse proxy will create the wildcard certificates and maintain them for you. However, you will likely need to use a DNS challenge. Doing so isn’t necessarily difficult. You will likely need to generate an API key or something similar at the domain registrar or DNS service you’re using. The process will likely vary depending on what DNS service/company you are using.