
[Feature] Add VPN to access from outside #58

Open
Sigri44 opened this issue Jul 9, 2024 · 2 comments

Comments

@Sigri44

Sigri44 commented Jul 9, 2024

Actually, VPN is for services to have access to the internet through a VPN.

But I think another feature that could be added is to require a VPN to access a service (like WireGuard), configurable from config.yaml, to check whether a service needs VPN access to be reached from outside (like deluge or other private access).

@jfroment
Owner

jfroment commented Nov 28, 2024

(sorry for the delay)

Yes, you're right, it should be a better option than opening ports on your router if you host your services at home.
See for example the discussion summarized in this Reddit thread.

In fact you can already add a WireGuard custom service by adding a file in services/custom/wireguard.yaml:

```yaml
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERURL=auto
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=1.1.1.1
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0, ::/128, 0.0.0.0/1, 128.0.0.0/1
    volumes:
      - configwireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  configwireguard:
    driver: local-persist
    driver_opts:
      mountpoint: $HOST_CONFIG_PATH/wireguard
```

and in your config.yaml:

```yaml
[...]
  - name: wireguard
    enabled: true
    vpn: false
    customFile: custom/wireguard.yaml
    traefik:
      enabled: false
      rules: []
[...]
```

These are examples from a previous test of mine, but I'm not sure they're still valid. They can serve as a good basis to work with though.

But what is missing from the seedbox stack for now:

  • Capability to select which services are only accessible from VPN
  • Better than WireGuard? Tailscale integration
  • Make it optional / selective
  • DNS integration to work with any provider. That's tough to implement in order to keep the seedbox generic enough.

But I will keep this item in mind. In fact I'd love it for myself, so I will make some tests.
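One way the first missing item above ("select which services are only accessible from VPN") could be wired up, shown as an added example that is not part of the seedbox project and not the maintainer's code. It assumes a hypothetical per-service `vpnOnly` flag in config.yaml (the project's real schema has no such key), Traefik v3 label syntax for the `ipallowlist` middleware, and the `10.13.13.0/24` peer subnet implied by the `INTERNAL_SUBNET` value in the compose file quoted above. The sample service entries are constructed for the example.

```python
"""Added example (not the seedbox project's own code): mark services as VPN-only.

Assumptions, all hypothetical:
  - a per-service ``vpnOnly: true`` flag in config.yaml
  - Traefik v3 label syntax (``ipallowlist`` middleware)
  - WireGuard peers arrive from 10.13.13.0/24 (INTERNAL_SUBNET in the issue's
    compose file, taken as a /24)
"""
import ipaddress
from typing import Dict, List

# Constructed: the peer subnet of the wireguard service quoted in the issue.
WIREGUARD_SUBNET = "10.13.13.0/24"

# Constructed sample of config.yaml service entries with the hypothetical flag.
SAMPLE_SERVICES: List[dict] = [
    {
        "name": "deluge",
        "enabled": True,
        "vpn": True,        # existing project flag: egress goes through the VPN
        "vpnOnly": True,    # hypothetical: ingress only from WireGuard peers
        "traefik": {"enabled": True, "rules": [{"host": "deluge.example.com"}]},
    },
    {
        "name": "jellyfin",
        "enabled": True,
        "vpn": False,
        "vpnOnly": False,   # reachable from anywhere Traefik is exposed
        "traefik": {"enabled": True, "rules": [{"host": "jellyfin.example.com"}]},
    },
]


def traefik_labels(service: dict, vpn_subnet: str = WIREGUARD_SUBNET) -> Dict[str, str]:
    """Build the Traefik docker labels for one service.

    A VPN-only service gets an ipallowlist middleware whose only source range
    is the WireGuard peer subnet, attached to the service's router.
    """
    name = service["name"]
    labels: Dict[str, str] = {"traefik.enable": "true"}

    hosts = [r["host"] for r in service.get("traefik", {}).get("rules", [])]
    if hosts:
        labels[f"traefik.http.routers.{name}.rule"] = " || ".join(
            f"Host(`{h}`)" for h in hosts
        )

    if service.get("vpnOnly"):
        # Fail closed: any client outside the tunnel subnet gets 403 from Traefik.
        middleware = f"{name}-vpnonly"
        labels[f"traefik.http.middlewares.{middleware}.ipallowlist.sourcerange"] = vpn_subnet
        labels[f"traefik.http.routers.{name}.middlewares"] = middleware
    return labels


def compose_labels(services: List[dict]) -> Dict[str, List[str]]:
    """Render the labels of every enabled service as ``key=value`` lines,
    the form they take under ``labels:`` in a generated docker-compose file."""
    return {
        s["name"]: [f"{k}={v}" for k, v in traefik_labels(s).items()]
        for s in services
        if s.get("enabled")
    }


def is_allowed(service: dict, client_ip: str, vpn_subnet: str = WIREGUARD_SUBNET) -> bool:
    """Offline mirror of the decision the middleware makes: a VPN-only service
    answers only to addresses inside the tunnel subnet; others answer to all."""
    if not service.get("vpnOnly"):
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(vpn_subnet)


if __name__ == "__main__":
    for name, lines in compose_labels(SAMPLE_SERVICES).items():
        print(name)
        for line in lines:
            print("  -", line)
```

The check that matters before relying on this is which source address Traefik actually sees. If the WireGuard container masquerades peer traffic (the linuxserver image's default server `PostUp` adds a `MASQUERADE` rule), requests reach Traefik from the WireGuard container's own Docker-network address rather than from `10.13.13.x`, and the `sourcerange` must be set to that address instead; if Traefik sits behind another proxy, the allowlist's `ipstrategy` has to be configured so it evaluates the real client rather than the proxy. Either way, test the deny path from outside the tunnel, not only the allow path from inside it.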

@Sigri44
Author

Sigri44 commented Nov 28, 2024

I do think that on the privacy side it could be fun, but I don't know how it's possible to keep DNS access only via a VPN.

But it could be secure if the VPN isn't connected so nobody can see/access the service, and you have to make the connection to access all the LAN services.

If you need to, you can take inspiration from dappNode (they use WireGuard) and require no accessibility outside the VPN; access is very restricted.
And they have a command like dappnode_status which gives the QR code and/or private key and generated config that you just need to copy/paste into your local WireGuard to connect directly to the node.
