I need help figuring out where I am going wrong or being an idiot, if people could point out where…
I have a server running Debian 12 and various docker images (Jellyfin, Home Assistant, etc…) controlled by portainer.
A consumer router assigns static Ip addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.
I want to make this remotely accessible.
From what I have read I need to setup a reverse proxy, I have tried to follow various guides to give my server a cert for the reverse proxy but it always fails.
I figure the server needs the dyndns address to point at it but I the scripts pick up the internal IP.
How are people solving this?
It’s easiest to just register a domain name and use Couldflare Tunnels. No need to worry about dynamic DNS, port forwarding etc. Plus, you have the security advantages of DDoS protection and firewall (WAF). Finally, you get portability - you can change your ISP, router or even move your entire lab into the cloud if you wanted to, and you won’t need to change a single thing.
I have a lab set up on my mini PC that I often take to work with me, and it works the same regardless of whether it’s going thru my work’s restricted proxy or the NAT at home. Zero config required on the network side.
Just be careful as DNS and federated requests can leak your real ip even through the CF proxy.
If you’re only exposing your services through a cloudflare tunnel, it doesn’t even matter if they get your real IP.
Just a reminder that even though the tunnel itself is encrypted, the whole connection is not E2E encrypted between your remote client and the server. Cloudflare as a CDN/PoP provider can see the traffic in plaintext.
In all other aspects, this is a great solution, as we even get to use the edge caching(over top of all others mentioned above) facility - which further reduces the requests to origin server.
I recently went this route after dabbling with other options. I had a wireguard VPN through my Unifi router, with rules to limit access to only the resources I wanted to share, but it can be a struggle for non savvy users, and even more so if they want to use Jellyfin on their TV. Tried Twingate too and would recommend if it fits your usecase, but Cloudflare Tunnels were more applicable to me.