Hadn’t thought of a server outside of my network, that might make this a lot easier. Could even forward the listening ports so both sides act like it’s local to them.
Are you accessing the ssh via phone or maintaining a persistent connection from a phone? If so, what are you using?
I didn’t realize that was an option in the iOS app, I’ve been trying to figure out how to do it via Shortcuts or some other automation. Thanks for the heads up! I can finally ditch Cloudflare and close the http ports on my router.
That’s easily done with the WireGuard app too. I’ve been using it for years now exactly this way. As soon as I leave home WiFi, the VPN kicks in, and I use my Pi-holes at home as DNS to get ad blocking while on the road.
I don’t think you looked too hard at what’s behind login authentication and what’s not. Things like whoogle which are kept locally segmented and designed to be open to the public are not a security risk, especially if you have a little bit of fail2ban experience. If by chance some zeroday exploit crashed my docker container…boo hoo, it has no access to my system and runs with a PUID/GUID meant for containers.
Things like plex/overseerr which don’t use login credentials, and instead use login tokens, are also meant to be forward facing like they are and NOT behind credentials beyond their own, if you set up static domains in your plex instance for example and do not allow remote access via plex.tv.
The whole site is behind cloudflare, and protected from ddos/hammering/blahblah through the cloudflare system before it ever gets forwarded to my A records.
The site also does use authentication for everything outside of the first few listed services, you probably only clicked on one link.
I mean, in essence, your whole thing about security has been thought of and accounted for.
I’m not, and being that this is a self hosted forum, I don’t particularly want to route my traffic through a third party. I’m still reading about tailscale because I don’t know enough about it to say how it works, but I’m really looking for something using ssh directly.
Speed I could believe, but I just haven’t experienced the other two. Wireguard seems way more convoluted, unless there’s some easy setup guide I’ve missed. Most I ever got was for clients to connect to the server, but without access to the broader internet. And just that took hours of fiddling with config files. Not so with OpenVPN.
I am not a Synology user and hate WireGuard in docker too. Have tried to help with way too many issues over at r/WireGuard with people using it in docker and docker doing wacky stuff on the network. Also, I don’t have experience with wg-easy; I’ve had WireGuard running since before any tools were made, so I do it all bare bones on bare metal.
But it’s nothing fancy: just set up a peer with any guide you find on the Google, create a config for your iPhone as a second peer, and have it connect to the Synology peer.
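As an added example (not code from any poster in this thread), the two-peer layout the comment above describes, with the Synology side listening and the iPhone dialing in. It also includes the IP forwarding and NAT rules whose absence is the usual reason peers "can connect but have no broader internet", as an earlier comment reports. Every address, the `eth0` interface name, the `vpn.example.net:51820` endpoint and the Pi-hole DNS address are constructed placeholders. The X25519 public-key derivation is written out in plain Python so the script runs without `wg` or third-party packages installed; on a real box `wg genkey | tee private | wg pubkey` does the same job and is what you should use.

```python
import base64
import secrets

# Curve25519 parameters (RFC 7748). The Montgomery ladder below exists only so
# this example runs stand-alone; production setups should use `wg genkey`.
_P = 2**255 - 19
_A24 = 121665
_BASE_U = 9


def _clamp(private_key: bytes) -> int:
    """RFC 7748 scalar clamping, then little-endian decode."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k*u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P


def public_key_bytes(private_key: bytes) -> bytes:
    """Derive the 32-byte public key WireGuard pairs with a 32-byte private key."""
    return _x25519(_clamp(private_key), _BASE_U).to_bytes(32, "little")


def generate_keypair() -> tuple:
    """Return (private, public) as the base64 strings that appear in wg configs."""
    private = secrets.token_bytes(32)
    public = public_key_bytes(private)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def build_configs(server_priv: str, server_pub: str, phone_priv: str, phone_pub: str,
                  psk: str, endpoint: str, wan_if: str = "eth0",
                  lan_dns: str = "192.168.1.2") -> tuple:
    """Render the Synology (listening) and iPhone (dialing) peer configs.

    Addresses, interface name, endpoint and DNS server are constructed placeholders.
    """
    server = "\n".join([
        "[Interface]",
        "Address = 10.8.0.1/24",
        "ListenPort = 51820",
        f"PrivateKey = {server_priv}",
        # Forwarding plus NAT out of the WAN interface is what lets the phone reach
        # the LAN and the internet through the tunnel, not just the WireGuard host.
        "PostUp = sysctl -w net.ipv4.ip_forward=1",
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
        "",
        "[Peer]",
        "# iPhone",
        f"PublicKey = {phone_pub}",
        f"PresharedKey = {psk}",
        "AllowedIPs = 10.8.0.2/32",  # only this source address is accepted from the phone
        "",
    ])
    phone = "\n".join([
        "[Interface]",
        "Address = 10.8.0.2/32",
        f"PrivateKey = {phone_priv}",
        f"DNS = {lan_dns}",  # e.g. a Pi-hole on the LAN, queried through the tunnel
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"PresharedKey = {psk}",
        f"Endpoint = {endpoint}",
        "AllowedIPs = 0.0.0.0/0",  # full tunnel; use the LAN CIDR here for split tunnel
        "PersistentKeepalive = 25",  # keeps the NAT mapping alive for a mobile client
        "",
    ])
    return server, phone


if __name__ == "__main__":
    s_priv, s_pub = generate_keypair()
    p_priv, p_pub = generate_keypair()
    psk = base64.b64encode(secrets.token_bytes(32)).decode()
    wg0, phone_profile = build_configs(s_priv, s_pub, p_priv, p_pub, psk, "vpn.example.net:51820")
    print("# wg0.conf on the Synology\n" + wg0)
    print("# profile to import into the iOS WireGuard app\n" + phone_profile)
```

The phone profile can be turned into a QR code for the iOS app; the server side goes into `wg0.conf` and is brought up with `wg-quick up wg0`. Note that `AllowedIPs` means different things on each side: on the server it is the source-address filter for that peer, on the phone it is the set of destinations routed into the tunnel.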
If you’re up for it, feel free to pm me with a discord username, and we can go over everything, and maybe spend a night setting things up for you. It helps to have someone go through things with you, documentation isn’t as easily understandable heh.
I’ve set up OpenVPN a couple of times, only once from a script (easy stuff), but the rest was a manual process. Also, I’ve set up WireGuard once manually and about 3 times with docker. Docker is the easiest way.
BUT, indeed WireGuard is not as packed as OpenVPN. It’s just a protocol, where OpenVPN comes with a plethora of options. One of the things in WG which I miss the most is password protection. If your connection config is leaked and you don’t know it, you’re screwed. With a password, a bad actor would have to break it first. In OpenVPN it is relatively easy to set up. But in WireGuard you cannot do it unless you start to use some more advanced solution built around WireGuard (firezone) with SSO and stuff.
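Since WireGuard has no password layer, the config file and its private key are the whole credential, so the defensive move is to make leaking it unlikely and to limit what a single peer's key can do. As an added example (not from any poster here), a small audit script that flags the hygiene problems a wg-quick config tends to have: a file readable by other users, a peer without a `PresharedKey` (a second secret that must also be present, which helps when only the private key leaks, e.g. from a key backup, though not when the whole file does), and a peer on a listening interface whose `AllowedIPs` is `0.0.0.0/0`, which accepts packets from any source address once that peer authenticates. The sample configs are constructed.

```python
import os
import re
from typing import List, Optional, Tuple

_B64_KEY = re.compile(r"[A-Za-z0-9+/]{43}=")  # 32 bytes base64-encoded, as wg prints them


def parse_wg_config(text: str) -> Tuple[dict, List[dict]]:
    """Parse a wg-quick INI file into one Interface dict and a list of Peer dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # base64 never contains '#', so this is safe
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers


def audit_config(text: str, mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if mode is not None and mode & 0o077:
        findings.append(f"file mode {oct(mode & 0o777)} lets other users read the "
                        "private key; chmod 0600")
    interface, peers = parse_wg_config(text)
    if not _B64_KEY.fullmatch(interface.get("PrivateKey", "")):
        findings.append("Interface PrivateKey missing or not a 44-char base64 key")
    listening = "ListenPort" in interface  # treat a listening interface as the server side
    for idx, peer in enumerate(peers, 1):
        if not _B64_KEY.fullmatch(peer.get("PublicKey", "")):
            findings.append(f"peer {idx}: PublicKey missing or malformed")
        if "PresharedKey" not in peer:
            findings.append(f"peer {idx}: no PresharedKey; the private key alone authenticates")
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if listening and any(a in ("0.0.0.0/0", "::/0") for a in allowed):
            findings.append(f"peer {idx}: AllowedIPs {', '.join(allowed)} on a listening "
                            "interface accepts packets from any source address")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit an on-disk config, taking the permission bits from the file itself."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


# Constructed sample: a server config with the problems the checks look for.
LEAKY_SERVER = "\n".join([
    "[Interface]",
    "Address = 10.8.0.1/24",
    "ListenPort = 51820",
    "PrivateKey = " + "A" * 43 + "=",
    "",
    "[Peer]",
    "PublicKey = " + "B" * 43 + "=",
    "AllowedIPs = 0.0.0.0/0",
])

# Constructed sample: the same server after tightening.
TIGHT_SERVER = "\n".join([
    "[Interface]",
    "Address = 10.8.0.1/24",
    "ListenPort = 51820",
    "PrivateKey = " + "A" * 43 + "=",
    "",
    "[Peer]",
    "PublicKey = " + "B" * 43 + "=",
    "PresharedKey = " + "C" * 43 + "=",
    "AllowedIPs = 10.8.0.2/32",
])

if __name__ == "__main__":
    for name, text, mode in (("leaky", LEAKY_SERVER, 0o644), ("tight", TIGHT_SERVER, 0o600)):
        print(f"{name}:")
        for finding in audit_config(text, mode) or ["no findings"]:
            print("  -", finding)
```

Run `audit_file("/etc/wireguard/wg0.conf")` against a real deployment; rotating a peer's keys (and removing the old `[Peer]` block) is the only real remedy once a config is believed leaked, and the check for `PresharedKey` is there to make that leak less likely to be a single point of failure, not to replace rotation.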
See I even tried WG with Docker, but it never could successfully bridge the internal network with my host network. I set up my routes and firewall just like I’ve had to do with OVPN as well, but WG was a no-go.