I’ve been running a home server at home running CasaOS for a few months now. I use a wireguard vpn to remote in to use Jellyfin on my phone etc. Basically i want to know if there’s a way i can both hide my public IP (such as using a conventional vpn for torrenting) while still being able to remote in to my server?
I’ve been thinking of running running all my network traffic through my server and setting up some sort of firewall too, but I’m fairly new to this as this was originally just a project I did out of spite after getting rid of Spotify. I’m fairly green when it comes to networking and servers, but I’m otherwise pretty good with computers and can muddle my way through most things.
Any suggestions are greatly appreciated.
You can’t hide your public IP. It’s public.
I presume your servers sit on your home network, and it’s a basic flat network. And you have a basic home router. And you forward a port on your router to your server that’s running wireguard.
Sound about right?You already use a VPN to access your homelab/home-servers.
So the only ports you are forwarding (presumably) relate to wireguard. So the only accessable ports are secured sensibly (by wireguard, cause thats what it is).So you are already doing everything right.
If you want a fancier router/firewall, then OpnSense or OpenWRT are good options.
But I wouldn’t run everything through your server. Let your server serve. And use a router to do network things.
If you really want to hyperconverge onto a single server like that, then I’d do it inside different VMs (probably running on a proxmox host). Have a VM running OpnSense that only does network and routing. Then VMs for other services.
You’re directly coupling your home internet access to the proxmox host and the VM, tho.
Which is why I prefer using a more embedded/dedicated router appliance (I’m a huge fan of mikrotik stuff, but my home network is TP-Link Omada. Tho I think I’ll move to Unifi)Yeah, sounds about right. Server is on my home network and I’ve forwarded the applicable wireguard ports on my router so I can remote in. I just want to make sure that if I’m running a torrent client on my server or on my phone while I’m connected remotely then I won’t be getting angry letters from my ISP.
Ah, gotcha.
So… You generally have to pay a VPN company to get access to their VPN exit nodes, and “hide” in among all the other traffic.
There is nothing you can self-host to do that.ProtonVPN used to be a popular recommendation, however they are slipping out of favour due to behaviour over the last couple of years.
If you are looking for a VPN for anonymity, be careful of “review” articles posted on blogs owned by dodgy VPN providers.
I’m not sure who the “go to” VPN provider is these days.If you rent a VPS (virtual private server) in order to run your own VPN exit node, and the VPS provider gets a letter regarding illegal activity, then your VPS will be deleted.
I don’t know of a VPS provider that will protect customers privacy WRT legal requests (maybe there are, but they will be exceptionally expensive).So everyone pays a VPN provider that doesn’t keep logs in order to hide amongst the herd.
In order to make sure that your file downloading system uses a VPN instead of the default gateway for internet access is a huge field.
So you need to describe exactly the software you want to use the VPN exit node, and how it’s installed.
Because the solution could be host firewall, docker networking, isolated networks… Pretty sure there are many others.So, I already pay for Proton VPN, mostly for the E-Mail, but I do use the vpn currently on my main PC to torrent, which I then manually transfer to my server over the network, but I would like to eliminate the middleman and torrent directly to the server, while still being able to easily remote in. I run CasaOS on my Homelab and I was planning on installing qbittorrent in a container, probably through Portainer. I’m already running Soulseek on the server the same way (originally I was running slskd, but it was overly complicated to set up and once it was set up and working there were lots of upload errors and I didn’t like the UI, so I changed to a Nicontine+ docker), but that’s just open to the web.
I went through the same thought process as you a while ago, also with CasaOS. I ended up using the *arr suite, Jellyseer and then this container via Portainer https://haugene.github.io/docker-transmission-openvpn/. All the instructions are on there for whichever provider you go with, and all it took was making sure the env variables and permissions were in the right place.
Thanks for the recommendation. Once I found the “n” I mistyped as “m” in one of the file directories it actually went quite well. I looked at setting up sonarr & radarr, but its really just me and my partner using it right now, so I’ll put that on the back burner until I get more storage.
Imo, only services that require a VPN exit node should use a VPN exit node.
https://github.com/qdm12/gluetun
Is a well known VPN container that people use, and works with ProtonVPN.I don’t know anything about how to do this, but a cursory search for “gluetun qbitorrent docker” suggests that gluetun gets
network: "host". Any container that has to use a VPN exit node getsnetwork_mode: "service:gluetun". Adepends_on: {gluetun details}style option will ensure that any service that should use a VPN exit node will not run unless gluetun is running.Then it’s getting the data out of the qbittorent container into whatever you are using as a media server.
Thanks I’ll look into this tonight. I’m still trying to wrap my head around dockers and containers etc. I think I’ve a pretty good handle on it now, but it still hurts my brain after a while.
In that case, maybe look into proxmox and VMs.
Then run docker inside a VM. Have multiple VMs of docker for different environments (eg a VM for containers that should only use a VPN, another for media server stuff, another for experimenting… Whatever)Learning proxmox (or another hypervisor) is well worthwhile, because the base installer sets things up to just work for virtualization. And VMs are great for learning to run services.
Then you can spin up VMs for isolating environments, and have the benefit of oversight and management tools as well as snapshots. Snapshots means you can take a snapshot, tinker and break things, then roll back to a known good snapshot and try again.I use proxmox on any bare metal before I start setting up VMs for services. Even if it’s just a single VM with the majority of resources allocated to it.
Is proxmox overkill for running a server for some docker containers? Yes.
Does it make things easier? IMO, yes. At least operationally safer/easier.
You can setup a docker compose config that routes all of the arr traffic through a gluetun VPN. Below is an example.
https://gist.github.com/stravos97/5c2159d4fb8eb33df75bb4700713e249
Edit: if you need some help feel free to ask. I’m out until tomorrow, but could share after that. I use ProtonVPN and everything routes through that except ports I open to local network to access various service’s GUI.
If you want to keep your IP private, the usual way is to get a different IP. In praxis this means to get a cheap vps at some provider and create a tunnel of some sort to your homenet. Then use the VPSs IP for public access
I was actually just reading about VPS’. So would I run into problems if I was torrenting on the VPS? My plan was originally to have my phone always connected to my network (I stream a lot of music at work and sometimes torrent on my phone, then upload the files to my server) and just set up my server on a vpn, but I really wasn’t sure that was possible or practical.
