Hi all :)
I’ve got a media server set up running Navidrome, Calibre-Web, and Immich along with some other services, and want to get access to them from outside the house now. I’ve read that Caddy is good for securing things by making it easier to set up encryption, but I’m not sure I understand that side of things.
I’ve set up a Cloudflare tunnel for a Minecraft server, and I’ve got Tailscale installed but not set up with an exit server yet, but understand that Caddy would be better. I ideally want to set up apps on my wife’s phone so that she can access the libraries too.
Is it just a case of installing Caddy and setting up the services I want to share through it? That seems too easy, like I’ve missed something.
If it makes any difference, I’ve got a standard UK ISP router with a few ports forwarded, and I’m going to add an access point and then a LevelOne GEP-5070 managed switch to learn about things like VLANs. The link to the switch is here:
https://mayflex.com/shop/product/GEP-5070
I feel like I’m missing something, but can’t think what, so I’d be grateful for any help :)
You must log in or # to comment.
Tailscale and Tailscale SSH (cli) and Sunshine and Moonlight (gui).
I thought that Sunshine and Moonlight were for screen sharing? I’ve only ever seen them used for gaming.
Tailscale meets your needs even without an exit node configured.
Sorry about the slow reply. Don’t I need to be running Tailscale on the remote device then though? Ideally I want to be able to put a link into whichever app / program and be able to share that link with my wife and kid
Well yes but that’s a one-time setup.
I’m a bit dubious about running Tailscale on the family’s devices, as they’re not particularly techy, and will forget to launch it if it isn’t running for whatever reason, and then I get the blame.
Wouldn’t all traffic go through it when it’s running too, or can you select which apps now? They’d mostly be using Android devices.
It’s selective. You just provide the internal address or the Tailscale host name. All other traffic runs outside of the vpn tunnel.
Honestly it takes 10 mins to set up you should try it out.
Ah, that’s cool. I’ll give it a try once I’ve had some sleep, it’s been a long day. Thanks for the help :)
I use Tailscale. It’s much simpler. Just install it on the host and client devices and everything is securely connected.
You may also be interested in Calibre Web Automated (which is similar but with more features)
Sorry about the slow reply.
This is where I get confused with Tailscale. Doesn’t everything then go through Tailscale, like when you run a VPN? Ideally I just want to be able to connect with a link and save that in the remote app / program, and also avoid having my wife forget to start Tailscale and shout at me >.<
Yeah, it operates like a VPN. On my wife’s phone, I installed tailscale and set it as the “always on” VPN so that she never has to touch it. The same goes for computers. You can have it set as a startup app, and it should automatically connect every time.
On some devices, if you want to use another VPN, it can get complicated.
Tailscale only responds to the range of connections that it’s in charge of, so it doesn’t interfere with connecting to normal internet, etc.
That’s great thanks :)
The fact that it can be always on is really helpful, there’s less chance of her forgetting to use it then.
Tailscale only responds to the range of connections that it’s in charge of, so it doesn’t interfere with connecting to normal internet, etc.
This is the other thing that I was concerned about, that everything else would be diverted. Someone else said that it can selectively route apps, and that’s put my mind at ease. I don’t know why, but anything to do with networking gets me mixed up >.<
Thanks for your help, I’m going to have a play with some settings :D
pangolin is cool
Totally unnecessarily complicated though. Just setup Wireguard, Caddy and some routing.
Pangolin is cool. Combines a lot of things you’d normally have to piece together. However, OP already has a secure, operating server. I’m just not sure where OP came to the conclusion to toss in Caddy into an already viable system.
Sorry, I’ve just replied to another comment before I saw yours. I didn’t realise that Cloudflare could deal with encryption on its own, I thought you needed something like Caddy to get certificates. I found out after seeing the other comment that one of my services running through the Cloudflare tunnel is encrypted, but I couldn’t get it to work in the past. I’m not sure what’s changed, but I’m going to give it a proper look once I’ve had some sleep.
There’s something about the networking side of things that just throws me, and I struggle to get my head around it. If I can get things running through Cloudflare, I’ll be very happy :)
Caddy supports mTLS so if your client apps support it you could put everything behind client certs (assuming your services support it)
You also could use plain Wireguard since it might be simpler if you have the option to open up the firewall. I personally use netbird since I’m behind CG nat
I would also deploy IPv6 since it will help a lot of performance on carrier grade Nat networks like mobile data.
I’m still a bit confused with all of this so I might be getting things completely wrong. I thought that I needed to get certificates for anything that I wanted to make public with an URL, and that’s where I thought Caddy came in, but a few of the other replies have said that I can use the Cloudflare tunnel and let them sort out the encryption. That seems like it should be easier for me, as I’ve dealt with it already.
IPv6 isn’t available through my ISP as far as I can tell, they only enable it locally through their router at the moment.
you already have a cloud flare tunnel, so you can add a new entry for a domain and point it to another service. cloud flare handles the encryption. for docker, I have my reverse proxy on port 80 doing the routing and the docker route is http://localhost/
Huh, I didn’t know that! I’ve had the Cloudflare tunnel running for quite a while now, and tried getting something set up on https a few years ago, but couldn’t get it to work. I’ve just checked my Ombi service and it is encrypted. I don’t know what’s changed, but I’m going to have another look, thanks :)
You’ve got Cloudflare tunnels/Zero Trust and Tailscale. You’ve got it wrapped up. Honest Question: What makes you think Caddy would be better? I think adding Caddy would be adding more complexity to a system that is already got everything it needs to operate correctly. I’m not even sure what Caddy would bring to the table in this scenario.
I just replied to your other comment before I saw this one, but I’ll post the reply here too for anyone who’s following the thread :)
The main thing I’m still not sure of is Tailscale. I don’t know if I can just put my services behind an URL for my wife to add to her devices, as she’s unlikely to remember to run Tailscale before she listens to her music, for example.
Sorry, I’ve just replied to another comment before I saw yours. I didn’t realise that Cloudflare could deal with encryption on its own, I thought you needed something like Caddy to get certificates. I found out after seeing the other comment that one of my services running through the Cloudflare tunnel is encrypted, but I couldn’t get it to work in the past. I’m not sure what’s changed, but I’m going to give it a proper look once I’ve had some sleep.
There’s something about the networking side of things that just throws me, and I struggle to get my head around it. If I can get things running through Cloudflare, I’ll be very happy :)
I do appologize for not getting back sooner.
through the Cloudflare tunnel is encrypted,
Yes indeed
I thought you needed something like Caddy to get certificates
You can, and Caddy works well. It just didn’t make sense in this scenario. No worries, mate.
but I’m going to give it a proper look once I’ve had some sleep.
Well. I do have some notes tjat might help put the pieces together, if you get stuck.
The main thing I’m still not sure of is Tailscale
I use tailscale on the server as a
overlayprotective overlay, which could be accessed as well if needed,
