Help using Wireguard or Headscale for a VPN on yunohost

Hello, this is probably a newbie question, so thank you in advance for taking the time to help me.

My YunoHost server

Hardware: ODROID-HC4
YunoHost version: 11.2.10.1 (stable)
I have access to my server : SSH and webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : No

Description of my issue

I’m trying to figure out how to set my instance of YunoHost up with a VPN so I don’t have to open ports on my router. I just can’t figure it out or find any guides for my case, they’re all targeted towards VPS’s. I’m really frustrated and stressed so this post isn’t as good as it should be, I’ll try to make it better later.

Hi genderneutralnoun,

Welcome to the forums!

:frowning:
No fun; how long have you been trying to resolve the problem?

To be sure: you want to run all of your services over the VPN (as opposed to having a VPN available on your Yunohost to connect to when you’re “on the road”), correct?

For some basics (just to be sure, as we don’t know each other yet and I have no indication of your background on networking, internet and server configuration :stuck_out_tongue: ) on how things work:

  • Server:
    • Your (or any) server has one or more IP’s that are used to connect to
    • These IP’s are not very easy to remember for most people
  • DNS:
    • DNS translates from recognizable domain names to IP’s
    • You need to tell your DNS at which IP’s a connection to your server can be made
  • VPN:
    • A virtual “private network”; private network is the 192.168.* network that your router creates at home; “virtual”, because it is not really at home, but spread over the internet
    • A VPN is for that reason also called a “tunnel”: like a tunnel, it connects two points and, from the outside, you can not see what is going on inside of it
    • Like a tunnel, it needs two entries/exits: one at home, one on the Internet

The reason why all guides are targeted at using a VPS, is that it is more flexible and usually cheaper than going with a commercial VPN service.
In the Yunohost room on Matrix there was a very similar post to yours, it mentioned NordVPN. Looking up their prices, their lowest pricing is over €10/month (after the first year of reduced fees); a VPS can be had (eg, I have one here) for €2.50 per month without special offers.

The reason behind that reason is the ‘tunnel’ nature of VPN’s: you still need ‘the other side’ of the tunnel somewhere.

Getting back to your situation

What does your tunnel look like? Which service provides your ‘other side of the tunnel’?

Also not unimportant: there are quite a few reasons people have for not having DNS point to their home IP’s. Which reasons apply to you?

2 Likes

Hi, thank you for the kind reply! It’s a new day where I am, I just woke up, so I’m feeling a lot better and ready to focus on this issue.

And yes, I believe that wanting to run all my services over a VPN is accurate to my use case. I don’t want to open ports on my router (save those essential for making Wireguard work) because of security; I’m still very new to Linux and server administration and my friends who have experience with these things say it’s better to use a VPN. Plus, my ISP blocks port 25; my family is planning to switch to another one soon, but I haven’t been able to find conclusive proof of whether the new ISP does or does not block port 25.

Regarding the basics: I believe I knew most of this already, but the refresher is helpful, so thank you. For the tunnel thing, I’m guessing that the two points the tunnel connects to are your local IP (the one that usually starts with 192.168) and a public IP? Please correct me if I’m wrong.

Actually, that post on the Matrix chat was by me! I have NordVPN for private use and since I already pay money for it, at the time I thought it would be convenient to be able to use it for my YunoHost server as well. After more research I determined that for various reasons, such as NordVPN using non-static IPs, it would probably be better to just set up a Wireguard server on my device.

I should clarify about the VPS point - I was under the impression a VPS was an alternative to having hardware at home where you pay a subscription for usage of hardware owned by the VPS company. Since my setup is on hardware I have at home, I thought it wouldn’t apply to my use case. Is that correct?

I’m not sure what my tunnel looks like. I’m trying to use the Wireguard app for YunoHost, as I’m not sure if installing stuff on a YunoHost device that aren’t made as YunoHost applications is supported. Since you’re asking about which service provides the other side of the tunnel, I’m guessing that’s something I’d have to pay for? I was under the impression that I could just set up Wireguard on its own…

If I understand you correctly, the reason I don’t want DNS to point to my home IP is for security. Like I said before, I’m new to Linux and server administration, and it’s a scary world out there. I would like to be able to keep my and my family’s data private and secure while being able to access it remotely; hence the desire to use a VPN.

Thanks again for responding. I hope this information helps.

Hi GNN,

Good morning and thanks for the clear write-up :slight_smile:

You got everything quite right, just a few lines missing between the ‘dots’.

Good reasons for using a VPS, I think. Nice that you got started on the whole self-hosting adventure :slight_smile:

Correct!

… on each side of the tunnel. Wireguard does not really have a server-program and a client-version; it is a single executable that has both roles, depending on the situation. It’s peer to peer. If one side (Yunohost) is inside your LAN, and you want to have it available on the Internet, you still need some service running Wireguard on the internet.

Yes, it is. Also, you could run everything on a VPS, but it would mean a very small installation or an expensive server, and still not with your data at home.

In this case, you would only run Wireguard on the VPS, which routes all traffic to your actual server. A VPS to run Wireguard hardly needs any resources; if you can find a VPS with 2 GB of storage and 128 MB of RAM, it is more than enough.

Lowest prices can be found on sites such as https://lowend-deals.xbit.win ; I hang around at lowendspirit.com from time to time to see if there are any (recurring) deals and get an impression of the quality/reliability of the provider (make an account there to see exclusive offers as well).

Things to look for in an offer:

  • Is the price recurring (or only the first month/year) ?
  • Is an IPv4 included? Without will work mostly, but in some cases people would be unable to connect. IPv6 should also be included, else people without IPv4 won’t be able to connect. A single IPv4 costs about 1-2 Euro in small volumes, so for small VPS’s a large part of the price is just for the IP.
  • Where is the VPS hosted? If the sun just rose in your place, a VPS in Singapore will make things slower because all traffic has to go there first (or you just got out of bed very late)

Yunohost is a management layer on top of plain Debian (version 11, Bullseye, as of now). Anything that runs on Debian, runs under Yunohost. If things break on your Yunohost, and it is not Yunohost specific (such as the web interface, or diagnosis not working, or some such), finding a solution for Debian will mostly help you solve the problem on your Yunohost. That being said: with the Wireguard apps being available, there’s no need to apt search an alternative.

Next steps?

  • Get a small VPS
    • I see Hizakura is less than 10 Euro/year; I have no servers with them, but they seem to be in good standing.
    • I have multiple servers with Inceptionhosting.com; their VPS’s are priced a bit steeper without special offers, but I have never had an issue in over ten years.
    • Without IPv4 you can get a so-called ‘NAT VPS’, which runs from about 3 euro/year (I have a ‘bundle’ from gullo.me, to run as… VPN’s :stuck_out_tongue: )
  • install Wireguard on the VPS
  • Configure your Yunohost to use Wireguard on the VPS for traffic.
    • consider that without extra configuration, all traffic to your Yunohost will go via the VPN, also photo synchronisation from your phone in the LAN to your Nextcloud installation and that from your Jellyfin installation to your media player.
  • Make notes how you got things up and running. In case you want to switch VPS provider, it will come in handy!

Give a shout when you got stuck. Good luck!

(edit: added the point “configure traffic forwarding”)

1 Like

Thank you, that was very clear and enlightening.

I think I understand what you mean about having a Wireguard “server” on each side of the tunnel. I’m already familiar with the concept of LAN, so… I need a device that is exposed to the internet which has Wireguard on it for the remote IP side, and a device that is on my LAN that has Wireguard on it for the local IP side. Am I understanding it correctly? If so, I can definitely see why people decide to use a VPS for the remote IP side of their Wireguard VPN.

Just to be absolutely sure - there’s no way I could do what I want without having to pay for a VPS? i.e. using a separate device that I own. It’d be nice to have the whole thing on the YunoHost device, but I understand if that’s not possible. And I’m not really objecting to having to pay for a VPS; I just want to understand all the options before I discuss the decision with my parents, as they’d be the ones paying.

On that note, I actually live in the USA, so I’d need to find a VPS provider that provides service to my area and accepts payment in USD. I’ll check your recommendations out to see if they do, but in case they don’t, any recommendations you have for my use case would be awesome. If you don’t have any, just some general advice on how to find a good VPS provider in terms of security and privacy would be great, too. It’ll be kinda tough since the privacy laws for servers located in the USA aren’t too great.

Edit: I checked out your recommendations and I like the gullo.me options. But what do you mean by “without IPv4”? Very few ISPs in the USA provide IPv6, and my family rarely if ever travels outside of the country. According to the plans I see they provide “1 NAT IPv4 w/20 ports” which from my understanding of those terms should be perfect for our use case; I just want to check with you because of what you said about “without IPv4”.

Yes, correct. The device on your LAN is of course your Yunohost. The other end needs to be ‘on the Internet’.

Again, correct. There is no requirement to pay, but there is a requirement to have your server available on the 'Net. For sake of completeness, the options I can think of from cheap via complex to expensive (sorry for the long list):

  • The server is at home, sharing your internet connection
    • need to forward ports in the router
    • need to set reverse DNS / pointer (for antispam)
    • traffic is shared with the home LAN
    • more feature rich routers/firewalls can provide separation of traffic
  • The server is at home, with a separate internet connection
    • the router/firewall can be set to forward all traffic to your server
    • no shared traffic between server and home LAN
    • reverse DNS / mail difficulties still apply
  • The server is at home, using the ‘DMZ’ function of the router
    • some routers provide a ‘demilitarized zone’ on a specific port, that does not share traffic with the LAN, and where all ports are open.
    • reverse DNS / mail difficulties still apply
  • The server is at home, using an external VPN provider
    • even with a dynamic IP it could work, using a DNS provider that supports dynamic dns (dns.he.net does, for free)
    • a fixed IPv4 would be preferable, but seems to come at quite a premium
  • The server is at home, using a VPN via a small VPS you control
    • VPS’s are made to run as a server; this is more flexible than the commercial VPN provider
    • it offers reverse DNS and the IP should not be on a blacklist for mailing (spamhaus, for example)
  • The server is a small VPS on the internet, using storage at home
    • This would need a bit bigger VPS; Yunohost is installed on the VPS, applications that need a lot of space use mounted storage at home (SSHFS, for example)
    • this option is more complex
    • a VPS is made to run as a server, there should be no problems for internet facing applications, but LAN-facing applications (mediaservers, for example) can give trouble
  • The server is a large VPS on the internet, with ample storage
    • Just install everything on the VPS
    • not cheap for large disks
    • not always very easy to expand storage later on
    • a VPS is made to run as a server, there should be no problems for internet facing applications, but LAN-facing applications (mediaservers, for example) can give trouble
  • The server is a ‘dedi’
    • ‘dedi’ for ‘a (hardware) server dedicated to a single customer’: you rent a computer in a datacenter
  • The server is in colocation
    • you rent space in a datacenter and put your own computer there

Of those, I think the option with a small VPS to run a VPN on is low in cost and complexity, and fits with your requirement of keeping traffic out of the LAN at least until you are more accustomed to running a server. Depending on who uses the NordVPN connection for which goals, and how much it costs, you might be able to swap the NordVPN subscription for one or more VPS’s.

If only mail troubles would prevent you from using your home connection, there would be a way out by using a relay for just your mail traffic.

There is one option I left out that is said to come without a financial cost. I think Cloudflare offers VPN services just for your use case. Disadvantages:

  • The 'Net becomes more and more centralized around a few pillars
  • Cloudflare decrypts all your traffic before sending it on. They are an ‘official’ MitM.
  • You could create a dependency on their services, making it hard to leave

You’re in luck :slight_smile: Hardly any provider excludes customers from the US, and payment is usually via Paypal or credit card, automatically exchanging currency. Many providers (also smaller ones) offer services in multiple datacenters around the world. Regarding privacy: you could run a test with some services in the EU; it might be that the delay is hardly noticeable, while having your traffic pass through another jurisdiction while being encrypted.

Yes, 20 ports would suffice, if you could choose those ports by yourself. In this case, the server can be offered very cheaply because it has few resources, and splits a single IPv4 into thousands of blocks with a range of 20+1 ports (20 for application traffic, 1 for SSH access).

Most providers of these services offer some kind of reverse proxy so that you can run a webserver that expects port 80 and 443, but the actual ports available to your VPS are for example 7301-7320 with 7321 for SSH. Many Yunohost services run over HTTPS on port 443 and might be compatible, but many require their own specific port to be able to interact with other servers.

Such a VPS is perfect to run a monitor, a VPN server (but not for your case), just as a server to try things out.

2 Likes

Thank you so much for the clear answers! That gives me a great idea of the options. I agree with you, I think that using a VPS as a VPN would be ideal for my use case. I’ve picked out a provider and discussed it with my dad, who will be discussing it with my mom soon; my dad thinks the price is very cheap, so most likely they’ll decide to go for it.

That’s all the questions I have for now! I’ll mark your earlier response as the solution since it seems like it would be the best for people who have use cases slightly different from me. Thank you again!

1 Like

Great! Good luck from here on, I’m sure we’ll see you around on the forums :slight_smile:

1 Like

Could you go into more detail about this? I’ve tried following these instructions and can’t figure out the part about pointing the DNS to the IP of my VPS.

This point is giving you headaches:

Where do you get stuck? Do you know the IP of your VPS?

Can you point the DNS for your domain to any IP? How to do that depends a bit on your domain provider.

Do you use a domain provided by Yunohost (domain.nohost.me, domain.noho.st, domain.ynh.fr)? They work automatically, once all traffic from your Yunohost runs through your VPS. (I say quite boldly, never having used them :stuck_out_tongue: )

Or did you order a domain by yourself? In that case the domain provider will have an interface where you configure: this (sub)domain is to be found on that IP.

I have domains from a few different providers, but manage most of them via dns.he.net

In their interface it would look like this:

  • add a new A-record (IPv4 domain name)
    [screenshot]

  • In the popup you’d enter the domain, the IP and the cache time (by default it is usually 2+ hours, I set it to 5 minutes because the site has low traffic and high chance I want to review changes)

  • For this domain, the actual domain reseller runs ‘ispmanager’ for management. In that case adding a record looks like this:
    [screenshot]

Other resellers will have other front ends for their DNS server.

Ahhh, so that’s what you meant by it. I know how to do that - I just didn’t know what specifically you meant by “your DNS”. There’s a DNS field in the config files for Wireguard, so I thought that might have been what you meant.

I’ve already set that up, so I don’t think setting the IP is the problem. I’ve been trying different methods of setting up Wireguard over the past few days, none of which worked - usually I manage to have my YunoHost device connect to the VPS as a client, but either the ports don’t register as open (I did in fact test to make sure that I couldn’t access my YunoHost apps through their domains - I can’t) or they don’t register as open AND my YunoHost device gets cut off from the internet completely. At first I thought it was the network configuration on the VPS as described in rungeard’s guide, but now I get the feeling it has something to do with the firewall, as I’m pretty sure the ports on the VPS are already open. Do you have any ideas of things I could check to diagnose this?

Ah, great :slight_smile: The industry isn’t called “Informationoverload & missCommunication Technology” without a reason.

How do you mean, gets cut off?

  • unable to reach it via SSH / webadmin (via the LAN)?
  • unable to ping sites on the internet while connected with keyboard / monitor?

The first case could ‘just’ mean that there is no LAN traffic, with the Wireguard tunnel still intact. Still inconvenient, as long as SSH/webadmin via LAN is your only access :stuck_out_tongue:

Depending on the OS on your VPS, it will default to having no firewall installed and all ports open (just with nothing listening on it, so no open ports in effect)

Depending on the configuration of Wireguard, it will listen on zero or more ports.

Looking into the issue, I think I might have omitted a point in my list above :stuck_out_tongue:

With help of @rungeard’s thread:

This bit is necessary to allow the forwarding of traffic (else the tunnel will only allow traffic originating at Yunohost to go to the VPS, or originating at the VPS to go to Yunohost, but not traffic coming in from the internet via the VPS through the tunnel).

Sorry for that!

1 Like

Both of those apply to what I mean by “gets cut off”.

I’ve done that, actually! I’ll quickly check to make sure it’s been done on both machines. …It was done on the VPS, but not on the YunoHost device, so I’ve done that now.

What do you mean by this? I’m pretty sure Wireguard is configured to listen on the default port 51820, but do I have to configure it to listen on other ports, too? Like port 25 for email to function, and 80 and 443 for HTTP and HTTPS? Please elaborate, if you don’t mind.

Sorry, it does not need forwarding at the Yunohost-end! There is no need for your local traffic to go through the tunnel, or for internet traffic to end up in your LAN via the tunnel.

That is the port where the tunnel connects.

Wireguard turns out to always forward the whole connection; I didn’t pay enough attention to the AllowedIPs and thought it could include ports. It does not, so you can’t go wrong there.

I haven’t used my VPS as a proxy myself. I’d like to help you further, but I think that for the details your best help is to follow Rungeard’s tutorial.

1 Like
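The thread describes the setup in two places without ever showing it: the “Next steps” list (a small VPS running Wireguard that routes Internet traffic to the Yunohost at home) and the later exchange about IP forwarding on the VPS and what AllowedIPs does and does not do. The script below, an added example that is not part of the original posts, of the YunoHost Wireguard app, or of rungeard’s guide, renders both sides of that tunnel as wg-quick configs. It assumes a VPS with public IPv4 203.0.113.10 on eth0 (a documentation address), the tunnel subnet 10.8.0.0/24 with the VPS at 10.8.0.1 and the Yunohost at 10.8.0.2, iptables on the VPS, and placeholder keys; every one of those values is an assumption to replace with your own.

```shell
#!/bin/sh
# Added example for this thread; not code from YunoHost, the Wireguard app, or
# rungeard's guide. Renders the two wg0.conf files for a "VPS forwards the
# Internet into a tunnel to Yunohost at home" setup. All addresses, interface
# names, ports and keys are hypothetical placeholders.
set -eu

VPS_PUB_IP="203.0.113.10"      # assumed public IPv4 of the VPS (RFC 5737 range)
VPS_WAN_IF="eth0"              # assumed Internet-facing interface on the VPS
VPS_TUN_IP="10.8.0.1"          # tunnel address of the VPS (assumed)
YNH_TUN_IP="10.8.0.2"          # tunnel address of the Yunohost peer (assumed)
WG_PORT="51820"                # Wireguard's default UDP port
FORWARD_TCP_PORTS="25 80 443 587 993"   # services to expose; adjust to your apps
VPS_PRIVKEY="<vps-private-key>"   # placeholder; create with: wg genkey
VPS_PUBKEY="<vps-public-key>"     # placeholder; derive with: wg pubkey
YNH_PRIVKEY="<ynh-private-key>"   # placeholder
YNH_PUBKEY="<ynh-public-key>"     # placeholder

# iptables rules for the VPS, one per line. $1 is "-A" (PostUp) or "-D"
# (PostDown). Accept traffic routed into and out of the tunnel, DNAT the
# chosen TCP ports to the Yunohost peer, and masquerade what the Yunohost
# sends out so it leaves with the VPS address (so reverse DNS matches for mail).
vps_iptables_rules() {
  act="$1"
  echo "iptables $act FORWARD -i wg0 -j ACCEPT"
  echo "iptables $act FORWARD -o wg0 -j ACCEPT"
  echo "iptables -t nat $act POSTROUTING -s $YNH_TUN_IP/32 -o $VPS_WAN_IF -j MASQUERADE"
  for p in $FORWARD_TCP_PORTS; do
    echo "iptables -t nat $act PREROUTING -i $VPS_WAN_IF -p tcp --dport $p -j DNAT --to-destination $YNH_TUN_IP"
  done
}

# Number of DNAT rules the VPS config carries (one per forwarded port).
count_dnat_rules() {
  vps_iptables_rules -A | grep -c DNAT
}

# /etc/wireguard/wg0.conf for the VPS. Without ip_forward=1 the VPS only
# terminates the tunnel and never passes Internet traffic into it.
vps_conf() {
  echo "[Interface]"
  echo "Address = $VPS_TUN_IP/24"
  echo "ListenPort = $WG_PORT"
  echo "PrivateKey = $VPS_PRIVKEY"
  echo "PostUp = sysctl -w net.ipv4.ip_forward=1"
  vps_iptables_rules -A | sed 's/^/PostUp = /'
  vps_iptables_rules -D | sed 's/^/PostDown = /'
  echo
  echo "[Peer]"
  echo "# Yunohost at home: only its tunnel address is ever routed to it"
  echo "PublicKey = $YNH_PUBKEY"
  echo "AllowedIPs = $YNH_TUN_IP/32"
}

# /etc/wireguard/wg0.conf for the Yunohost. AllowedIPs is a list of networks,
# never ports: 0.0.0.0/0 sends all of the Yunohost's Internet traffic through
# the VPS, so replies to connections DNATed by the VPS return the same way.
# The home side sits behind NAT with no port forward, so it must initiate and
# keep the tunnel alive; the VPS can never open the connection itself.
ynh_conf() {
  echo "[Interface]"
  echo "Address = $YNH_TUN_IP/24"
  echo "PrivateKey = $YNH_PRIVKEY"
  echo
  echo "[Peer]"
  echo "PublicKey = $VPS_PUBKEY"
  echo "Endpoint = $VPS_PUB_IP:$WG_PORT"
  echo "AllowedIPs = 0.0.0.0/0"
  echo "PersistentKeepalive = 25"
}

# Usage: sh render-wg.sh vps > wg0.conf   (on the VPS)
#        sh render-wg.sh ynh > wg0.conf   (on the Yunohost)
case "${1:-}" in
  vps) vps_conf ;;
  ynh) ynh_conf ;;
  *) echo "usage: $0 vps|ynh" >&2 ;;
esac
```

Two things to check on the VPS once `wg-quick@wg0` is up: `wg show wg0` must list a recent handshake for the Yunohost peer (if it does not, the keys or the endpoint are wrong, or the VPS firewall drops UDP 51820), and `sysctl net.ipv4.ip_forward` must print 1, otherwise the “ports don’t register as open” symptom from the thread appears even though the tunnel itself is fine. The DNAT rules preserve the real client address on the Yunohost side, which keeps fail2ban useful; a split-tunnel variant with AllowedIPs limited to the VPS would need an extra masquerade on wg0 and would lose those addresses. The example covers IPv4 only; an IPv6 address on the VPS needs matching ip6tables rules and `net.ipv6.conf.all.forwarding=1`.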

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.