How to migrate YNH to a local-only server on a non `.local` domain that I connect to through Wireguard

What type of hardware are you using: Raspberry Pi 3, 4+
What YunoHost version are you running: 12.0.10
How are you able to access your server: The webadmin, SSH

Describe your issue

I currently have YNH at home configured in a relatively standard way. Say my “main” domain is example.com with two apps installed there, and Home Assistant installed on a subdomain homeassistant.example.com.

I’m hosting this at home with ports 80 and 443 exposed on my home router, forwarded to YNH. I’d like to not do this, and instead move to a client --wireguard--> VPS --wireguard--> YNH setup.

I found a few threads that look similar to what I want to do (1, 2), but I’m not sure if my situation is exactly the same.

I’d only like to be able to connect to Yunohost through the VPN. If I point example.com at my VPS’s IP address, it might only be for the purpose of having a domain to provide for Endpoint in Wireguard clients.

So, say I reserved internal.example.com as the main domain of Yunohost and added a rule in dnsmasq on my local network to forward requests to internal.example.com to Yunohost. I think I could also configure WG clients to use this same DNS server.

With all of this:

  • will Yunohost be flexible enough to support such a setup in a way that I wouldn’t be constantly working against it?
  • how would certificates work in this situation? As a sort of proof of concept, I was able to set up a Caddy server with a DNS-01 challenge to get a cert for internal.mydomain.test and *.internal.mydomain.test. Would YNH be able to do the same? Or would I have to manage certs “out of band”?

Hi gahamalama,

Your current setup is most standard I think. Your future construction is fairly standard, although it involves more configuration than plain direct-to-home hosting.

Both of them seem to accomplish what you want:

  • have no visible services running at the home IP(s)
  • have a VPS running a VPN as entrypoint for your YNH at home

The second case seems more complex, mixing YNH-functionality on the VPS with VPN functionality for forwarding traffic to two YNH at separate locations.

I don’t quite understand this bit. Care to elaborate?

I never ran YNH in this fashion. Someone else can maybe chime in about results in the diagnosis (I can imagine it’ll find a mismatch between its IP and the IP in DNS, for example).

YNH uses HTTP challenge. As long as all traffic gets forwarded, Letsencrypt will check the token (after domain resolution to the IP of your VPS, via VPN to your home) on YNH’s www directory. I may be mistaken, but I don’t see issues here.

Sure, so I have OpenWRT running on my main router at home, which also acts as a local DNS server with dnsmasq.

I also have a rule to forward requests for internal.example.com and *.internal.example.com to an internal service. For now it’s the Caddy server I used as a proof of concept, but in the future setup I was thinking I’d make it point to the Yunohost service.

With this setup, this is what I’d hope to achieve:

example.com            --> VPS "vpn server"
internal.example.com   --> Yunohost (local)
*.internal.example.com --> YNH subdomain apps

So that’d work “out of the box” if I was on my home network, but if I’m connecting to the VPN outside my network, I think I can configure clients so that they use the same local DNS server (by setting DNS = <local IP of OpenWRT>)

I’m just not sure if YNH would be “okay” with having the main domain actually be a subdomain. Alternatively, maybe I could do:

example.com                --> Yunohost (local)
vpn.example.com            --> vps IP address
^(?!vpn\.).*\.example\.com --> YNH subdomain apps

In either case, I’m not sure if such a setup would mess with the processes for obtaining and automatically renewing certs.

This is a part I’m not quite sure about. In my imagined future state, I’d expect that the only “publicly accessible” thing is the opportunity to connect to the VPS with Wireguard in order to be on the same network as Yunohost. With the way YNH manages certs, would it expect to allow an incoming connection from Lets Encrypt, forwarded along to Yunohost (and obviously without being connected with Wireguard)?
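The split-horizon DNS sketched above relies on dnsmasq’s `address=/domain/ip` rule, which answers for the named domain and everything below it, with the most specific matching rule winning. The following Python model of that matching is an added example, not part of this thread or of OpenWRT/dnsmasq; the two rule sets and the IP addresses (192.168.1.100 for the home Yunohost, 203.0.113.10 for the VPS) are constructed to mirror the two layouts discussed, and a `None` result stands for "not overridden locally, forwarded to the upstream resolver".

```python
import ipaddress


def parse_dnsmasq_address_rules(config_text):
    """Extract (domain, ip) pairs from dnsmasq-style 'address=/domain/ip' lines.

    Comments and unrelated directives are skipped; a malformed IP raises
    ValueError so a typo in the router config is caught before deployment.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("address="):
            continue
        # "address=/internal.example.com/192.168.1.100" -> ['', domain, ip]
        _, domain, ip = line[len("address="):].split("/")
        ipaddress.ip_address(ip)
        rules.append((domain.lower().rstrip("."), ip))
    return rules


def resolve_locally(name, rules):
    """Return the IP the local resolver would hand out, or None if the query
    would be forwarded upstream (public DNS).

    dnsmasq semantics modelled here: an address= rule matches the domain
    itself and every subdomain, and the longest (most specific) match wins.
    """
    name = name.lower().rstrip(".")
    best = None
    for domain, ip in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None


# Constructed config for the first layout: only the private tree is overridden,
# so example.com itself still resolves publicly (to the VPS) via upstream DNS.
LAYOUT_A = """
# internal.example.com and *.internal.example.com -> home Yunohost
address=/internal.example.com/192.168.1.100
"""

# Constructed config for the second layout: the apex and its subdomains are
# private, and only vpn.example.com must keep pointing at the VPS.  Because
# address= covers subdomains, a more specific rule is required for vpn.
LAYOUT_B = """
address=/example.com/192.168.1.100
address=/vpn.example.com/203.0.113.10
"""


def demo():
    """Resolve the names from the thread against both layouts."""
    a = parse_dnsmasq_address_rules(LAYOUT_A)
    b = parse_dnsmasq_address_rules(LAYOUT_B)
    queries = ["example.com", "internal.example.com",
               "homeassistant.internal.example.com", "vpn.example.com",
               "homeassistant.example.com"]
    return {
        "layout_a": {q: resolve_locally(q, a) for q in queries},
        "layout_b": {q: resolve_locally(q, b) for q in queries},
    }


if __name__ == "__main__":
    for layout, answers in demo().items():
        print(layout)
        for name, ip in answers.items():
            print(f"  {name:40s} -> {ip or 'upstream'}")
```

The model makes the trap in the second layout visible: without the `vpn.example.com` line, the apex rule would also capture `vpn.example.com` and WireGuard clients on the LAN would try to reach the VPS at a private address. Whichever layout you pick, the WireGuard client configs need `DNS = <LAN IP of the OpenWRT box>` so that roaming clients see the same answers.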

Yunohost is fine with the main domain being a subdomain (or even a totally unrelated domain).

Another option would be to register the domains for private IPs in your DNS besides your regular records pointing at public IPs.

Indeed. So:

  • Yunohost asks Letsencrypt (outgoing connection, either via VPN or direct at your choosing) “What would you like me to do to prove it’s me?”
  • Letsencrypt answers on that connection: “Give me a file with this name at that location on the server that can be found at your domain”
  • Yunohost writes a file in the www directory and tells Letsencrypt: “OK, here you go”
  • Letsencrypt asks DNS where to find this server, finds the IP of your VPS and connects. Your VPS picks up the connection, forwards it (as all traffic) to the configured endpoint over VPN where it reaches your YNH
  • Nginx on Yunohost receives a request for the specified file, and serves it to Letsencrypt via the tunnel

Ahh okay. So unless I’m missing something, for this to work out of the box with YNH, I’d need to:

  • somehow have Lets Encrypt be a peer on the VPN, which wouldn’t make sense
  • set up a way for only requests to *.internal.example.com/.well-known/ to reach YNH without being a peer on the VPN (not sure if this is possible either)

Or, I could manually manage certificates, say by using acme.sh with a DNS-01 challenge, receiving certs, and copying or linking to places that YNH expects to find them. For now, this seems like a compelling option.

By the way, thanks for taking the time to respond and help out @wbk!


No, indeed, it would not.

Maybe I misunderstood your goal. The goal that most people have with a VPN leading to a VPS in front of their Yunohost is to have the benefits of hosting at home, without possible drawbacks of prying eyes on the IP of their home Internet connection.

Your last remark makes me guess that you want to keep everything closed for the outside world, including the VPS. The VPN on the VPS would ‘just’ become your anchor for connecting to the home network (and Yunohost services), but no (Yunohost or other) services would be publicly available.

Is that correct?

Yep, this is exactly correct.

Ah, that changes the situation! And, to my knowledge, breaks certificate renewal by Yunohost and might throw up some other warnings in diagnostics as well.

With Yunohost more geared towards self-hosting public services than towards private NAS-like behaviour, I think you will need to look into ‘out of band’ management of some things as you suggested in your initial post. In hindsight, it would have helped if it had been mentioned somewhere that nothing will be publicly available :stuck_out_tongue:

DNS-01 is the easiest (only automatic?) way in that case, since Letsencrypt can’t reach your infrastructure either. I recall using this successfully in combination with a DNS A record pointing to a private IP (i.e., 192.168.1.100).

TL;DR, back to your initial question:

  1. Not constantly, I think. Diagnosis will be less helpful (false positives). It depends on the apps you install (Matrix or Mastodon will be slightly lonely without connections from the outside, but will work for your internal messaging).
  2. Yunohost relies on the HTTP-01 challenge, so you’ll need to ‘roll your own’ solution. DNS-01 can issue wildcard domains, so you wouldn’t need to implement signing automation for each domain (only distribution of the resulting certificate).

In any case, when you start a thread in the future, don’t forget to mention “private network, no publicly available services” or some such under “Did you perform any tweaks on your Yunohost”, even though it is not a tweak on your Yunohost itself :wink: