What type of hardware are you using: Virtual machine
What YunoHost version are you running: 12.1.40.1
How are you able to access your server: The webadmin / SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance?: I’m running an instance of Yunohost on Proxmox within a DMZ of my local network
Describe your issue
This is a bit of a general query regarding how to do something rather than a specific thing that is broken.
I run Openwrt as my main border router and a Proxmox instance behind it that runs a VM with Yunohost.
The Yunohost instance is in a DMZ isolated from my main lan. I can connect to my lan via VPN and access Yunohost but I am considering opening up direct access to Yunohost so that I can allow some functionality and apps to be accessed directly.
I’ve previously opened up access to a Yunohost instance on a VPS with its own public IPv4, where firewalls and domain name configuration were fairly straightforward.
In the case of self hosting, the complicating factor is that the main public IP (and potentially domain name) would be shared by both the Openwrt router and the Yunohost instance.
How are people configuring their instance in these kind of situations?
Openwrt has its own webui (Luci) that I am not planning on exposing for external connections.
My initial thought was that external ports would be redirected to the yunohost instance and that internal dns for the domain would point the main domain.com to yunohost while it would also have subdomains for yunohost.domain.com and openwrt.domain.com that would point to the relevant host.
Am I thinking that this is harder than it is or am I missing something that I should be considering?
Share relevant logs or error messages
I don’t have any logs/error messages at the moment
I was in a similar situation. I changed my router web interface to accept connections on a non standard port and forwarded ports 80 and 443 to Yunohost. Now I have a Proxmox lxc running Caddy. Ports 80 & 443 are forwarded to Caddy which reverse proxies Yunohost and other lxc and vm addresses.
Ok yeah, that did remind me that I had thought about that too. So basically running Openwrt 80/443 on some other ports (what would you suggest? I really know nothing about port assignment).
I also know nothing about Caddy and haven’t really got into containers yet (just been using VMs). Should I be thinking about something else between Yunohost and the ports forwarded from Openwrt?
Sounds like you need to keep it as simple as possible for now. Ignore the Caddy stuff and just change your router to accept web connections on some port of your choosing. You say that Yunohost is in the DMZ so there’s no need for port forwarding. Any web requests from the WAN on ports 80 and 443 will find it as long as the router is not listening on either of those.
Also, internally, is it better to point the internal DNS for domain.com to Yunohost, or to the Openwrt device and then forward the ports internally as well?
My thought for this second option was that perhaps, from a DNS server perspective, Openwrt does need to be the root domain internally.
Maybe this could be a clean solution to the problem of freeing up ports 80/443 for YunoHost while keeping LuCI secure:
The basic idea is to configure OpenWrt so that LuCI listens only on 127.0.0.1:80 instead of all network interfaces. As a result, LuCI is no longer directly reachable from the network, and ports 80 and 443 become fully available for forwarding to YunoHost.
Access to LuCI is then established through an SSH tunnel:
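One way to carry out what this reply describes, as an added example that is not part of the original post: bind uhttpd (the web server behind LuCI) to 127.0.0.1:80 via `uci`, hand WAN ports 80 and 443 to the YunoHost VM with firewall `redirect` rules, and reach LuCI through an SSH local port forward. It also includes a small audit function that reads a file in `/etc/config/uhttpd` format and reports whether any listener is still bound to a non-loopback address, run here against two constructed sample sections. Everything network-specific is assumed: the router answering SSH as root at 192.168.1.1, a firewall zone named `dmz`, and the YunoHost VM at 10.0.0.10; OpenWrt's stock uhttpd section name `main` is the real default.

```shell
#!/bin/sh
# Added example (not from the forum thread). Bind OpenWrt's LuCI web server
# (uhttpd) to loopback only, hand WAN ports 80/443 to the YunoHost VM, and
# reach LuCI over an SSH local port forward.
# Assumptions (constructed, adjust to your network): router SSH as root at
# 192.168.1.1, firewall zone 'dmz', YunoHost VM at 10.0.0.10.

ROUTER_HOST="${ROUTER_HOST:-192.168.1.1}"
YUNOHOST_IP="${YUNOHOST_IP:-10.0.0.10}"
DMZ_ZONE="${DMZ_ZONE:-dmz}"

# Audit check, usable anywhere: read a file in /etc/config/uhttpd format and
# return 0 only if every listen_http/listen_https entry binds a loopback address.
uhttpd_listens_loopback_only() {
  [ -r "$1" ] || return 1
  exposed=$(grep -E '^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]' "$1" \
    | awk '{print $3}' | tr -d "'" \
    | grep -Evc '^(127\.0\.0\.1|\[::1\]):[0-9]+$' || true)
  [ "$exposed" -eq 0 ]
}

# Run on the router: replace uhttpd's default listeners (0.0.0.0 and [::] on
# 80 and 443) with 127.0.0.1:80. HTTPS is dropped on purpose: the SSH tunnel
# already encrypts the only path that can reach this listener.
luci_bind_loopback() {
  uci -q delete uhttpd.main.listen_http || true
  uci -q delete uhttpd.main.listen_https || true
  uci add_list uhttpd.main.listen_http='127.0.0.1:80'
  uci commit uhttpd
  /etc/init.d/uhttpd restart
}

# Run on the router: DNAT one TCP port arriving on the wan zone to the
# YunoHost VM in the DMZ zone. $1 = port number.
forward_wan_port_to_yunohost() {
  uci add firewall redirect >/dev/null
  uci set firewall.@redirect[-1].name="yunohost-$1"
  uci set firewall.@redirect[-1].src='wan'
  uci set firewall.@redirect[-1].src_dport="$1"
  uci set firewall.@redirect[-1].dest="$DMZ_ZONE"
  uci set firewall.@redirect[-1].dest_ip="$YUNOHOST_IP"
  uci set firewall.@redirect[-1].dest_port="$1"
  uci set firewall.@redirect[-1].proto='tcp'
  uci set firewall.@redirect[-1].target='DNAT'
  uci commit firewall
}

# From a client on the LAN or VPN: forward local port 8080 to the router's
# loopback:80, then open http://127.0.0.1:8080/ in a browser to reach LuCI.
luci_tunnel() {
  ssh -N -L 8080:127.0.0.1:80 "root@${ROUTER_HOST}"
}

# Constructed sample: the stock uhttpd 'main' section ($1 = output path).
write_stock_uhttpd_sample() {
  cat >"$1" <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option home '/www'
EOF
}

# Constructed sample: the same section after luci_bind_loopback has run.
write_hardened_uhttpd_sample() {
  cat >"$1" <<'EOF'
config uhttpd 'main'
    list listen_http '127.0.0.1:80'
    option home '/www'
EOF
}

case "${1:-}" in
  apply)  luci_bind_loopback
          forward_wan_port_to_yunohost 80
          forward_wan_port_to_yunohost 443
          /etc/init.d/firewall restart ;;
  tunnel) luci_tunnel ;;
  check)  if uhttpd_listens_loopback_only "${2:-/etc/config/uhttpd}"; then
            echo "LuCI listens on loopback only"
          else
            echo "LuCI is still reachable on a non-loopback address"; exit 1
          fi ;;
esac
```

Run `sh luci-loopback.sh apply` on the router over your existing VPN session, not over a LuCI session you are about to cut off; then `sh luci-loopback.sh check` confirms the result, and `sh luci-loopback.sh tunnel` from a LAN or VPN client opens the tunnel. The `check` function is the part worth keeping around: it is a quick way to confirm after any OpenWrt upgrade that the listener did not silently revert to 0.0.0.0.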
It’s also prompted me to think (and I haven’t searched the forums yet) that from a selfhosting / home server point of view, having one device running both your home router and home server would make installation and configuration so much easier.
Previously I had always been thinking about it as something like a Proxmox box running two VMs, one with Openwrt and one with Yunohost, and a standardised configuration between the two. But then I remembered there was an app to manage WireGuard tunnels on Yunohost; if other features such as WAN/LAN configuration etc. were added, you could almost run Yunohost as a single drop-in replacement for your home router.