I’ve vaguely thought about this with Split DNS.
My concern would be the need to set up some non-Tailnet mechanism to expose it to the internet and keep it secure. Either port forwarding, Pangolin, or even using Funnel… all of which would be better off on a separate device (and maybe a separate VLAN)
It’d be an interesting idea for sure, perhaps for when I can get myself the separate Headscale-dedicated device. Although now I’d have to learn the “normal” zone-based networking ahah
That’s a nice thing with Wireguard yea. I’ll keep this in mind if ever I can grok Tailscale to do such things
The many small bugs make Matrix still bad - I wouldn’t recommend a non-tech user unless accompanied by a 24/7 admin. It is trying to improve but very slow because of reasons
Should’ve specifically asked the operators/hosters if they need a better answer. But this has more engagement so
Worth noting that there’s an open issue to support Wireguard peers into Headscale, so you could use it with e.g. a wg0.conf file from a commercial VPN
If you can selfhost and can use containers/docker, I wanna shamelessly plugin my solution: https://github.com/stratself/tswg. Basically mount a WireGuard config from Nord or any upstream VPN, and the container will tunnel traffic to said VPN when you choose it as an exit node.
There are other gluetun + tailscale solutions that are worth a look too
Ah right, completely forgot about that (80 for HTTP-01, 443 for TLS-ALPN-01). Is a bummer unfortunately
Thanks for the guide. How did you get the VPN forwarded port? I believe this depends on the VPN provider’s software?
Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow
Edit: I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware
I’ve poked around Homarr’s setup a bit, and it seems like it can run rootless after a few tweaks!
For anyone interested, I’ve written a POC and feature request here - https://github.com/homarr-labs/homarr/issues/3913
Hope it can be officially supported
Thanks for the advice. I’m already using podman rootless with custom subuid/subgid, which should achieve the same thing
I agree that the file sync is good. They (and owncloud afaik) are the only ones supporting virtual files on windows where you only download files when needed, saving storage space.
I suppose these fancy file features (bidirectional syncing, advanced conflict resolution etc) are targeted to the enterprise, not home users. So it’s natural they’d include it with a bunch of bells and whistles that are half as good
Owncloud had a rewrite called oCIS (Owncloud Infinite Scale). Then it was bought by Kiteworks. Then many of the core devs switched to a new product/company called Opencloud. There’s been quite some history over the past few years
Hey, glad you got it working. I’m late to the party, but I got a similar solution here: https://github.com/stratself/tswg. Basically just mounts your own wg.conf to the container and get Tailscale connected over it
Since Wireguard is peer-to-peer, I suppose the “intended” way is to install Tailscale on every client. But it is possible to use the router as a VPN gateway as per this [OpenWRT guide])https://openwrt.org/docs/guide-user/services/vpn/tailscale/start#force_lan_traffic_to_route_through_exit_node). Hope you get it working anyhow
Two separate functions should go into two separate nodes
and
As an (advanced) alternative to Gluetun + Tailscale I propose tswg (my project)