I currently have my home services set up in a way I like, and think I understand. I have an S12 pro w/ *arr, Overseerr, Immich, paperless, etc running. The only things exposed are immich, paperless, and overseerr. This is via swag/dockerproxy over a cloudflare tunnel. This makes it so I don’t have to do anything on the cloudflare end or my router to add a new service. DockerProxy picks up a new container, swag configures a reverse proxy automatically (assuming it recognizes the container, but it also supports custom configs) using the container_id as the subdomain.
I’m looking at setting up a VPS to host authentik and uptima kuma (to start - maybe ntfy in the future). What I’d like to do is have the public interface on these containers use the same cloudflare tunnel I’m currently using… or a second one, if necessary. For the interface back to my home server, I’d like to use Tailscale. I already have it running on my home server, and I expect I’ll install it on my VPS. The goal here is the “public” connection uses the cloudflare tunnel, and the backend connection is over tailscale.
I’ve tested that I can spin up swag/dockerproxy on a second box in my lab and it will connect to cloudflare. I have not yet tested standing up a container on that box to see if the proxy works as expected.
So, questions:
- Tailscale on VPS: container or no? Obviously, if I can’t install it locally, I’ll put it in a container
- How to I configure a container to use these 2 networks? I’m fairily good on getting the cloudflare part working. The TS part is new to me, and all the documentation I’ve seen doesn’t really cover other containers using the tailnet.
- Am I overthinking this? If I put these services on tailnet alone, will the cloudflare tunnel… tunnel back and forth to/from clients not on tailnet?
You must log in or register to comment.
I’m not sure I understand what you are trying to do, since you’re gonna have a vps, why not move your reverse proxy over to it and have that as the only entrypoint to your network using tailscale or wireguard for it to connect to your home services?
Can you make it work? Yes
Should you make it work? No
It’s going to flakey beyond belief for a number of reasons, and you’ll need some pretty complex routing to make it work how I think you’re describing. I would look at using a clustered setup for your auth instead so you never get locked out due to network issues.
So I learned today that I need to play with the conflate tunnel if I want two systems using one domain. I’m hoping a second api key will help. Honestly, until I tested the second server on the tunnel, that’s been rock solid. Or are you saying using both networks will inject flakiness?
Also, I appreciate the suggestion of clustered with, but none of this is mission critical. If it’s down until I can login/fix, I’m ok with that. Only a 2-3 people using it.
Just reread you comment and I guess it’s the network that will cause issues. To be clear, I think I can make the cloudflare portion work one way or another (I have a second domain i can use if necessary). If my thinking is correct the tailnet communication would be over that IP space - not trying to route to my LAN net. Unless I’m missing something.