Reverse Proxy & Home Internet
I really love my network at home and the small network I've built over the past few years up in the cloud. It's gone through a number of machinations to suit my needs, but I've decided to finally start writing things down in case they help someone in the future (or me in case I screw it up).
To start this little series, I want to call back out my LOVE for cloudron.io. I'm an avid fan of the community and have even packaged some apps. I also use Cloudron to host my teeny, little "get beer money" business (here) as well as where I do all my dev work.
I also love building and breaking things, so, some time ago, I bought a recycled Dell PowerEdge server off eBay. I souped it up thusly:
- Ripped out all the storage and the storage controller (too much power and noise)
- Added an NVMe multiplexer card and dropped 4 NVMe drives in, with bifurcation mode enabled in the BIOS so both physical processors can work with all 4 drives.
- Souped up the RAM from the pansy ass 64GB of RAM to 256GB of RAM.
- Installed Server Core onto an onboard USB drive from IronKey and used Storage Spaces to smoosh those four drives into one phat drive.
The full specs of the above server will be important later, but for now, just know, I got gear and it runs...at my house! Now for the network. One must have access to home from afar (even though with the pandemic, that doesn't happen too often), so I rewired the whole house Ubiquiti style. I may have even talked about that previously ;) It's hooked up to the Internet and, of course, my frankenserver.
Now to the point of all this madness - the internet. I've long been an unhappy customer of Spectrum. $100/mo for just internet to get less than half of the advertised speed is just dumb. Typically, it was 350 down and 50-60 up. Not terrible, but I'm also not a fan of the company itself. What to do? Well, I happen to be a HUGE fan of T-Mobile. My family currently has like 9 lines with them and several hotspots. So, when they announced T-Mobile Home Internet a few months ago, I was all over that. Had to wait though, because the 5GUC towers were still being put up in my town, and only arrived a few weeks ago - huzzah!
Gimme some of that T-Mobile Home Internet and shut off Spectrum - at HALF the price! So, what did I get? 290 down and 50 up with TTL hovering around 11. That's INSANELY cool - not fiber (that's not an option), but look at those speeds. I'm told that the speeds will actually increase to be like my tethering/phone UC speeds, around 800 down and 150 up, soon, so, yah! Here's the rub though, and I'm told a fix is in the works:
- IPv6 is disabled - that's just dumb, and as I monitored the device, it actually got an IPv6 address the other day, but I still don't yet have a delegation. Soon I'm sure since that just literally lit up.
- This one sucks - the network is double NAT'ed. I don't think they are gonna fix this any time soon, but it was ALMOST a deal breaker. I was able to work around parts of it for things like Xbox gaming, but that was really dumb. And it makes accessing my home network IMPOSSIBLE from afar. No VPN, and surely no hosted websites. Or so they say.
There is a fabulous tool I've discovered called NetMaker which allows you to sling servers together with a mesh of WireGuard-connected clients. WireGuard, of course, is a highly efficient "VPN"-like solution that is much better than traditional VPN. I've long wanted to use NetMaker to secure the comms between all of my servers scattered around the cloud. So, I am killing two birds with one stone.
This literally took 5 minutes and I had a point-to-point mesh network between ALL of my servers. How does this help me with no IPv6 and double NAT? Because, unlike a traditional setup where I try to hole punch, port forward, etc (cause TMO blocks ALL inbound traffic), this is a persistent outbound connection to other servers: the home server dials out to the cloud node and keeps the tunnel alive, so nothing ever needs to reach it inbound.
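Here's what that outbound-only tunnel looks like as plain WireGuard config, as an added example rather than anything NetMaker generated for me. The 10.20.0.0/24 addresses, the hostname and the key placeholders are made up; the point is that the home side has an Endpoint and PersistentKeepalive while the cloud side has neither, and AllowedIPs on the cloud side is a single /32 so the tunnel can't be used to wander onto the home LAN.

```ini
# ---- doodlenode: cloud VPS with a public IP (/etc/wireguard/wg0.conf) ----
# Constructed example; addresses, hostname and keys are placeholders.
[Interface]
Address = 10.20.0.1/24
ListenPort = 51820
PrivateKey = <doodlenode-private-key>

# The home server behind T-Mobile's double NAT.
[Peer]
PublicKey = <doodlecloud-public-key>
# Least privilege: only the home server's tunnel address is routed here,
# not its whole LAN. The reverse proxy targets exactly this /32.
AllowedIPs = 10.20.0.2/32
# No Endpoint on purpose: the home server cannot be reached inbound, so
# the cloud node learns the peer's current NAT address from whichever
# authenticated handshake arrives last ("roaming").

# ---- doodlecloud: home server behind double NAT (/etc/wireguard/wg0.conf) ----
[Interface]
Address = 10.20.0.2/24
PrivateKey = <doodlecloud-private-key>
# No ListenPort: nothing inbound reaches this box anyway, so don't listen.

[Peer]
PublicKey = <doodlenode-public-key>
# The only side with an Endpoint: the home server always initiates.
Endpoint = doodlenode.example.invalid:51820
# Only the cloud node's tunnel address is routed, not 0.0.0.0/0.
AllowedIPs = 10.20.0.1/32
# Sends a keepalive from inside the NAT every 25 seconds so the carrier's
# NAT mapping stays open and the cloud node can always reach us back.
PersistentKeepalive = 25
```

Because the home side never accepts an unsolicited packet, a port scan of the T-Mobile address shows nothing; the only thing that can talk to the home server is a peer holding the matching private key.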
Now, my server at the house has a solid and stable connection to another server. Now enter reverse proxies! I really SUCK at config files. They make me angry and want to hurt things. Enter another fabulous tool: nginx-proxy-manager. This tool gives me a GUI that lets me set up proxy hosts on another server, in my case, my "doodlenode" server in the graphic above. AND, it handles certbot for me, so my Let's Encrypt certs are golden:
So, this does a few great things:
- All INBOUND traffic to my home server now lands on my "doodlenode" server out in the cloud.
- Certbot issued a wildcard cert for all my cloudron apps sitting on my home server (which is slightly problematic but I'll explain later)
- I then reverse proxy all of that traffic into the WireGuard interface running on doodlenode, to the WireGuard IP address (10...) of my doodlecloud server.
BOOM.
So, what else can this do for me? Well, now that my home server is back on the internet, I can continue with my fun plans for world domination by using my mesh network to help control all of the things. That's for next time :)