docker-samples/diy-tunnel/README.md

# DIY Tunnel

I **love** Cloudflare Tunnels and routinely use them to expose my self-hosted services to the Internet.  However, there are a couple of limitations that make them less than ideal for some use-cases.

1. They work best with HTTP/HTTPS services.  Other services like SSH / rando-TCP-service require the *clients* to run `cloudflared`.  This prevents running public-facing non-HTTP services via. Cloudflare Tunnels.
2. Cloudflare is the *man-in-the-middle*.  They manage the TLS certificates and, were they evil, they could inspect traffic.

This folder has some sample wireguard configuration to allow a cheap cloud-VPS to forward traffic through a wireguard tunnel to a private server.

* The VPS does not own/manage TLS certificates or any data.
* It supports any TCP services
* The connection is made from the private server to the public VPS, so only the VPS requires a static IP.  The private server can hide behind a VPN and move networks with impunity.
* Through some network trickery, packets are forwarded from the VPS to the private server.  The implication is that the private server sees the actual source IPs for the traffic which allows things like fail2ban to work appropriately.

Requirements:
1. One public facing machine (like a VPS) with a static IPv4 address
2. One private machine running your services
3. Wireguard installed on each (`apt install wireguard` for you Debian/Ubuntu folks)

Steps:
1. Generate keys for both the public and private server.
   1. `wg genkey | tee privatekey | wg pubkey > publickey`
2. Copy `private/wg0.conf` to `/etc/wireguard/wg0.conf` on your private server.  
  * Update the ports `80,443` to be whatever ports you want to pass through.
  * Add the private key for the public server, and the public key for the private server.
3. Copy `public/???/wg0.conf` to `/etc/wireguard/wg0.conf` on your public server.  
  * Update the ports `80,443` to be whatever ports you want to pass through.
  * Add the private key for the private server, and the public key for the public server.
  * Update the public IP for the public server (replace all 999.999.999.999) with your VPS IP
4. Start wireguard on each machine: `wg-quick wg0 up`
5. Enable wireguard on boot on each machine: `sudo systemctl enable wg-quick@wg0`

## Testing:
1. From public server, can ping private IP `ping 10.0.0.2`
2. From private server, can ping public IP `ping 10.0.0.1`
3. Run a webserver on the private server...
   1. From public server: `curl http://10.0.0.2` should work
   2. From workstation: `curl http://publicIP` should work
   3. From the private server: `curl http://publicIP` should also work

That's about it.
many new containers. work in progress 2024-11-02 20:09:56 +00:00			`# DIY Tunnel`

			`I love Cloudflare Tunnels and routinely use them to expose my self-hosted services to the Internet. However, there are a couple of limitations that make them less than ideal for some use-cases.`

			1. They work best with HTTP/HTTPS services. Other services like SSH / rando-TCP-service require the clients to run `cloudflared`. This prevents running public-facing non-HTTP services via. Cloudflare Tunnels.
			`2. Cloudflare is the man-in-the-middle. They manage the TLS certificates and, were they evil, they could inspect traffic.`

			`This folder has some sample wireguard configuration to allow a cheap cloud-VPS to forward traffic through a wireguard tunnel to a private server.`

			`* The VPS does not own/manage TLS certificates or any data.`
			`* It supports any TCP services`
			`* The connection is made from the private server to the public VPS, so only the VPS requires a static IP. The private server can hide behind a VPN and move networks with impunity.`
			`* Through some network trickery, packets are forwarded from the VPS to the private server. The implication is that the private server sees the actual source IPs for the traffic which allows things like fail2ban to work appropriately.`

			`Requirements:`
			`1. One public facing machine (like a VPS) with a static IPv4 address`
			`2. One private machine running your services`
			3. Wireguard installed on each (`apt install wireguard` for you Debian/Ubuntu folks)

			`Steps:`
			`1. Generate keys for both the public and private server.`
			1. `wg genkey \| tee privatekey \| wg pubkey > publickey`
			2. Copy `private/wg0.conf` to `/etc/wireguard/wg0.conf` on your private server.
			* Update the ports `80,443` to be whatever ports you want to pass through.
			`* Add the private key for the public server, and the public key for the private server.`
			3. Copy `public/???/wg0.conf` to `/etc/wireguard/wg0.conf` on your public server.
			* Update the ports `80,443` to be whatever ports you want to pass through.
			`* Add the private key for the private server, and the public key for the public server.`
			`* Update the public IP for the public server (replace all 999.999.999.999) with your VPS IP`
			4. Start wireguard on each machine: `wg-quick wg0 up`
			5. Enable wireguard on boot on each machine: `sudo systemctl enable wg-quick@wg0`

			`## Testing:`
			1. From public server, can ping private IP `ping 10.0.0.2`
			2. From private server, can ping public IP `ping 10.0.0.1`
			`3. Run a webserver on the private server...`
			1. From public server: `curl http://10.0.0.2` should work
			2. From workstation: `curl http://publicIP` should work
			3. From the private server: `curl http://publicIP` should also work

			`That's about it.`