this post was submitted on 20 Sep 2024
25 points (90.3% liked)

Selfhosted

40329 readers
368 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm setting up a self-hosted stack with a bunch of services running on a home device. I'm also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:

  • Caddy proxy on remote VPS (HTTPS, :80 & :443)
  • Wireguard tunnel
  • Caddy proxy in Docker on homeserver (HTTP, :80)
  • app containers in separate isolated subnets, shared with Caddy

I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there's plenty of tutorials; what I'm struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that's not cool with piracy.

Unless I'm misunderstanding, BitTorrent traffic is TCP or UDP, so I'd need Caddy to act as a Layer 4 proxy. There's a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?

top 20 comments
sorted by: hot top controversial new old
[–] MangoPenguin@lemmy.blahaj.zone 11 points 2 months ago* (last edited 2 months ago) (1 children)

Since you already have wireguard you don't need any proxies, just set up wireguard to route through the VPS and you should be good to go.

Or you could install a proxy server on the VPS and enter those settings into qBittorrent, if you don't want to use wireguard as a default route.

[–] andscape@feddit.it 1 points 2 months ago* (last edited 2 months ago) (1 children)

By "set up wireguard to route through the VPS" you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?

qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS's IP address in qBittorrent...

Also that means binding a port on the qBittorrent container directly to the homeserver localhost. I've managed to keep the app containers isolated so far and it'd be nice to keep that, but if proxying the traffic is too annoying I guess I can just say fuck it and go with it.

[–] TCB13@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?

Yes, he means that.

qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…

No. For most things qBittorrent does public IP detection. For the rest your VPS will be doing NAT between the WG interface and the public internet. This means your qBittorrent client sends outgoing packets with the source address of your WG private IP and then the VPS will change those to it's public IP address.

The thing you must be careful about is that you need to restrict qBittorrent to only send and receive traffic on the WG interface, otherwise it will be using both. You can do it in the settings, but the safest way is to do it at the container setup or systemd service level and completely hide any interface that isn't the WG one from it.

[–] andscape@feddit.it 1 points 2 months ago (1 children)

Wow thank you, this is the most useful reply I've received so far!

This means I don't need to mess around with QBT's "proxy" settings? I was pretty confused since the only options available are SOCKS/SOCKS5 and HTTP, but I'm guessing that's a different kind of proxy than what I need...

[–] TCB13@lemmy.world 1 points 2 months ago (1 children)

This means I don’t need to mess around with QBT’s “proxy” settings?

No, you don't. In short, trackers will look at the source address of the incoming connection on their side, that means you VPS IP because you're doing NAT on the VPS.

Just make sure qBittorrent is restricted to the WG interface and nothing else.

[–] andscape@feddit.it 1 points 2 months ago

Fantastic, thank you

[–] HappyTimeHarry@lemm.ee 4 points 2 months ago* (last edited 2 months ago) (1 children)

What you describe doesnt really make sense so ill suggest what i think you really want;

You want your vps to be the wireguard server, the local PC connects as a client this "proxies" your connection so torrent swarms see the IP of your vps.

If you want port forwarding it gets a bit complicated because you need to forward the vps port over wireguard, but this is optional so you dont have to worry if you can't figure it out.

Caddy doesn't really seem relevant unless you want to have a domain name that forwards to your home network.

[–] andscape@feddit.it 1 points 2 months ago

I indeed have a domain name pointing to the VPS IP, with Caddy managing TLS. Other apps are exposed this way, and I will do the same for the qBittorrent WebUI as well. I like having Caddy as a single gateway where I can apply security configs and monitor all traffic, I was hoping I would be able to pass torrent traffic through it as well but everybody seems very much against it.

I already have wireguard setup as you describe so I guess I'll just give up on passing torrent traffic through the proxies and just open a localhost port on the qBittorrent container...

[–] hendrik@palaver.p3x.de 2 points 2 months ago (2 children)

I think what you're trying to do is called a VPN. Set up a VPN that tunnels all the torrent traffic to and from the virtual server.

[–] 0x0@programming.dev 2 points 2 months ago

That's Wireguard, no?

[–] andscape@feddit.it 2 points 2 months ago (1 children)

Yes I already have that set up with Wireguard, what I'm figuring out is how to route traffic through it.

[–] interurbain1er@sh.itjust.works 4 points 2 months ago* (last edited 2 months ago) (1 children)

A) Set up a wiregard VPN server in your remote instance. Or better, get a VPN provider, the VPS is kinda pointless.

B) Assuming you're using docker as you should to run your home server's service, use gluetun to connect to the VPN and route your docker traffic for the instances through gluetun. This will ensure that you have a dead man switch when/if the VPN goes down.

C) set-up a reverse proxy to access the various instance from the outside if that is something you need.

Here's a fully developed config, you can use a jumping point.

https://github.com/geekau/mediastack

[–] andscape@feddit.it 0 points 2 months ago (1 children)

I have already set up all of that. My setup is similar to the one in this blogpost and it's already working for various apps that only use HTTP. What I'm trying to do is to also route BitTorrent traffic (TCP/UDP) over the same setup without opening up entirely new paths.

[–] hendrik@palaver.p3x.de 1 points 2 months ago* (last edited 2 months ago)

Usually that's done by the network routing. Add a default(?) route(?) or make the software bind to the vpn interface. I'm not sure. I think firewall rules can do the same thing. If you're using docker, I'd advise you to use "gluetun" that seems to do everything for you.

Usually people do copyright violation with bittorrent. That means they tend to make sure the routing or dns doesn't leak anything. I think that's usually done by running the software inside of some containers or virtualization. If you do that your setup becomes simpler than inventing a dozen or so firewall rules. Either use gluetun or make the container bind to the vpn in its entirety. So practically the same setup everyone uses for pirating, just that you don't pay for a VPN service, but do that (server) part yourself on your virtual server. Everything else is a good bit more elaborate and complicated...

[–] just_another_person@lemmy.world 1 points 2 months ago (1 children)

I think you're missing the point of what a proxy is. You don't need a proxy in this scenario if you're connected with Wireguard...

[–] andscape@feddit.it 1 points 2 months ago (1 children)

I'm guessing what you mean is setting up port forwarding in Wireguard...

The thing is ideally I would want all connections in and out of my homeserver's Docker network to go through the local Caddy proxy, so the app containers are isolated. That still means having at least the local Caddy acting as a TCP proxy, even if the VPS Caddy is bypassed. If that's too much of a hassle though I can instead just expose a port on the qBittorrent container directly to the homeserver's localhost, and forward that with wireguard to the VPS.

[–] just_another_person@lemmy.world 1 points 2 months ago (1 children)

Nooooo...that's not what I'm saying.

I'm seriously not trying to be rude here, but I went and read the rest of the thread just now. Your understanding of processes, networks and VPNs is wildly misinformed. I think you need to spend some time learning about each before you go and dismiss what everyone is telling you here, which is that you're trying to make an overcomplicated and very inefficient VPN right now.

Running a torrent client through a proxy doesn't isolated a process. Especially not when you're pushing the traffic through a local proxy. You also don't need to forward any ports.

Connect to the VPN, make sure your traffic is routing there properly, and you're done. OR, you really want a proxy, you setup a proxy. You don't need both, and neither gains you any security. If you're concerned about process isolation, that's a whole other thing you should read up on.

[–] andscape@feddit.it -1 points 2 months ago (1 children)

Resetting the "time since last being told I don't know shit on the internet" back to 0 once again...

I already have an existing and working setup used for other apps, it's close to the one described in this blogpost. Yes, it's complicated and inefficient, but it has reasons to be. I want to keep my qBittorrent configuration as close to this setup as reasonably possible for consistency. If your point is that it's counterproductive to follow this setup then... fair enough. I can just route traffic from the VPS to an exposed port on the local qBittorrent container over Wireguard, but that wasn't my preferred solution.

Running a torrent client through a proxy doesn’t isolated a process.

I was talking about network isolation, not process isolation.

make sure your traffic is routing there properly

That was pretty much what I was asking for help with.

[–] just_another_person@lemmy.world 0 points 2 months ago

Well everyone here is telling you what the problem is. If you're trying to go by every step in that blog post you linked, that's wrong for what you're trying to do. That's a reverse proxy for HTTP requests.

[–] Decronym@lemmy.decronym.xyz 1 points 2 months ago* (last edited 2 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
TCP Transmission Control Protocol, most often over IP
TLS Transport Layer Security, supersedes SSL
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

[Thread #981 for this sub, first seen 20th Sep 2024, 10:15] [FAQ] [Full list] [Contact] [Source code]