izarkhin


  1. Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?
  2. Yes, I get that. Going forward I will not forward SSH port and only use SSH over VPN (which I already have set up on my router). I only mentioned Plex as an example. There are other dockers that I share, such as calibre, and I also run a WordPress site, so I will need to forward at least port 443. I guess my real question was: "Short of fully locking my server down behind VPN, what is the most secure way for allowing an extended audience to access content on my server?" I thought letsencrypt/nginx was secure enough. Is it not?
  3. I tried that. Nothing seemed to help, SSH requests kept coming even after I stopped all dockers, until I changed IP and rebooted.
  4. Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my work place doesn't allow VPN, my friends & family use my Plex server, etc.
  5. OK, I stopped all dockers, disabled port forwarding, removed Win10 VM and changed IP address. SSH attempts seem to have stopped. However, I would like to eventually be able to access at least some dockers via reverse proxy. My understanding is that, unless I forward SSH port or a docker contains malware, it should be relatively safe with letsencrypt/nginx, right? Now that Win10 VM is out of the picture, how do I proceed with figuring out which docker contains malware?
  6. I haven't booted my Win VM in at least 2 years, so I don't think that's it. Here is my list of dockers: binhex-delugevpn, binhex-sabnzbdvpn, cadvisor, calibre-web, DokuWiki, duckdns, Grafana, HandBrake, hydra, Influxdb, Krusader, letsencrypt, MakeMKV-RDP, mariadb, medusa, organizr, organizrv2, phpmyadmin, plex, telegraf, radarr
  7. Thanks! I read up on it some. Do I understand it correctly that the idea is that you set up wireguard, then forward its port and use it as the tunnel to access nginx/letsencrypt, so you can keep accessing your dockers via reverse proxy? What is the advantage compared to setting up regular VPN on my router? Sorry, I'm new to this. There are quite a few guides on setting up wireguard but nobody tells you how to use it afterwards.
  8. It's not really helpful. What security measures?
  9. Thanks for looking into this. I updated to 6.8.2 (was 6.8.0 before) and attached the diagnostics. Oh, and one more thing: the provider said that suspicious traffic originated from port 55612. tower-diagnostics-20200212-0825.zip
  10. Hi guys! I really hope someone can help me here. I received an email from my Internet provider stating that they detected malware traffic coming from my WAN IP. It prompted me to check my router logs and I see a lot of traffic going from my unRAID IP address to all kinds of weird sites. Unfortunately, my Advanced Tomato router only gives me timestamp, originating IP and domain accessed. What can I do to identify the source of the problem? Are there any tools for selective traffic monitoring that provide more info? Thanks!
  11. How did you fix it exactly? I'm having the same issue. Update: issue fixed. Thank you for pointing to CTF being the root cause! I've been fiddling with my router settings for almost 3 weeks now
  12. NAT Loopback is set to "All" and NAT Target - to "MASQUERADE" (as they have been before), so I don't think that's it. Here is an abbreviated output of the "iptables -n -L -v -t nat" command:

          Chain PREROUTING (policy ACCEPT 5731 packets, 389K bytes)
          pkts bytes target         prot opt in  out    source      destination
            92  5686 WANPREROUTING  all  --  *   *      0.0.0.0/0   [public IP]

          Chain POSTROUTING (policy ACCEPT 26 packets, 1620 bytes)
          pkts bytes target         prot opt in  out    source      destination
          5110  330K MASQUERADE     all  --  *   vlan2  0.0.0.0/0   0.0.0.0/0

          Chain WANPREROUTING (1 references)
          pkts bytes target         prot opt in  out    source      destination
             1    44 DNAT           icmp --  *   *      0.0.0.0/0   0.0.0.0/0    to:[Advanced Tomato IP]
             0     0 DNAT           tcp  --  *   *      0.0.0.0/0   0.0.0.0/0    tcp dpt:443 to:[unRAID IP]:[letsencrypt HTTPS PORT]
             0     0 DNAT           tcp  --  *   *      0.0.0.0/0   0.0.0.0/0    tcp dpt:80 to:[unRAID IP]:[letsencrypt HTTP PORT]

      My understanding is that, according to this, all outbound requests for my duckdns subdomain from LAN should be pre-routed to [public IP] and then post-routed back to letsencrypt. Am I wrong?
  13. Hi guys! I really hope somebody can help me here. I switched from Comcast to AT&T Gigabit last week. AT&T forces you to use their own gateway. I configured it for IP passthrough in order to keep my Advanced Tomato wireless router setup. Now I can't access my duckdns subdomain from LAN. Externally everything still works. Here are the symptoms:
      • [mysubdomain].duckdns.org works fine externally
      • [mysubdomain].duckdns.org from LAN says "Establishing secure connection..." and then "This site can't be reached"
      • I can successfully ping [mysubdomain].duckdns.org from LAN and get public IP back
      • I can successfully trace [mysubdomain].duckdns.org from LAN
      • duckdns.org website shows the correct public IP
      • my Advanced Tomato router shows the correct public IP address forwarded to its WAN port
      • I restarted letsencrypt container and didn't see any errors in the log
      • I restarted duckdns container and didn't see any errors in the log
      • I didn't make any changes, other than replacing Comcast cable modem with AT&T gateway and configuring it for IP passthrough. I.e. port forwarding, nginx config, etc. are still the same and it worked fine before
      What am I missing? How can I troubleshoot?
  14. Was anybody able to solve this? I'm having the same issue. I copied WebAPI-0.4.0-py3.7.egg to the /conf/plugins directory, restarted the container, but the plugin doesn't show up in WebUI. Please help!
  15. Yeah, it definitely has something to do with language. I tried adding an English language show and it worked fine. Any thoughts?