unRaide, posted January 25, 2018

I've followed @gridrunner's awesome guide to set up @binhex's SabNZBd VPN docker, which includes privoxy. I then proxied my radarr and sonarr dockers to use the privoxy proxy, which seems to be working great.

What I am trying to do now is be able to remotely access the dockers that are using privoxy (sonarr, radarr), which isn't working. My VPN provider, airvpn, has a port forwarding feature which I'm able to use to access sab, but this doesn’t work for anything else.

To be honest I'm not sure exactly how/if this can work? It seems like all VPN traffic is going to the sab docker and I then need to have privoxy forward it to the other dockers... does that sound correct and is there any way to do this? Or are there any other ways to achieve this if I can't do it with my current setup?

Thanks

kreene1987, posted January 25, 2018

I can access my stuff through LetsEncrypt reverse proxy. Are you using that?

Edited January 25, 2018 by kreene1987

JonathanM, posted January 25, 2018

16 hours ago, unRaide said:
> My VPN provider, airvpn, has a port forwarding feature which I'm able to use to access sab, but this doesn’t work for anything else.

If this works, then you should be able to point the port forward to the LE reverse proxy address instead. That would be pretty cool if it worked, I've never seen anybody set it up that way. How do you keep up with the endpoint IP address? Does airvpn assign you a static IP in their public IP space?

SpaceInvaderOne, posted January 25, 2018

20 hours ago, unRaide said:
> I've followed @gridrunner's awesome guide to set up @binhex's SabNZBd VPN docker, which includes privoxy. I then proxied my radarr and sonarr dockers to use the privoxy proxy, which seems to be working great.
>
> What I am trying to do now is be able to remotely access the dockers that are using privoxy (sonarr, radarr), which isn't working. My VPN provider, airvpn, has a port forwarding feature which I'm able to use to access sab, but this doesn’t work for anything else.
>
> To be honest I'm not sure exactly how/if this can work? It seems like all VPN traffic is going to the sab docker and I then need to have privoxy forward it to the other dockers... does that sound correct and is there any way to do this? Or are there any other ways to achieve this if I can't do it with my current setup?
>
> Thanks

Hi, why not set up an Openvpn-as docker container on your server? Then you can access the server and Docker containers using their local IP address.

unRaide, posted January 26, 2018

13 hours ago, kreene1987 said:
> I can access my stuff through LetsEncrypt reverse proxy. Are you using that?

Yea, I've been meaning to look into this... might be a good time to do that now. Did you use Cyanlab's tutorial to set it up? Were you able to upgrade to UR 6.4 without issue?

11 hours ago, jonathanm said:
> If this works, then you should be able to point the port forward to the LE reverse proxy address instead. That would be pretty cool if it worked, I've never seen anybody set it up that way. How do you keep up with the endpoint IP address? Does airvpn assign you a static IP in their public IP space?

Hmm, not sure how it works to be honest.

6 hours ago, gridrunner said:
> Hi, why not set up an Openvpn-as docker container on your server? Then you can access the server and Docker containers using their local IP address.

Hi @gridrunner! I was thinking about doing that as well. So you mean that I would connect the Open VPN docker directly to my VPN provider, is that correct? From the little I've read online it seems that some people discourage connecting your UR server directly to your VPN as they say it poses a security risk where other VPN users could gain access to your server? Is that accurate?

Btw... really love your tutorials!!!! I've literally spent the last three weeks going through them one by one setting up my server.

Edited January 26, 2018 by unRaide

JonathanM, posted January 26, 2018

23 hours ago, unRaide said:
> My VPN provider, airvpn, has a port forwarding feature which I'm able to use to access sab, but this doesn’t work for anything else.

So what IP and port do you connect to when you are outside your LAN that allows access to sab?

unRaide, posted January 26, 2018

4 hours ago, jonathanm said:
> So what IP and port do you connect to when you are outside your LAN that allows access to sab?

You connect to <custom name>.airdns.org:<generated port>

Custom name can be a shortcut you specify, like sab.airdns.org:43323 would be the full URL. They also allow you to map the external generated port to a specific local port of your choosing.

How this actually works I have no idea :)

Edited January 26, 2018 by unRaide

JonathanM, posted January 26, 2018

5 hours ago, unRaide said:
> You connect to <custom name>.airdns.org:<generated port>
>
> Custom name can be a shortcut you specify, like sab.airdns.org:43323 would be the full URL. They also allow you to map the external generated port to a specific local port of your choosing.
>
> How this actually works I have no idea

That's pretty cool! If you map the local port to the one you set up for nginx, you could access all your reverse proxied apps through it. Since you can't control 443 or 80 at their end, you wouldn't be able to use the LE docker, but you could set up the plain nginx docker, and you could still use SSL, but you would have to be satisfied with self-signed certificates.

All this assumes running the VPN connection to airvpn outside of the sabnzbd vpn docker, either using your router or possibly the openvpn plugin. I don't know of a way to accomplish it using @binhex's VPN enabled dockers.

Also, you would need to keep track of the generated port so you would know what to use for the URL.

binhex, posted January 26, 2018

1 hour ago, jonathanm said:
> That's pretty cool! If you map the local port to the one you set up for nginx, you could access all your reverse proxied apps through it. Since you can't control 443 or 80 at their end, you wouldn't be able to use the LE docker, but you could set up the plain nginx docker, and you could still use SSL, but you would have to be satisfied with self-signed certificates.
>
> All this assumes running the VPN connection to airvpn outside of the sabnzbd vpn docker, either using your router or possibly the openvpn plugin. I don't know of a way to accomplish it using @binhex's VPN enabled dockers.
>
> Also, you would need to keep track of the generated port so you would know what to use for the URL.

I personally wouldn't recommend using the port forward function of your VPN provider as a way of connecting to internal applications. Firstly the port can change (yes, I'm aware airvpn has a set port but most don't), and secondly you lose any fine control over when that port is open and who can connect. Much better to define this on your router and either port forward directly to the application or reverse proxy, but each to their own.

And yes @jonathanm, using the port forward in the docker images I have produced is not possible, they are highly secured using iptables so it's a no go, at least not without a fork and a lot of time and effort it isn't :-).

JonathanM, posted January 26, 2018

3 minutes ago, binhex said:
> And yes @jonathanm, using the port forward in the docker images I have produced is not possible, they are highly secured using iptables so it's a no go, at least not without a fork and a lot of time and effort it isn't :-).

I figured as much, and it's not the proper way to do it anyway. However,

3 minutes ago, binhex said:
> Much better to define this on your router and either port forward directly to the application or reverse proxy, but each to their own.

If you have that option, fine, but there have been instances where folks couldn't modify their router, or their ISP is using NAT, so it's interesting to me that it is possible, and even semi easy to accomplish remote access through a 3rd party VPN connection. I don't see it as massively more insecure than forwarding directly through your own router, unless I'm missing something. As soon as you take the VPN down, you are unreachable, and you should still be able to filter based on incoming IPs if you wanted.

I see it as an intriguing alternative for those who don't control their external IP.

unRaide, posted January 26, 2018

7 hours ago, binhex said:
> I personally wouldn't recommend using the port forward function of your VPN provider as a way of connecting to internal applications. Firstly the port can change (yes, I'm aware airvpn has a set port but most don't), and secondly you lose any fine control over when that port is open and who can connect. Much better to define this on your router and either port forward directly to the application or reverse proxy, but each to their own.
>
> And yes @jonathanm, using the port forward in the docker images I have produced is not possible, they are highly secured using iptables so it's a no go, at least not without a fork and a lot of time and effort it isn't :-).

6 hours ago, jonathanm said:
> I figured as much, and it's not the proper way to do it anyway. However,
>
> If you have that option, fine, but there have been instances where folks couldn't modify their router, or their ISP is using NAT, so it's interesting to me that it is possible, and even semi easy to accomplish remote access through a 3rd party VPN connection. I don't see it as massively more insecure than forwarding directly through your own router, unless I'm missing something. As soon as you take the VPN down, you are unreachable, and you should still be able to filter based on incoming IPs if you wanted.
>
> I see it as an intriguing alternative for those who don't control their external IP.

Thanks guys!
So just for my own clarification there are a few ways of tackling this:

1. Set up VPN at router
   I'd love to do this, unfortunately my router isn't powerful enough to handle anything above 3Mb/s, which is a fraction of my available bandwidth.
2. Set up Open-VPN docker and connect directly to AirVPN and use their port forwarding to reach services externally
   Easiest solution but may not be as secure as #1.
3. Set up reverse proxy LE docker to access all services remotely
   @jonathanm you mentioned that I wouldn't be able to use LE if connecting through AirVPN as they don't allow using ports. That said, it is possible to map the external port to any internal port. Would I be able to use this to set up LE? Alternatively, could I use a different port altogether, i.e. 8443?
4. Continue to use @binhex's sabvpn docker to route all traffic through privoxy to VPN AND set up reverse proxy LE docker to access all services remotely
   This seems as secure as #1, although I'm not sure if it's actually possible? Similar to #3, I'm wondering if I continue to route all docker traffic through sabvpn would I then be able to set up a "normal" LE reverse proxy for remote access, seeing as I wouldn’t be going through AirVPN, i.e. using duckdns or something similar?

As you can probably tell I have just enough knowledge on this stuff to make it dangerous, so any additional guidance would be greatly appreciated!! I'm really just looking for the most secure, convenient, and maintenance-free way of encrypting all my media docker containers as well as having a way to access all unraid services remotely.

Thanks

Fyi, here is the help for AirVPN's port forwarding:

JonathanM, posted January 26, 2018

I vote for option 5, set up OpenVPN as a host instead of a client on your unraid and connect to it. If you don't have a static IP from your ISP, you would probably want to set up a duckdns or similar.

SpaceInvaderOne, posted January 27, 2018

Yes, exactly what @jonathanm says. Set up OpenVPN-as so you can connect to your server from a remote location securely. This is very different from using a VPN provider such as airvpn. Using airvpn/pia etc. you are connecting to them as a client and they are the server.

Running OpenVPN-as (the "as" stands for access server) will allow you to connect to your local LAN (so your unRAID server, Docker containers etc.) just the same as when you are at home.

You would continue to use @binhex containers sabvpn, delugevpn as these are for outgoing connections and connect through a commercial VPN as a client.

So you would, by doing this, be running an OpenVPN server to access your stuff. And secondly an OpenVPN client to anonymously connect the docker containers through, i.e. sabvpn.

Hope that makes sense.

unRaide, posted January 27, 2018

3 hours ago, gridrunner said:
> Yes, exactly what @jonathanm says. Set up OpenVPN-as so you can connect to your server from a remote location securely. This is very different from using a VPN provider such as airvpn. Using airvpn/pia etc. you are connecting to them as a client and they are the server.
>
> Running OpenVPN-as (the "as" stands for access server) will allow you to connect to your local LAN (so your unRAID server, Docker containers etc.) just the same as when you are at home.
>
> You would continue to use @binhex containers sabvpn, delugevpn as these are for outgoing connections and connect through a commercial VPN as a client.
>
> So you would, by doing this, be running an OpenVPN server to access your stuff. And secondly an OpenVPN client to anonymously connect the docker containers through, i.e. sabvpn.
>
> Hope that makes sense.

Hi guys, thx again for the guidance...

Forgot to put that one on the list as it scored low on my convenience scale. Not loving the idea of having to always connect to the VPN before using any services, but that said I can live with it if you guys aren’t excited about 1-4?

Given this option, how are you guys accessing your Plex/Emby server remotely? Do you just have the port exposed? I have a few family/friends that connect to my server who would be pretty bummed if I cut them off.

witalit, posted May 4, 2019

On 1/27/2018 at 1:24 AM, SpaceInvaderOne said:
> Yes, exactly what @jonathanm says. Set up OpenVPN-as so you can connect to your server from a remote location securely. This is very different from using a VPN provider such as airvpn. Using airvpn/pia etc. you are connecting to them as a client and they are the server.
>
> Running OpenVPN-as (the "as" stands for access server) will allow you to connect to your local LAN (so your unRAID server, Docker containers etc.) just the same as when you are at home.
>
> You would continue to use @binhex containers sabvpn, delugevpn as these are for outgoing connections and connect through a commercial VPN as a client.
>
> So you would, by doing this, be running an OpenVPN server to access your stuff. And secondly an OpenVPN client to anonymously connect the docker containers through, i.e. sabvpn.
>
> Hope that makes sense.

Is this when OpenVPN is installed as a docker? I found when I install it as a docker I am unable to access other docker IPs, and someone responded before to say it's a restriction with macvlan.