Hello all, I have been hosting several of my own servers for years now and everything works great. I have my own domain name pointed at my home connection, got my reverse proxy just right, etc, etc, everything is peachy.
The problem is my ISP! I moved to a new house about 2 years ago, and there have been non stop dropouts with my internet ever since. And my ISP is showing zero interest in trying to actually fix it.
So I’m considering changing providers. The problem is, from my understanding, port forwarding just simply isn’t possible with many of these guys, and even when it is, they often block ports such as 80 and 443.
So my thought is this:
Rent a VPS, point my domain at the VPS, set up a VPN server on the VPS and connect a client on one of my servers to the VPS. This should open my whole network up to the VPS; then I move my reverse proxy to the VPS and I should be good to go regardless of what internet connection I have.
My concern is that I’ve never done this before, I don’t know what ports are generally open on a VPS or what security issues I may run into. I also don’t know what software would be the easiest, or most stable for the job.
I’ve looked into things like pagekite but I don’t want something that has to be run on each individual server. I want things to remain as “normal” as possible, just using a different entry point.
Edit:
I should add that I already have ZeroTier set up to access my whole network when a client connects, so I can probably use that and set up a ZeroTier client “in the cloud”.
I have also looked into a service like Portmap.io if anyone has any recommendations on that.
I think your approach is reasonable. I have a similar setup using a routed IPSec tunnel to my VPS. A reverse proxy runs on the VPS, which inspects the hostnames of requests in order to direct connections to backend servers running on my local LAN. I use HAProxy in TCP mode for this purpose, to maintain end-to-end encryption between the client and the backend server. You can accomplish something similar with the Nginx stream module, IIRC.
My concern is that I’ve never done this before, I don’t know what ports are generally open on a VPS or what security issues I may run into.
It depends on the template used to instantiate the VPS, but generally all ports are open. Some VPS providers include an external firewall that can be configured from the web UI, but it’s generally expected that administrators set up their own stateful firewalls using iptables/FirewallD/UFW/etc in addition to this.
Naturally, extending your LAN to a remote datacentre introduces some security concerns. For example:
A public IPv4 address (and potentially an IPv6 GUA).
An additional system to maintain and secure.
Thousands of SSH connection attempts daily.
Potential security issues introduced by your provider’s configuration.
By default, your VPS filesystem will probably not be encrypted.
You will need to secure your VPN properly (e.g. authentication and authorisation).
The VPS may potentially have routes to your trusted LAN networks, if configured for this purpose.
As for the best VPN software to use, I am only familiar with Strongswan (on pfSense) and Libreswan (on CentOS). Strongswan has more features than Libreswan, but neither has great documentation. Troubleshooting IPSec is a PITA, so you may consider looking for other solutions. For authentication, I use mutual RSA with Let’s Encrypt certificates as the secret. You could get away with a pre-shared key in most cases.
One other concern of this approach is DNS. Ideally, you want to have split-horizon DNS configured so that each system in your LAN (including the VPS) can resolve the hostnames of your servers (but not the VPS) to their respective private IP addresses. You don’t want your reverse proxy to forward connections to itself, because service.example.com resolves to its own public IP address. You also don’t want your local tunnel endpoint to try to establish the tunnel through the non-existent tunnel, because vps.example.com resolves to a private IP address. A workaround to avoid this concern is to hardcode private IP addresses in your reverse proxy configuration.
You mentioned Portmap.io, which is a managed service designed specifically for this purpose, though I have no experience with it. It’s certainly worth considering if you don’t intend to use your VPS for anything besides remote access.
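A minimal HAProxy TCP-mode configuration of the kind the reply above describes, added here as an illustration rather than the reply author’s own config. The hostnames and the 10.8.0.0/24 tunnel-side addresses are constructed; the backends are addressed by private IP directly, which is the hardcoding workaround for the DNS loop mentioned above.

```haproxy
global
    log /dev/log local0
    # Drop privileges once the listening sockets are bound
    user  haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# TLS passthrough: HAProxy never terminates TLS. It only reads the SNI
# field from the ClientHello and hands the raw TCP stream to the LAN host,
# so the certificates and private keys stay on the backends.
frontend https_in
    bind *:443
    option tcplog
    # Wait (at most 5s) for the ClientHello so req.ssl_sni is populated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl sni_web   req.ssl_sni -i web.example.com
    acl sni_cloud req.ssl_sni -i cloud.example.com

    use_backend web_lan   if sni_web
    use_backend cloud_lan if sni_cloud
    # Deliberately no default_backend: a missing or unknown SNI closes the
    # connection instead of being forwarded to some LAN host.

# Backends use the tunnel-side private addresses (constructed values), not
# the public hostnames, so resolution never loops back to the VPS itself.
backend web_lan
    server web   10.8.0.10:443 check

backend cloud_lan
    server cloud 10.8.0.11:443 check

# Plain HTTP is only used to push clients to HTTPS
frontend http_in
    mode http
    bind *:80
    option httplog
    http-request redirect scheme https code 301
```

If the LAN hosts renew their Let’s Encrypt certificates with the HTTP-01 challenge, proxy /.well-known/acme-challenge/ on port 80 to the relevant backend instead of redirecting it.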
I have a VPS running an OpenVPN server, and an RPi as VPN client to route the VPN network to my home network. I didn’t actually use a reverse proxy on the VPS, but I do use it to access my home network.
Do VPSs have port forwarding or something similar? Or are all ports open? I’m a bit new to dealing with “the cloud” and I’m concerned that if there are open ports on the VPS and the VPS has an active VPN connection with my home network, I may be exposing more than I intend.
Upvote for using haproxy in TCP mode or nginx for reverse proxying HTTP/SSL traffic. I do this with a few VPSes to onsite-hosted services. (Also, haproxy can be used for proxying SMTP – another useful trick if you’re stuck behind a residential connection!)
Do VPSs have port forwarding or something similar? Or are all ports open?
All ports are open by default. The first thing I do when I spin up a VPS is install the UFW firewall and limit which ports I want open, and which IPs can access them.