How would you proxy to your server?

Hi everyone,

I am a long time reader but just recently registered for an account. First of all thanks for all the offers, input, discussions and the drama - let's not forget the drama. :)

I am searching for the best way to access services on a dedicated server. This server is behind a CGNAT and only has a public IPv6 (no IPv4). Currently I am using a small VPS, running a reverse proxy on it and using a WireGuard tunnel to proxy services running on the dedicated server. I feel like this is not the most performant solution, but it works.
I do not want to access everything using a VPN, as I want friends and family to access the services too. Also, I do not want to use Cloudflare tunnels because I may also want to forward ports other than 80 and 443.

I am currently also evaluating a GRE tunnel (by @noezde). However, I am having some technical issues.

Thanks a lot in advance for your input and ideas. :)

Comments

  • rm_, IPv6 Advocate, Veteran

    @stantropics said: Currently I am using a small VPS, running a reverse proxy on it and using a wireguard tunnel to proxy services running on the dedicated server. I feel like this is not the most performant solution but it works.

    How exactly is it not performant? Run iperf3 between the VPS and the dedi using VPN IPs to find out the actual network speed over WG. I feel WireGuard is far from being any kind of bottleneck, unless the VPS is really crappy and slow.

  • Hotmarer, Member
    edited January 26

    You can always try something like ZeroTier/Tailscale, but these applications are more classified as VPNs. Tailscale has a very simple ability to share devices with friends, so this will be a plus for you. You can also create policies so that, for example, dad has access to ports 80 and 8080 of the device, and mom only has access to port 4000.

    You can use the self-hosted Tailscale management system named Headscale.

    Thanked by 1: stantropics
  • concept, Member
    edited January 27

    Tailscale is the way to go. Easy to set up and their documentation is pretty good.

    Thanked by 1: stantropics
  • rm_, IPv6 Advocate, Veteran

    Nothing is easier to set up than something you already have set up. Tailscale uses the same WireGuard under the hood, btw.

  • I use netbird.io

  • I second @rm_. There is nothing wrong with this setup, OP. Sure, you could investigate different VPN/tunnel technologies, but whether you'd gain much of anything by doing so is beyond questionable. WireGuard is already very performant and moving to GRE is unlikely to buy you any headroom. If you are experiencing performance problems, it, as @rm_ said, likely comes down to the general VPS performance being lacking or some kind of configuration error (like, for example, a bad MTU setting somewhere).

    Thanked by 2: tmntwitw, stantropics
  • If you don't want to use tailscale servers you can also run https://github.com/juanfont/headscale

    Thanked by 1: stantropics
  • The reverse proxy is redundant; you only need WireGuard and some NAT firewall rules.

  • rm_, IPv6 Advocate, Veteran

    @darkimmortal said: you only need WireGuard and some NAT firewall rules

    Assuming the dedi doesn't want to direct ALL of its outgoing traffic via the same WireGuard link, it might be tricky to impossible to do what you say. And that is if you are not doing NAT, so that all external clients don't appear to be coming from one single IP.

  • @totally_not_banned said:
    I second @rm_ . There is nothing wrong with this setup OP.

    Thanks everyone for your assessment and ideas. Good to hear that the solution in general is not totally crappy. :)

    @rm_ said:
    How exactly is it not performant? Run iperf3 between the VPS and the dedi using VPN IPs to find out the actual network speed over WG. I feel WireGuard is far from being any kind of bottleneck, unless the VPS is really crappy and slow.

    This was more of a gut feeling than some deep technical analysis. I would not guess the VPS is crappy, as I am generally very happy with it (thanks @mxmla). However, it is not very performant (~1/2 core, 2GB RAM) and the VPS is located in NL, so currently all traffic travels from DE to NL and back most of the time.

    Here is the iperf3 result:

    Connecting to host xxx.xxx.xxx.xxx, port 5201
    [  5] local yyy.yyy.yyy.yyy port 50742 connected to xxx.xxx.xxx.xxx port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec  27.4 MBytes   230 Mbits/sec   33   1.24 MBytes       
    [  5]   1.00-2.00   sec  27.5 MBytes   231 Mbits/sec    0   1.38 MBytes       
    [  5]   2.00-3.00   sec  26.2 MBytes   220 Mbits/sec    0   1.49 MBytes       
    [  5]   3.00-4.00   sec  26.2 MBytes   220 Mbits/sec    0   1.58 MBytes       
    [  5]   4.00-5.00   sec  27.5 MBytes   231 Mbits/sec   29   1.17 MBytes       
    [  5]   5.00-6.00   sec  25.0 MBytes   210 Mbits/sec    0   1.24 MBytes       
    [  5]   6.00-7.00   sec  25.0 MBytes   210 Mbits/sec    0   1.29 MBytes       
    [  5]   7.00-8.00   sec  27.5 MBytes   231 Mbits/sec    0   1.32 MBytes       
    [  5]   8.00-9.00   sec  27.5 MBytes   231 Mbits/sec    0   1.33 MBytes       
    [  5]   9.00-10.00  sec  25.0 MBytes   210 Mbits/sec    0   1001 KBytes       
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec   265 MBytes   222 Mbits/sec   62             sender
    [  5]   0.00-10.06  sec   263 MBytes   219 Mbits/sec                  receiver

    iperf Done.


    @concept said:
    Tailscale is the way to go. Easy to setup and their documentation is pretty good.

    I agree in most cases and I am already using Tailscale. However, it is better if you have people who regularly access your services. It is not the best solution if I want to temporarily share some files in Nextcloud with a friend or vacation pictures from Immich with my mother-in-law.

    To be honest, the load on this infrastructure is like super low. I am not earning any money with it and it's for private use only, but I still want it to perform well and the people who are using it to be happy. Do you think it makes sense to switch to a VPS with a 10GB uplink? Monthly traffic should be 1TB max currently.

  • edited January 28

    @stantropics said:
    Do you think it makes sense to switch to a VPS with a 10GB uplink?

    It certainly wouldn't hurt, but unless your server also has such an uplink it's kind of pointless. You'd probably gain more by making sure the connection between your server and the proxy VPS is good and said VPS actually being able to handle the amount of packets needed to achieve high throughput.

    Many people think that hardware-accelerated encryption (not sure how much configuration WireGuard allows in that regard, but it's probably something any semi-recent CPU will be able to accelerate anyway) would make a huge difference, but a major part of the work is actually really CPU bound, so some oversold VPS running on an aging CPU is certainly not going to perform that well. RAM on the other hand isn't much of a factor at all. You could probably easily get away with something like 256MB or even less (more obviously not hurting either, again - it's probably best to aim a little higher just to be sure).

    Also watch the MTU on both sides of your tunnel and the external interface. If this somehow gets messed up you might pay a hefty performance penalty. Basically you want to avoid fragmentation at all costs. There isn't really some kind of one-size-fits-all solution. All I can suggest is to read up on that topic and draw the appropriate conclusions as to what's best for your setup.

    Thanked by 1: stantropics
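Taking @darkimmortal's "WireGuard plus NAT rules" suggestion together with @rm_'s caveat about the dedi's egress and client source addresses, and the MTU advice above, here is a worked configuration pair, added to this thread as an illustration and not posted by anyone in it. It assumes the tunnel subnet 10.77.0.0/24, the uplink interface name eth0 on the VPS, forwarded ports 80, 443 and 2222, a VPS that has both public IPv4 and IPv6, and placeholder keys and addresses in angle brackets; only IPv4 clients are covered, since the dedi already has its own public IPv6.

```ini
# --- /etc/wireguard/wg0.conf on the VPS (public IPv4 + IPv6) ---
[Interface]
Address    = 10.77.0.1/24                # assumed tunnel subnet
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>           # placeholder
# WireGuard over an IPv6 path with a 1500-byte outer MTU: 1500 - 40 - 8 - 32
MTU        = 1420
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = nft add table ip fwd
PostUp   = nft add chain ip fwd pre '{ type nat hook prerouting priority dstnat; }'
# Only the listed ports are exposed; "eth0" is the assumed uplink interface.
# No masquerade, so the dedi sees the real client address, not the VPS.
PostUp   = nft add rule ip fwd pre 'iifname "eth0" tcp dport { 80, 443, 2222 } dnat to 10.77.0.2'
PostDown = nft delete table ip fwd

[Peer]
PublicKey  = <DEDI_PUBLIC_KEY>           # placeholder
AllowedIPs = 10.77.0.2/32                # replies may only come from the dedi

# --- /etc/wireguard/wg0.conf on the dedi (IPv6-only uplink, behind CGNAT) ---
[Interface]
Address    = 10.77.0.2/24
PrivateKey = <DEDI_PRIVATE_KEY>          # placeholder
MTU        = 1420
# Table = off stops wg-quick from installing AllowedIPs 0.0.0.0/0 as the
# default route, so normal egress keeps using the dedi's own IPv6 uplink.
Table = off
# Policy routing: only packets answered from the tunnel address go back
# through the tunnel; this is what makes the no-masquerade setup work.
PostUp   = ip route add default dev wg0 table 100
PostUp   = ip rule add from 10.77.0.2 table 100 priority 100
# Loose reverse-path check on wg0: client sources arrive here from the tunnel.
PostUp   = sysctl -w net.ipv4.conf.wg0.rp_filter=2
PostDown = ip rule del from 10.77.0.2 table 100 priority 100
PostDown = ip route flush table 100

[Peer]
PublicKey           = <VPS_PUBLIC_KEY>           # placeholder
Endpoint            = [<VPS_PUBLIC_IPV6>]:51820   # placeholder; the dedi dials out
AllowedIPs          = 0.0.0.0/0                   # forwarded clients have any source
PersistentKeepalive = 25
```

The dedi keeps its normal IPv6 egress and logs real client addresses; the price is that the VPS itself can no longer serve the listed ports, and a forward-filter chain on the VPS, if one exists, must accept eth0 to wg0 traffic for those ports.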