Accessing self-hosted services while using 3rd party VPN.

As the title says, how do you solve the problem of accessing services hosted on a local network behind CGNAT while using a third-party VPN, for example Windscribe or ProtonVPN?

Tailscale comes up as a potential solution for accessing these services behind CGNAT, but the problem is that a mobile device can have only one VPN connection active. Using Mullvad exit nodes partially solves this issue, but constant captchas are a deal-breaker.

Moving these services from the home network to a VPS is a partial solution too, but they would need to be exposed to the public internet, if I'm not wrong. I would rather prefer them to stay on a local network.

If there's anyone who is currently doing this, I would like to hear what your experience is and how you solved it.

Comments

  • Set up a tailscale exit node on a VPS.

    Or you could probably construct your own VPN that routes local traffic through Tailscale and everything else through the third-party VPN, hosted on some VPS. There might be some solution out there that already does this, but I am not aware of one.

    For web services you could use Cloudflare Tunnels. Exposed to the public, but you can protect it through regular auth, mTLS, or Zero Trust.

    cloudflared (tunnel, in their "zero trust" stuff) is the easiest and free, if your VPN cannot do split tunneling. Though your services are theoretically exposed to the internet via CF, it's protected by CF for both endpoint discovery and auth (the token could be valid for up to a month). If you're worried about CF decrypting the HTTPS traffic for routing purposes, you can always use an SSH SOCKS5 tunnel inside the CF tunnel :)

    OTOH, I'd avoid using a VPN client that cannot do split tunnels properly, as moving internal traffic over the internet wastes your internet bandwidth that could otherwise be used to download your Linux ISOs :wink:

  • @CyberneticTitan said: Set up a tailscale exit node on a VPS.

    Yeah, that's the part about how a service on a local network would be accessible behind CGNAT, but maybe I didn't explain clearly. When mobile devices are on the home WiFi, locally hosted services are accessible even with those devices having an active VPN connection.

    The intention of this thread is to find a way to have the same functionality while on vacation, on mobile data, on a hotel's WiFi, etc.

  • oriend Member, edited January 10

    @vicaya said:
    cloudflared (tunnel, in their "zero trust" stuff) is the easiest and free, if your VPN cannot do split tunneling. Though your services are theoretically exposed to the internet via CF, it's protected by CF for both endpoint discovery and auth (the token could be valid for up to a month). If you're worried about CF decrypting the HTTPS traffic for routing purposes, you can always use an SSH SOCKS5 tunnel inside the CF tunnel :)

    OTOH, I'd avoid using a VPN client that cannot do split tunnels properly, as moving internal traffic over the internet wastes your internet bandwidth that could otherwise be used to download your Linux ISOs :wink:

    Probably I didn't explain clearly in the first post. Please read the post above for further clarification of the situation. Split tunneling works fine, but it's not necessary on a local WiFi network.

  • edited January 10

    @oriend said:

    @CyberneticTitan said: Set up a tailscale exit node on a VPS.

    Yeah, that's the part about how a service on a local network would be accessible behind CGNAT, but maybe I didn't explain clearly. When mobile devices are on the home WiFi, locally hosted services are accessible even with those devices having an active VPN connection.

    The intention of this thread is to find a way to have the same functionality while on vacation, on mobile data, on a hotel's WiFi, etc.

    Not quite sure I understand; with Tailscale you can access devices behind CG-NAT. Then on the device you have connected to the tailnet, say a phone, any external traffic goes from your phone to whatever network you are currently connected to, say it exits via the hotel's ISP.

    With a Tailscale exit node, all traffic is then routed to exit via that particular node, so you now have the benefit of accessing local devices as well as having obfuscated general traffic. With this setup you'd need a VPS from which you want the traffic to exit.

    https://tailscale.com/kb/1103/exit-nodes

  • edited January 10

    Now that I think about it, you can probably install Tailscale in Docker, advertise it as an exit node, while using another Docker container's network, where that one would be the one connected to a VPN. Then theoretically all Tailscale exit traffic is routed through the third-party VPN.

  • kevinds Member, LIR

    Set up a router, either at home or using a VPS, that will do the routing for you,

    connecting to the 3rd-party VPN and your home services.

  • If you have Android, you can use multiple VPNs, either through the work profile feature or through a rooted phone.

  • @CyberneticTitan said:
    Now that I think about it, you can probably install Tailscale in Docker, advertise it as an exit node, while using another Docker container's network, where that one would be the one connected to a VPN. Then theoretically all Tailscale exit traffic is routed through the third-party VPN.

    You mean to use Tailscale to connect to the home network and then route all the traffic from a mobile device through the home server?

    @kevinds said:
    Set up a router, either at home or using a VPS, that will do the routing for you,

    connecting to the 3rd-party VPN and your home services.

    Any step-by-step or some other more detailed explanation, maybe? Not sure how to achieve that.

    @wadhah said:
    If you have Android, you can use multiple VPNs, either through the work profile feature or through a rooted phone.

    Devices aren't rooted, and the work profile wouldn't solve this unfortunately, as all the current data is necessary. Also, the work profile wouldn't allow 2 VPNs simultaneously.

  • @oriend said:

    @CyberneticTitan said:
    Now that I think about it, you can probably install Tailscale in Docker, advertise it as an exit node, while using another Docker container's network, where that one would be the one connected to a VPN. Then theoretically all Tailscale exit traffic is routed through the third-party VPN.

    You mean to use Tailscale to connect to the home network and then route all the traffic from a mobile device through the home server?

    Yes, it can be your home server or another VPS, or if you are savvy with routing/Docker networking it can even be the third-party VPN.

  • @CyberneticTitan said: Yes it can be your home server or another VPS

    In that case, wouldn't the traffic have the ISP's IP or the IP of the VPS (meanwhile it needs to have the IP of the VPN)? Or did you mean to connect the home server/VPS to the 3rd-party VPN and basically go like this: mobile devices connected over Tailscale to the home server -> home server connected to the VPN -> public internet?

  • @oriend said:

    @vicaya said:
    cloudflared (tunnel, in their "zero trust" stuff) is the easiest and free, if your VPN cannot do split tunneling. Though your services are theoretically exposed to the internet via CF, it's protected by CF for both endpoint discovery and auth (the token could be valid for up to a month). If you're worried about CF decrypting the HTTPS traffic for routing purposes, you can always use an SSH SOCKS5 tunnel inside the CF tunnel :)

    OTOH, I'd avoid using a VPN client that cannot do split tunnels properly, as moving internal traffic over the internet wastes your internet bandwidth that could otherwise be used to download your Linux ISOs :wink:

    Probably I didn't explain clearly in the first post. Please read the post above for further clarification of the situation. Split tunneling works fine, but it's not necessary on a local WiFi network.

    If your VPN's split tunnel works fine, then you just need to put the Tailscale network (for your self-hosted services) on the exclude list. This setup would work anywhere in the world, while taking advantage of the local network thanks to Tailscale's magic.

  • @oriend said:

    @CyberneticTitan said: Yes it can be your home server or another VPS

    In that case, wouldn't the traffic have the ISP's IP or the IP of the VPS (meanwhile it needs to have the IP of the VPN)? Or did you mean to connect the home server/VPS to the 3rd-party VPN and basically go like this: mobile devices connected over Tailscale to the home server -> home server connected to the VPN -> public internet?

    Ah, got it. You want to use the VPN and Tailscale at the same time, without having to switch VPN profiles, which is not possible on certain mobile devices (e.g., iOS-based), where only one VPN connection can be active. In this case, I would use Tailscale on the device and use a PAC to forward traffic to a SOCKS proxy (reachable via Tailscale) running on your home network or a VPS that runs the VPN, which could even be picked for the nearest location with some JS fu.

    This is a reasonably general solution, as you can set up many different VPNs running in different VMs and have the PAC forward traffic to different VPNs based on URL patterns.

  • @vicaya said:

    @oriend said:

    @CyberneticTitan said: Yes it can be your home server or another VPS

    In that case, wouldn't the traffic have the ISP's IP or the IP of the VPS (meanwhile it needs to have the IP of the VPN)? Or did you mean to connect the home server/VPS to the 3rd-party VPN and basically go like this: mobile devices connected over Tailscale to the home server -> home server connected to the VPN -> public internet?

    Ah, got it. You want to use the VPN and Tailscale at the same time, without having to switch VPN profiles, which is not possible on certain mobile devices (e.g., iOS-based), where only one VPN connection can be active. In this case, I would use Tailscale on the device and use a PAC to forward traffic to a SOCKS proxy (reachable via Tailscale) running on your home network or a VPS that runs the VPN, which could even be picked for the nearest location with some JS fu.

    This is a reasonably general solution, as you can set up many different VPNs running in different VMs and have the PAC forward traffic to different VPNs based on URL patterns.

    If you only have one VPN besides Tailscale, you can install both Tailscale and the VPN on a server (or VM/VPS), and configure the server as a Tailscale exit node. The VPN on the node will forward the exit traffic to your VPN provider. The destination providers will see your traffic coming from the VPN IPs.

  • edited January 11

    @oriend said:

    @CyberneticTitan said: Yes it can be your home server or another VPS

    In that case, wouldn't the traffic have the ISP's IP or the IP of the VPS (meanwhile it needs to have the IP of the VPN)? Or did you mean to connect the home server/VPS to the 3rd-party VPN and basically go like this: mobile devices connected over Tailscale to the home server -> home server connected to the VPN -> public internet?

    No, the whole purpose of an exit node is so that your traffic is routed elsewhere. You should read the earlier link.

    If your Tailscale exit node is a VPS, the traffic will exit from that VPS. This will be a simple and easy way to obfuscate your traffic, especially if you don't have experience with routing or Docker networking. You could drop your VPN for this VPS instead.

    If you can further route the Tailscale exit node traffic through a VPN client (i.e. gluetun or a WireGuard client, etc.), then it will appear as if you are using that VPN. You wouldn't need a separate VPS to do this.

    In either case you still have access to devices on the tailnet.
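    The "Tailscale exit node whose upstream is a VPN container" setup sketched in the comments above (Tailscale in Docker using a gluetun container's network, advertised as an exit node) as an added example from the editor, not code any poster shared. It generates a docker-compose stack and checks the two properties the idea depends on before you bring it up. Everything below is assumed rather than taken from the thread: Docker with the compose plugin and /dev/net/tun on the host, the provider's WireGuard key and address exported as WG_PRIVATE_KEY and WG_ADDRESSES, a Tailscale auth key in TS_AUTHKEY, and "mullvad" and 192.168.1.0/24 as placeholders for your provider and home LAN.

```shell
#!/bin/sh
# Editor's added example, not from any poster in the thread.
# Generates a docker-compose stack in which a Tailscale node shares the
# network namespace of a gluetun VPN container and advertises itself as an
# exit node. Phone -> tailnet -> this node -> gluetun's tun0 -> VPN provider,
# so sites see the VPN's IP, while the home LAN is still reachable as a
# Tailscale subnet route.
#
# Assumptions (none come from the thread):
#   - Docker with the compose plugin, /dev/net/tun present on the host
#   - WG_PRIVATE_KEY / WG_ADDRESSES from the provider's WireGuard config and
#     TS_AUTHKEY from the Tailscale admin console, exported in the environment
#   - Tailscale's userspace (netstack) mode, the container image's default,
#     handles exit-node forwarding itself, so no kernel forwarding or extra
#     iptables rules are needed inside gluetun's namespace
set -e

# write_exit_node_compose OUTFILE [PROVIDER] [LAN_CIDR]
write_exit_node_compose() {
  out="$1"
  provider="${2:-mullvad}"          # placeholder; any provider gluetun supports
  lan_cidr="${3:-192.168.1.0/24}"  # placeholder home LAN
  # unquoted heredoc: $provider and $lan_cidr expand now; \${...} is left
  # for compose to substitute from the environment at "up" time
  cat >"$out" <<EOF
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: "$provider"
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: "\${WG_PRIVATE_KEY}"
      WIREGUARD_ADDRESSES: "\${WG_ADDRESSES}"
      # gluetun's firewall is on by default: traffic that is not inside the
      # VPN tunnel is dropped, so if the VPN drops, exit-node traffic is
      # blocked (fail closed) instead of leaking out via the home ISP.
      # The home LAN is allowed explicitly so tailnet clients can still
      # reach local services through this node.
      FIREWALL_OUTBOUND_SUBNETS: "$lan_cidr"
    restart: unless-stopped

  tailscale:
    image: tailscale/tailscale
    # join gluetun's namespace: the only default route tailscaled sees is tun0
    network_mode: "service:gluetun"
    environment:
      TS_AUTHKEY: "\${TS_AUTHKEY}"
      TS_STATE_DIR: /var/lib/tailscale
      TS_USERSPACE: "true"
      TS_EXTRA_ARGS: "--advertise-exit-node --advertise-routes=$lan_cidr"
    volumes:
      - ts-state:/var/lib/tailscale
    depends_on:
      - gluetun
    restart: unless-stopped

volumes:
  ts-state: {}
EOF
}

# compose_wiring_ok FILE: the two properties the whole setup relies on, checked
# before "docker compose up": tailscale lives inside gluetun's namespace, and
# the node actually advertises itself as an exit node. Non-zero if either is
# missing (e.g. someone "simplified" the file and put tailscale on its own
# network, which would silently route exit traffic via the home ISP).
compose_wiring_ok() {
  grep -qF 'network_mode: "service:gluetun"' "$1" &&
    grep -qF -- '--advertise-exit-node' "$1"
}

# Usage: sh exit-node.sh ./docker-compose.yml mullvad 192.168.1.0/24
if [ "$#" -ge 1 ]; then
  write_exit_node_compose "$@"
  compose_wiring_ok "$1" && echo "wrote $1; now run: docker compose -f $1 up -d"
fi
```

    After `docker compose up -d`, approve the exit node and the subnet route for this machine in the Tailscale admin console (or via an autoApprovers policy), then on the phone pick this node as the exit node and confirm on the VPN provider's own IP-check page that the address shown is the VPN's, not the home ISP's. Two caveats worth knowing: because gluetun drops unsolicited inbound traffic, other tailnet peers will usually reach this node via a DERP relay rather than a direct path, which adds latency; and the same compose file run on a VPS instead of the home server gives the "router on a VPS" arrangement kevinds describes below, with the home LAN reached through a second tailnet node at home rather than the subnet route on this one.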

  • kevinds Member, LIR

    @oriend said: Any step by step or some other more detailed explanation maybe? Not sure how to achieve that.

    Can't provide a step-by-step without knowing what you are working with. Not going to do it for free, and I don't want to be supporting it any time a piece gets an update and breaks something.

    Set up a VPN server on a VPS; your phone connects only to this VPN server.

    This VPS then connects to your home VPN network and routes the traffic for your home, to your home.

    This VPS also connects to your 3rd party VPN and routes all traffic not for home out the VPN.

    That is the framework you are wanting, correct? If you have a plan, you should be able to find the instructions to set it up.
