Hey, I want to expose my home services like Linkwarden and LangTool and I have been looking for ways to do so.
My IP is behind a CGNAT and obviously I can’t just open a port and use a Dynamic DNS.
I looked at services like tailscale, zerotier, netguard and so on, but I don’t want to turn on VPNs on my phone or computer just so that I can access my local network.
I looked at Cloudflare Tunnels too but I don’t trust them enough since they can see the traffic and I can’t use a reverse proxy when using Cloudflare Tunnels.
I also thought about hosting Wireguard and a VPS but that also requires monthly costs and also a setup that I have to do.
After all of this research, should I just give five euros monthly for a Static IP from my ISP and be over with it?
I’d probably just pay the 5eu for a static IP. I’d still use Wireguard myself. That said, you could also do a VPS for a similar monthly fee and keep it out of your home.
Check if there’s a middle ground of no CGNAT but dynamic IP.
I’ve been with a couple of different ISPs who put me behind CGNAT and simply moved me off it for free (to a dynamic publicly routable IP) when I asked. Just say it’s impacting your gaming, rather than that you want to host services at home. Can’t hurt to ask.
Then add a dyndns client/service into the mix and you’ll be fine for most things.
There’s rarely an absolute need for an actual static IP, and if there was you’d already know about it and not be having this discussion. GL.
I wrote a guide for this a few days ago if you’re interested. You can essentially use a VPS and Tailscale to expose the service. You would be using a Tailscale DERP server with the CGNAT so it’s not ideal for video streams but works great for small data streams.
For $5 a month I would not even think about it and just get the static IP. What is your time worth to you? You won’t save much getting a VPS instead of a static IP.
FWIW, I use Cloudflare tunnels exclusively, and no longer have a use for a reverse proxy. It effectively acts as a proxy, as you can configure your inbound services to redirect to any local address/port.
I could get a static IP for $10/mo but instead I got a VPS for about $36/yr. I’d really like to be able to get ipv6 up and working but haven’t had much time to devote to it.
You would still have to open ports and configure port forwarding so will want to look at other security options. I use twingate, the configuration and set up was a breeze, it even wrote the docker compose file for the connector. I think Tailscale is similar and has less limitations but twingate was so easy and met my needs so I stuck with that.
I don’t know where you are from in Europe, but here in Spain, I called my company and they just took me off the CGNAT for free, and now I have my dynamic IP and a DDNS service.
I would yeah. Free dynamic dns is not convenient, so any type of service with value is not going to be free. If I could skip all that with a static ip, I would.
Just because you get a static doesn’t mean you shouldn’t use a VPN. I keep wireguard on 100% of the time (barring some places it causes issues, like Home Depot) and it’s great. I only expose stuff I care to share and everything else lives on my LAN and accessible via my VPN.
Read up closely. Tailscale gets you through NATs AND has a public reverse proxy that they call a “funnel”. It is not limited to just the internal overlay network.
However you should want to use the overlay network. This way the services that are on the overlay network are not accessible to “the public”. So you might make a file publishing service public so you can attach links in an email but probably don’t want your password manager public.
You can definitely use cloudflare tunnels with a reverse proxy. That’s how I have it set up. All the public hostnames are redirected to my internal reverse proxy. A bit overkill and maybe useless, but doable.