AlexPewMaster

@AlexPewMaster@lemmy.zip
6 Posts – 39 Comments
Joined 7 months ago

Hi, I'm Alex! I like to talk about all sorts of things, like self-hosting stuff, programming shenanigans, random memes, games and probably some other stuff too!

I love how it says "Restaurants" but then displays an image with ice cream, makes a lot of sense 👍

Thank you for pointing these things out! I've removed Dockge from Uptime Kuma.

I've noticed the same thing. Every Intel N100-based machine costs ~200€ on Amazon.


That seems to sum up my question. Thank you!

I know, I just added the speed test because I can. If people want to use it, they can.

Congratulations, you are now being put on a watchlist!

Hey, thank you for your blog post. I'm definitely reconsidering my choices with Cloudflare tunnels. I will take a look at the VPS setup. Privacy is something that I really care about, so this would be pretty useful. I would definitely be ready to pay 3.29€ per month for the privacy aspects of this setup.

I prefer owning my server hardware than renting a VPS. I completely forgot that I couldn't port forward in my home network, so Cloudflare was my last-minute solution to that problem.


Njalla doesn't seem to be a good option according to this comment on a privacy-focused forum.


Thanks! I'm glad that I could show you some other services!

It's great for my needs. If you think about picking one up today, I wouldn't really recommend it. It just offers too few resources to be actually viable for regular day-to-day use. I use mine because I had it lying in the dust for a couple of years. Well, it's enough for my Mumble server and the bots I use for Discord and Matrix.

Sounds awesome! I've taken a look at Portainer and got confused on the whole Business Edition and Community Edition. What are you running?


I want my private information to be hidden in Whois requests. Also, I don't want to buy a domain from a registrar that seems very sketchy.


I've never heard of Intel N100 before, what's that? Just so you know, a Raspberry Pi 5 with 8 Gigabytes of RAM costs ~90€ in my country (Germany). I wouldn't really count that as overpriced. Could you show me some machine examples with Intel N100?


but the SD cards don't last long

This is what scares me the most. Ideally, I want a whole SSD to store data. I really don't want to lose any important data. I plan on hosting public services (like the services I've mentioned above) under my domain, so having a reliable drive would be really helpful.


Is a Pentium powerful enough? I recently found a YouTube channel called "Wolfgang's Channel" and he also has a home server with a Pentium. He says it is plenty enough for these kinds of tasks.

Thank you! I appreciate the feedback!

Hi, thank you so much for trying to help me, I really appreciate it!

VPS wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32

Homeserver wg0.conf:

[Interface]
Address = 10.0.0.2/24
PrivateKey = REDACTED
 
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = SERVER_IP:51820

(REDACTED would've been the public / private keys, SERVER_IP would've been the VPS IP.)

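The VPS config above redirects every incoming UDP port except 55107 to the home server, and WireGuard's own ListenPort 51820 is not among the exclusions, so handshake packets arriving on eth0 are DNATed towards 10.0.0.2 instead of reaching the local WireGuard socket. The following is an added example, not code from the poster or any commenter: a small Python linter that parses a wg0.conf and flags a catch-all UDP DNAT whose excluded port differs from ListenPort; the sample config is a constructed copy of the one posted, with keys redacted as in the post.

```python
import re

# Constructed sample: a copy of the VPS wg0.conf posted above, keys redacted.
VPS_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source SERVER_IP
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2;
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32
"""

# Matches a catch-all DNAT: -A PREROUTING -p <proto> ... ! --dport <port> ... -j DNAT
DNAT_RE = re.compile(r"-A PREROUTING\b.*?-p (\w+)\b.*?(?:'!'|!) --dport (\d+)\b.*?-j DNAT")


def listen_port(conf):
    """WireGuard's own UDP port, or None if the [Interface] has no ListenPort."""
    m = re.search(r"^\s*ListenPort\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else None


def catch_all_dnats(conf):
    """(protocol, excluded_port) for every '! --dport' DNAT found in PostUp lines."""
    rules = []
    for line in conf.splitlines():
        if not line.strip().startswith("PostUp"):
            continue
        for cmd in line.split("=", 1)[1].split(";"):
            m = DNAT_RE.search(cmd)
            if m:
                rules.append((m.group(1), int(m.group(2))))
    return rules


def lint(conf):
    """Findings about the tunnel forwarding its own traffic away; empty list means OK."""
    findings = []
    wg_port = listen_port(conf)
    for proto, excluded in catch_all_dnats(conf):
        if proto == "udp" and excluded != wg_port:
            findings.append(
                f"udp catch-all DNAT excludes port {excluded}, not ListenPort {wg_port}: "
                "WireGuard handshakes arriving on eth0 are forwarded to the peer instead"
            )
    return findings


if __name__ == "__main__":
    print(lint(VPS_CONF))
```

Replacing `'!' --dport 55107` with `'!' --dport 51820` in the UDP rule makes the linter return an empty list, because the WireGuard port is then left alone by the catch-all DNAT.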

Hmm, the keys do match on the two different machines. I have no idea why this doesn't work...


The command you provided for the VPS returns UDP listen needs -p arg, so I just added -p right before the port number and then it worked. Running the homelab command returns no port[s] to connect to... Not good.


I tried to open the port 22 on UDP (yeah, I am getting pretty desperate over here...) and still get the message no port[s] to connect to... Someone else on this post commented that I should stop using iptables for opening ports and start using something else as a firewall. Should I try this approach?


What do you mean with "clear out iptables completely"? Should I remove the iptables package with sudo apt remove iptables?


Alright, I switched to ufw and... it's still not working. sigh

Should we just try something completely different? WireGuard doesn't seem to be working on my VPS. Someone in the comments mentioned tunneling via SSH, sounds interesting.


I've added some different ports for the future, but this is my ufw status:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
2333                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
81                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
51820 (v6)                 ALLOW       Anywhere (v6)             
2333 (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
81 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)

I've added the firewall rule and it still says no port[s] to connect to whenever I run echo "Testing" | nc -u SERVER_IP -p 51820. I feel like you're trying to stay on a sinking ship, so I would suggest trying another method to see if we can even get the whole "bypass CGNAT with a VPS" thing to work at all.

Update: I've tried setting up SSH tunneling instead and it STILL doesn't work. I contacted Hetzner support about this issue and I'm hoping that they can resolve the firewall issues that I'm having.

I do not get a response when pinging the VPS's WG IP from my homeserver. It might have something to do with the firewall that my VPS provider (Hetzner) is using. I've now allowed the port 51820 on UDP and TCP and it's still the same as before... This is weird.


What would that kind of setup look like?


I have no idea how to properly manage the firewall with Hetzner. I've opened the ports on the Hetzner management page and I ran several iptables commands to allow traffic from those ports. Still doesn't work. This is weird!


How do I make the SSH tunnel forward traffic? It can't be as easy as just running ssh user@SERVER_IP in the terminal.

(I only need variant 1 btw)


Very interesting... How do I get started?


Does iptables count as a firewall? You said that I should "forget" iptables. Is it that bad? It came preinstalled on the VPS. Should I switch? And if so, how?


Alright, sounds good. What firewall would you recommend I use? I would like to use a firewall that's easy to manage.

Edit: I went with ufw.

If you have a domain and connected it to Cloudflare, you can assign tunnels to specific subdomains. For example, I have Invidious running locally on my server with port 3000. I connected the server with a Cloudflare tunnel and pointed invidious.reallyaweso.me to http://192.168.0.17:3000, which is my local IP.


What is Portainer? You've said that it's a web UI, but what exactly does it provide you with?


This docker compose up -d thing is something I don't understand at all. What exactly does it do? A lot of README.md files from git repos include this command for Docker deployment. And another question: How can you automatically start the Docker container? Do you need a systemd service to run docker compose up -d?


Not really, pinging my homeserver via the VPS returns:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms

The biggest obstacle for me is the connection between the VPS and my homeserver. I have tried this today and I tried pinging 10.0.0.2 (the homeserver IP via WireGuard) and get this as a result:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1019ms

Not sure why though.


Hi, whenever I try to enter the ports 80 and 443 at the beginning of the -R parameter, I get this error: Warning: remote port forwarding failed for listen port 80. How do I fix this?

What kind of TLD did you buy? Did you choose a TLD that supports WHOIS privacy? I wanted to see if alexpewmaster.de was available, and it told me this:

⚠️   PRIVACY WARNING ⚠️

This TLD does not allow WHOIS privacy but generally redacts your personal information. This means that your personal contact information will be sent to the registry but it should not be made public.