Easiest? Tailscale., set it up on the server and each client you want to access it and it creates auto-resolving P2P VPN tunnels between them all.
Wholeheartedly support Tailscale or similar solutions. Reverse-proxy or VPN are just too complicated (for me, at least).
I also use Tailscale and even bought mullvad access through them. Definitely the easiest and most valuable subscription I have.
Probably what you're looking for is the following setup:
docker <-> services <-> reverse proxy <-> VPN <-> Internet
80 and port 443. There are several choice and you have to somehow stick with it, because each reverse proxy has it's up and downsides and learning curve:Those are the 3 big players I'm aware of.
This is also a big part and probably this is the route of a tinkerer and have lot of personal time to spare... There are easier AIO routes that will probably save you time and energy. (Others will point you to the right direction)
You will rapidly understand the necessity of DNS. Reaching out to your services by IP:PORT will annoy you over time, even if you save them as bookmarks. Also if you don't assign a static IP to your containers they will change every time you restart them or reboot your server. Not very practical !!
Here you have 2 choices:
I personally chose the tinkerer route and learning process. But I have time to spare and while I prefer this route... It's very time consuming and involves a lot of web crawling and books reading.
If you are interested I can recommend you a good ebook on how to setup your own mini-CA :).
Hope it helps, you are halfway through !
Nice explanation =). I am not OP but I am curious about one point: you seem to have the reverse proxy on your homeserver, not on the VPS.
Is wireguard enough then to tunnel HTTPS traffic to your reverse proxy? Or do you need a more sophiscated tunnel (e.g. ngrok, boringproxy).
P.S. I actually assumed that your VPN entry point is a VPS with a public, static IP. Therefore I understood that your were talking about two servers: the home server with the reverse proxy and a VPS as wireguard entry point. Please correct if this is wrong.
Hi there ! Sorry my English is not that good, but I'm doing the best I can !
Actually, I do not have a VPS. I use an old spare laptop as server which handles everything.
I have Wireguard barebone installed with a a second external wireguard interface and some iptables to send all traffic to ProtonVPN.
All my containers,on the same laptop, are directly reachable via this configuration and HTTPS is handle by Treafik with my self-signed local certificates (root CA with intermediate CA).
Eg: From my mobile over WiFi or 4G I can access all my containers where ever I'm. My endpoint in my Wireguard's confirguration (on my phone) being my home's public IP.
I hope I answered your question? If not I'm willing to give you a diagram of my setup, this will probably clear up the confusion/question? And will probably be way more explicit than my broken English ๐.
Reverse proxy that handles TLS/HTTPS. Caddy is pretty easy to set up, or you could use a cloudflare tunnel (or other tunnel) to expose the services across a different IP; in case you're worried about DDoS, or revealing your IP address.
You'll want a domain for the reverse proxy; I assume you already have one.
https://jellyfin.org/docs/general/networking/caddy/
This is instructions for domain.tld/jellyfin; but I use a subdomain jellyfin.domain.tld
I use my domain name provider's own services for updating my semi-dynamic IP address (it basically never changes unless I have a multi-day power outage)
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!