Problems with Reverse Proxy Setup with Nginx

Hello everyone,

I’m in desperate need of some help and would really appreciate any advice.

I’m trying to set up remote access to my self-hosted services using Nginx, but I’ve been struggling with this for several days now without success.

I have a domain registered with strato.de and I want to make my services accessible via subdomains like immich.mydomain.com. Both my router and Strato support DynDNS, which I’ve set up, so my domain always points to my current public IP address.

I’ve installed Nginx and configured it to use port 80 for HTTP and port 443 for HTTPS. I’ve also forwarded both ports in my router to the machine running Nginx.

Despite this, I still cannot access my services from outside my home network, and in some cases, not even from inside it. I’ve already tried setting it up both without a dedicated DNS / Let’s Encrypt setup and also using Cloudflare and Strato’s own services. So far, nothing has worked.

At this point I’m not sure what I’m missing. Does anyone have an idea what could be wrong or what I should check next?

Thanks in advance!

Greetings

Gotta run to work but here’s a quick response.

First thing I’d recommend doing before opening ports is to set up a local DNS (pihole, Adguard) and see if your reverse proxy is working.

Then you can look at opening ports if you want, but you might also be behind a CGNAT and may not have an IPv4 that is only used by you.

Hello toC096pr,

Are Reverse Proxy and Immich running on the same TrueNAS host as apps?

Do you have a Fritz!Box router?

Hey, yeah, they are both running as Apps on my TrueNAS Server… And yes, I do have a Fritz!Box 7590 AX :sweat_smile:

Here comes the obligatory warning that opening ports without fully understanding possible consequences is a big risk:

If you make a mistake, or the developer of whatever service you expose to the outside made one that can be exploited and used as a stepping stone to attack other things on your internal network, you will not have a good time.

As to your issue, have you verified whether or not your ISP has put you behind a CGNAT? Something like tailscale can help mitigate that.

I’m pretty sure you won’t love my answer, but I’ve been trying to avoid Tailscale for a couple of reasons.

First, I want to share some services with family and friends, and adding everyone to my tailnet feels a bit impractical. Second, I’d like to keep using ProtonVPN when I’m outside my home network, which doesn’t play especially nicely with that setup.

That’s why I’m leaning toward making these services publicly accessible (with proper security in place, of course).

What’s your take on Cloudflare Tunnels? Wouldn’t that be a solid option for this use case?

How did you set up the reverse proxy forwarding? Basically, you only have one IP address for Nginx and your Immich, just different ports. Did you switch the TrueNAS web GUI to a different port?

With a Fritz!Box, it’s difficult to securely open ports because Fritz!Boxes don’t support VLANs. Ideally, Nginx should be in the DMZ.

That was one of the issues I ran into: both Nginx and the TrueNAS web UI were using port 80. I changed the TrueNAS UI to port 8080 and kept Nginx on port 80.

However, whenever I tried to set up a reverse proxy to something like my Immich instance (running as an app on port 30048), I kept getting an “Internal Error” message in the Nginx UI.
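For reference, a plain nginx server block for the layout described above (TrueNAS UI moved to 8080, nginx owning 80/443, Immich app on 30048). This is an added example, not configuration from the thread or an export from the Nginx UI; the certificate paths are placeholders, and if nginx itself runs as a TrueNAS app rather than on the host, replace 127.0.0.1 with the host’s LAN IP so the proxy can actually reach the Immich port.

```nginx
# Added example: immich.mydomain.com -> Immich on the same host, port 30048.
# Assumes the TrueNAS web UI is already on 8080 so nginx can own 80 and 443.
server {
    listen 80;
    server_name immich.mydomain.com;
    # Never serve the app over plain HTTP; only redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name immich.mydomain.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Photo/video uploads are large; nginx's default body limit is 1m.
    client_max_body_size 0;
    proxy_read_timeout   600s;

    location / {
        # Use the TrueNAS host's LAN IP here if nginx runs as a container.
        proxy_pass http://127.0.0.1:30048;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Immich uses websockets; pass the upgrade headers through.
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
    }
}
```

Test it first from inside the LAN with the subdomain resolving locally (as suggested earlier in the thread); only once that works does a router port forward have any chance of working.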

Did you also register subdomains with your provider?

You’ll need them too.

Can you show a screenshot of the Nginx redirect?

Hmm, in case you like to have a more sophisticated firewall solution than just using the Fritz!Box, I would suggest the following: Fritz!Box → exposed host → pfSense.
pfSense can be extended with quite some packages including: DNS, DHCP, NTP, internal CA, ACME, reverse proxy, DynDNS client, pfBlockerNG (similar to pihole), Snort (IDS/IPS) and of course a very complete firewall. Basically all the services you might want to have on your local network in one VM. Setting it up isn’t really self-explanatory, but there are quite some video tutorials about setting up pfSense on the web. Have been using that setup for more than a year now and haven’t had any real issues with it. The community edition is free and available as ISO after registering at Netgate.

PS: you might want to move the DNS of your domain from Strato to some other provider (e.g. Cloudflare) because, if there has been no recent change, Strato still has no API for DNS, so requesting wildcard certs is a manual process. And make sure to include both "*.mydomain.com" and "mydomain.com" in the cert.

Hello everyone,

Sorry for the silence, I actually had surgery, which is why I wasn’t responding.

I was able to confirm what @neofusion was talking about: It turns out I have a DS-Lite connection and am behind CGNAT. As far as I understand, this means my IPv4 is not publicly reachable, so I can’t connect to it directly regardless of my configuration.

However, I think I found a solution. I will get myself a Linux Virtual Private Server. Strato offers Linux VPS instances starting at €1/month, which come with a static IPv4. I plan to run a service called Pangolin on that server and install a client on my NAS to connect them via a WireGuard tunnel.

This setup then allows me to use Pangolin to connect to my services via a WireGuard tunnel from the Internet, and I can use Pangolin as a reverse proxy manager. I can then access all my internal services via custom subdomains with automatically managed SSL certificates. Additionally, I can secure everything behind a Zero Trust wall with authentication if needed, and even create user accounts in Pangolin to share access with friends and family.

I’m sure there are free alternatives, but this seems like a solid solution for my situation.

If anyone is considering doing the same, there are some good YouTube tutorials on how to set it up with a VPS. Jim’s Garage has a good one in English. And Daniel Klozbücher / IT-ION GmbH has a good one in German.

Thank you all for your help!

Best Regards
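The CGNAT question raised earlier in the thread and confirmed in the post above (DS-Lite) can be checked before touching any port forwards. The script below is an added example, not from the thread: it classifies the WAN address your router reports (shared address space 100.64.0.0/10 means carrier-grade NAT) and compares it with the address a remote host sees for you. With DS-Lite the Fritz!Box usually reports no IPv4 WAN address at all, which leads to the same conclusion: inbound IPv4 port forwards cannot reach you.

```sh
#!/bin/sh
# Added example: classify an IPv4 address for a CGNAT / DS-Lite diagnosis.
# Prints one of: invalid, cgnat, private, loopback, public

classify_ipv4() {
    ip=$1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat       # 100.64.0.0/10, RFC 6598 shared address space
    elif [ "$a" -eq 10 ] || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
        || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo private     # RFC 1918, i.e. another NAT layer above the router
    elif [ "$a" -eq 127 ]; then
        echo loopback
    else
        echo public
    fi
}

# $1 = WAN address shown on the router, $2 = address a remote host sees for you
# (e.g. from an external "what is my IP" service). Router port forwards can only
# work in the "direct" case.
diagnose_reachability() {
    router_wan=$1; seen_externally=$2
    kind=$(classify_ipv4 "$router_wan") || { echo "invalid router WAN address"; return 1; }
    case $kind in
        cgnat|private)
            echo "isp-nat ($kind WAN address: inbound port forwards cannot reach you)" ;;
        public)
            if [ "$router_wan" = "$seen_externally" ]; then
                echo "direct (router holds the public address; check forwards and firewall next)"
            else
                echo "isp-nat (router WAN $router_wan, but the internet sees $seen_externally)"
            fi ;;
        *)  echo "unexpected ($kind)" ;;
    esac
}
```

Constructed sample: `diagnose_reachability 100.72.3.4 203.0.113.7` reports the CGNAT case, while `diagnose_reachability 203.0.113.7 203.0.113.7` reports the direct case.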

Pangolin is definitely one way to address the CGNAT problem. Cloudflare Tunnels are another, and don’t require a separate VPS, but don’t give quite as many options, particularly in terms of authentication. Or, if it’s a relatively small number of users you’re expecting to serve, Tailscale could be another option. Lots of ways to skin this cat, depending on your specific needs.

Well, or just ask your provider to switch you to full IPv4 instead of a light stack. There is a good chance they will if asked.