What do you guys use to expose private IP addresses to the web? I was using the npm proxy manager with Cloudflare CDN. However, it stopped working after I changed my router (I keep getting error 521). Looking for an alternative to Cloudflare cdn so I can access my media server/self-hosted services away from LAN.

(Tailscale doesn’t work for me at all)

This is what I want to achieve: https://youtu.be/c6Y6M8CdcQ0?feature=shared

I literally followed this tutorial to make it work the first time.

  • tritonium@midwest.social
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    1
    ·
    edit-2
    9 months ago

    Wireguard.

    Unless you actually have a need for the public to access the services then you shouldn’t be exposing them. If it’s just you and a few household members that need access then you should be using ddns and wireguard, or similar.

    My phone auto connects with wireguard as soon as I leave my home ssid, so I never lose access to my services.

    • chiisana@lemmy.chiisana.net
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      Does Wireguard have a centralized server that the server at home connect to in order to expose itself? If not, I don’t see how it’d work for OP, because at this point, based on info shared, I’m inclined to think OP is having trouble exposing ports (be it ISP imposed or knowledge gap) as opposed to having issue with the service / vendor.

    • PunkiBas@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      My phone auto connects with wireguard as soon as I leave my home ssid, so I never lose access to my services.

      How do you do that? Tasker?

      • thatsnothowyoudoit@lemmy.ca
        link
        fedilink
        English
        arrow-up
        6
        ·
        9 months ago

        I’m on iOS and do the same thing.

        The WireGuard app has a setting to “connect on demand”. It’s in the individual connections/configurations.

        You can then set either included or excluded SSIDs. There’s also an option to always connect when you’re on mobile/cellular data.

        I imagine the Android app is similar.

      • LifeBandit666
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        Not OP but I’ve been playing with Wireguard (and failing) for a short while and have noticed an option in my Android Phone’s settings to always connect to this VPN. Probably that

  • chiisana@lemmy.chiisana.net
    link
    fedilink
    English
    arrow-up
    8
    ·
    9 months ago

    521 usually means they cannot reach your server properly. Was the router change due to a new ISP, and does the new ISP block port 80/443? Did you re-make all the relevant port forwarding rules? Changing CDN won’t change anything if your ports are closed/not responding as expected.

    • fahad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      9 months ago

      Changing to a new internet plan, so they had to replace the router. Also, I did reopen ports 80 and 443, and I tested them. They’re working. What I noticed was Cloudflare changing the

      A IP address to proxied (before it was the private server IP address, I got error 522 back then. I followed the tutorial again but got 521 error).

      • chiisana@lemmy.chiisana.net
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        9 months ago

        521 = Origin server down; I.e. the port is not open and/or the IP address is incorrect all together.

        522 = Origin server time out; I.e. the port might be open but no content is being sent back.

        If you’re seeing 521, then Cloudflare cannot establish a connection to port 80/443 on your IP address in the A record. Bearing in mind that in order for someone from outside of your LAN (i.e CloudFlare) to have access to your services, they must be able to reach the service, so this value should be your external IP address, not an internal address. Once you have your external address keyed into the record, have someone else not in your home try to access that IP/port combination and see what happens. If they cannot access, then port forwarding is not setup or your ISP is blocking, or you’re behind some CGNAT. If they can access, then something else is at play (origin IP filtering comes to mind).

      • dudeami0@lemmy.dudeami.win
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        This might help, sorry if it doesn’t, but here is a link to CloudFlares 5xx error code page on error 521. If you’ve done everything in the resolution list your ISP might be actively blocking you from hosting websites, as it is generally against the ISPs ToS to do such on residential service lines. This is why I personally rent a VPS and have a wireguard VPN setup to host from the VPN, which is basically just a roll your own version of Tailscale using any VPS provider. This way you don’t need to expose anything via your ISPs router/WAN and they can’t see what you are sending or which ports you are sending on (other than the encrypted VPN traffic to your VPS of course).

  • AbidanYre@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    9 months ago

    Can I ask why tailscale doesn’t work?

    I have a headscale instance running in oracle’s free tier and can get to everything else through that.

    • fahad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      I have tried to connect to Tailscale multiple times; it goes smoothly through all steps, but the IP addresses it gives you don’t work for me: This site can’t be reached

      I was mainly interested in headscale but that didn’t work either; I even tried their docker.yml

  • Big P
    link
    fedilink
    English
    arrow-up
    6
    ·
    9 months ago

    Zerotier, although it’s similar to tailscale so you might have issues with it too

  • Lem453@lemmy.ca
    link
    fedilink
    English
    arrow-up
    4
    ·
    9 months ago

    For services that I want exposed, I use traefik reverse proxy (jellyfin etc).

    For things that warrant an extra layer of security I use wireguard and then also traefik reverse proxy with HTTPS but it’s only accessible locally (vault warden).

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    9 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CGNAT Carrier-Grade NAT
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    NAT Network Address Translation
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    6 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

    [Thread #588 for this sub, first seen 11th Mar 2024, 01:45] [FAQ] [Full list] [Contact] [Source code]

  • ronmaide@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    Are you testing that the ports are open with your phone on a cellular network and not WiFi within the same network? Your router may be doing a loop back NAT which “forwards” the ports internally but isn’t necessarily forwarding the ports externally.

    Did you change ISPs at all? I think I read that the router was new—is it a router/modem combo? If the ISP has changed it’s possible the new one doesn’t allow traffic on those ports, which is the case for my ISP. No amount of forwarding rules will change that.

    If you have a separate modem/gateway and router it’s possible there are firewall rules on the device closer to the WAN in which case you may need to ask your ISP if they can put the modem in “pass through mode” in order to allow the traffic. That’s probably not the technical term for it—I think behind the scenes they either just disable the firewall or put the router address into DMZ, but that description has worked with me in the past with L1 support for them to know what I’m trying to accomplish.

  • fahad@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    Thanks everyone for your help.

    I have fixed it by not using the npm proxy manager and only Cloudflare tunnels.

    This video helped me

    The only issue this method has is the upload limit of 100mb

    I’m using services such as:

    • Immich
    • Nextcloud
    • Jellyfin
    • Valutwarden
    • PipedLinkBot@feddit.rocksB
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Here is an alternative Piped link(s):

      video

      Piped is a privacy-respecting open-source alternative frontend to YouTube.

      I’m open-source; check me out at GitHub.

  • BearOfaTime@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    8 months ago

    I see you’ve found a solution.

    For others who come across this, Tailscale with the Funnel option enabled is another approach.

    Funnel enables non-Tailscale clients access to specified clients resources. So people don’t need the Tailscale client installed to access say, a web server in your Tailscale network.

  • psy32nd@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    5
    ·
    9 months ago

    Create an aws account (new if already have) to use it’s 12 months free tier, setup OpenVPN Access Server (tbh easy process), go to admin panel and enable dmz. Connect to the server from your local machine with an openvpn client. It can be used to open as many ports as you want.