[Feature] Add VPN to access from outside

[Sigri44]

Actually VPN is for service have access to internet tough VPN.

But think another feature can be added, is to need VPN to access service (like Wireguard), and configurable from config.yaml, to check if service need to have VPN access to be join from ext (like deluge or other private access).

[jfroment]

(sorry for the delay)

Yes you're right, it should be a better option than opening ports on your router if you host your services at home.
See for example the discussion summarized here on this Reddit's thread.

In fact you can already add a wireguard custom service by adding a file in services/custom/wireguard.yaml

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERURL=auto
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=1.1.1.1
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0, ::/128, 0.0.0.0/1, 128.0.0.0/1
    volumes:
      - configwireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  configwireguard:
    driver: local-persist
    driver_opts:
      mountpoint: $HOST_CONFIG_PATH/wireguard

and in your config.yaml

[...]
  - name: wireguard
    enabled: true
    vpn: false
    customFile: custom/wireguard.yaml
    traefik:
      enabled: false
      rules: []
[...]

These are example of a previous test of mine but I'm not sure they're still valid. They can serve as a good basis to work with though.

But what is missing from the seedbox stack for now:

• Capability to select which services are only accessible from VPN
• Better than Wireguard? Tailscale integration
• Make it optional / selective
• DNS integration to work with any provider. That's tough to implement in order to keep the seedbox generic enough.

But I will keep this item in mind. In fact I'd love it for myself, so I will make some tests.

[Sigri44]

I do think that on the privacy side it could be fun, but I don't know how it's possible to keep DNS access only via a VPN.

But it could be secure if the VPN isn't connected so nobody can see/access the service, and you have to make the connection to access all the LAN services.

If you need to, you can take inspiration from dappNode (they use wireguard) and require no accessibility outside VPN, access is very restricted.
And they have a command like dappnode_status which gives the QRcode and/or privateKey and generated config that you just need to copy/paste into your local wireguard to connect directly to the node.

[Permanently]

One thing I recommend doing is using Tailscale. What I've done personally is popped on my own Headscale co-ordination server with my own domain, so that only bits that I want accessible without VPN are routed on public DNS. Everything else, I've put through Headscale's DNS, so I can only access internal services (Sonarr, Radarr, etc) when connected.

If you pop it on a free Oracle Cloud server, it runs completely fine.

[Sigri44]

https://github.com/wg-easy/wg-easy

[Qbaakr]

If you need it, you can also make a VPN connection to your router, even without a static IP. Currently, many routers have this option, and whether it be Tailscale, wireguard or OpenVPN - it does not matter.
There are plenty of tutorials on the internet.
A It's useful, for example, on vacation if you don't want to connect to the bank directly from the hotel network ;)