I’m setting up a self-hosted stack with a bunch of services running on a home device. I’m also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:
- Caddy proxy on remote VPS (HTTPS, :80 & :443)
- Wireguard tunnel
- Caddy proxy in Docker on homeserver (HTTP, :80)
- app containers in separate isolated subnets, shared with Caddy
I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there’s plenty of tutorials; what I’m struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that’s not cool with piracy.
Unless I’m misunderstanding, BitTorrent traffic is TCP or UDP, so I’d need Caddy to act as a Layer 4 proxy. There’s a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
A) Set up a wiregard VPN server in your remote instance. Or better, get a VPN provider, the VPS is kinda pointless.
B) Assuming you’re using docker as you should to run your home server’s service, use gluetun to connect to the VPN and route your docker traffic for the instances through gluetun. This will ensure that you have a dead man switch when/if the VPN goes down.
C) set-up a reverse proxy to access the various instance from the outside if that is something you need.
Here’s a fully developed config, you can use a jumping point.
https://github.com/geekau/mediastack
I have already set up all of that. My setup is similar to the one in this blogpost and it’s already working for various apps that only use HTTP. What I’m trying to do is to also route BitTorrent traffic (TCP/UDP) over the same setup without opening up entirely new paths.
Usually that’s done by the network routing. Add a default(?) route(?) or make the software bind to the vpn interface. I’m not sure. I think firewall rules can do the same thing. If you’re using docker, I’d advise you to use “gluetun” that seems to do everything for you.
Usually people do copyright violation with bittorrent. That means they tend to make sure the routing or dns doesn’t leak anything. I think that’s usually done by running the software inside of some containers or virtualization. If you do that your setup becomes simpler than inventing a dozen or so firewall rules. Either use gluetun or make the container bind to the vpn in its entirety. So practically the same setup everyone uses for pirating, just that you don’t pay for a VPN service, but do that (server) part yourself on your virtual server. Everything else is a good bit more elaborate and complicated…