Thanks for the help. This is enough to get me started

With Crafty you can bind a specific port.

I use tailscale for public access, and have set it up so tailscale users can access the domain.

I guess what I’m asking for is NPM but for tcp.

No I’m not.

I have tailscale setup for external access. (I have dns records already in my domain provider pointing to a tailscale ip, so a device on my tailnet can access my domain. ie an authorized tailscale device can access nginx.example.com)

I want to know what I have to do to get minecraft.example.com to resolve interenally.

Oh fascinating. I’ll have to look into that

Cool okay.

What about the CNAME one?

For 4 II, its CNAME Name: @ Target: ???

What is the target supposed to be?

Edit: putting “@” for name on the A record, once saved, it changes to my domain instead of @, in your screenshot

A good dashboard helps with not remembering port numbers also. And can look slick

Holy crap thank you so much. I was literally thinking of figuring out how to do exactly this EARLIER TODAY!

Thank you again for this write up. I have almost all of what you wrote already done (cloudflare, NPM and tailscale setup) but haven’t hooked Tailscale and NPM together yet.

I have gluetun+socks5 containea running, then in an app, I put in localip:port into a proxy field. Then that app will use that connection for internet. Browsers on desktop also support proxies. So if you want a specific browser to always use the VPN, this is a very simple way to do that.

https://source.android.com/docs/security/features/private-space

Its not bad using the official wireguard app. Its definitely noticable. On the android battery screen it’ll show around 5% after a full day of use and it on always

For an external VPN like mullvad, I run my own proxy. Again it’s only available from my VPN or inside my network.

It uses socks5 and gluetun docket containers and in apps that support proxies, I can add my proxy to it and it’ll route that traffic through the paid VPN.

Or, a work profile (see shelter) or androids new private spaces. If you have private spaces, it uses a seperate network. So if you have a VPN installed outside the private space, it won’t work on apps inside the space. So, what you could do is have a paid VPN inside private spaces, and use it and a web browser or whatever there, and use your server’s VPN outside the private space.

Lmk if you want any of my docker composes

I keep it running always. Partly to access stuff at home, and party to get the ad-blocking from pihole.

Do not expose stuff unless you fully understand the security risks

Correct. But also public access should be considered advanced

I have setup the same thing as a temp measure, but i believe that something like Authelia or Keycloak should replace and be better than Cloudflare’s email OTP.

True. I would like to add another authentication.

I guess my question is how trustworthy is built-in authentication? I’m not really talking about vulnerabilities, but that’s a part of this, but how much trust can I put into a small projects login page being secure?

Oh yea I forgot about matrix. Maybe setting up a bridge would work. Thanks for the reminder I’ll look into this

good question. friends use discord.

Huh I’ll have to give Kodi a shot. I’ve already got a bunch of Debian experiance and have jellyfin so leaning kodi shouldn’t be too bad.

👀

Files won’t change and are hundreds of GBs