19 votes

Routing around a VPN connection in Linux

10 comments

  1. [7]
    jonah
    Hello! Here is an article I wrote about how I was able to port forward some services from my home media server around the VPN it is connected to. This was a nice challenge for me, especially because my networking knowledge is more limited than it should be, and I had a hard time finding any articles or forum posts that had the same problem as me. I was able to find people with similar problems and piece together my own solution for my own problem.

    I am trying to get better at writing, so I'm trying to create some technical articles to improve that skill. I hope self-promo here is alright and that you find the article interesting and/or helpful. Thanks for reading!

    7 votes
    1. [2]
      JXM
      Nothing wrong with a little self promotion…

      You did a great job. It was easy to follow and understand as someone with a medium amount of network management knowledge.

      4 votes
      1. jonah
        Thank you for the feedback! I'm glad it was easy to follow.

        2 votes
    2. [2]
      cfabbro
      The occasional bit of self-promotion is fine on Tildes, yeah, so long as it's not the only thing someone does here. From the docs:

      Self-promotion

      If you have your own site/project/channel/etc. that you'd like to share on Tildes, that's generally fine (in moderation), but it shouldn't be the primary reason that you post on the site. Tildes is a community, not a free advertising platform. Sharing your own content is welcome as long as you're involved in the community, but don't just treat Tildes as a source of an audience.

      https://docs.tildes.net/policies/code-of-conduct#self-promotion

      4 votes
      1. jonah
        Sounds good, thank you! It's been a while since I've read the docs. I should probably go through those again.

        2 votes
    3. [2]
      thereticent
      Hi Jonah -- As a networking lightweight, fun read. Two thoughts... You may want to explain what mangle is. That's where I just pictured a black box, but I also didn't understand what that black box resulted in.

      A practical thought if you really do want to move to a secure tunnel: many vpns have sideloadable apps for the Fire TV stick. I've been using proton VPN on mine and was able to successfully connect from a relative's house over the weekend.

      Anyway, thanks for posting. Love this kind of technical problem solving essay.

      2 votes
      1. jonah
        Hi there! Thank you for the feedback!

        Regarding mangle, if you are curious, it seems that the mangle table is for modifying various pieces of the packet, particularly the IP headers. In other words, you are mangling the packet! I’m not super great at networking so that’s about where the wheels fall off for me.

        As far as VPNs go, I’ll see what I can do with our fire stick. If I can figure out a clean and easy way to connect to my home network from the stick, I’ll start working on a (new) networking solution.

        Thanks again for your feedback, I really appreciate it!

        2 votes
  2. [3]
    kru
    Maybe I misread the article, or you glossed over it, but I have to ask: Do you have your jellyfin machine exposed directly to the internet? If I went to byjonah.net:8082 (or whatever) would your router be routing my packets to your jellyfin server? If so, that seems dangerous.

    Consider routing all of your inbound connections through wireguard or tailscale to decrease your exposed surface area.

    Also, did you consider using stateful packet routing? The --state RELATED,ESTABLISHED to forward traffic from eno1 back to eno1 when it's related to an existing connection? I'm not a network expert, so maybe those weren't germane to your use case.

    3 votes
    1. [2]
      jonah
      Hello! Yes I do have it exposed directly over the internet. However I was very careful to not reveal the domain ;) Jellyfin also has a login system which I understand is not saying much, but it’s better than being completely open on the port.

      That being said, I really would like to move to a VPN system sooner rather than later, but the convenience of an open port is easy for me and more importantly, my less technically minded wife.

      movies.byjonah.net does sound cool though :P

      2 votes
      1. gco
        I've got a service out of my home network as well and use Nginx Proxy Manager in front of it. Makes management of certificates much easier and also allows you to put some security measures in place (I have a mate running Crowdsec as well but I couldn't manage to get it working myself).

        3 votes
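As an added example (not the article's code and not posted by any commenter) tying together jonah's note on the mangle table and kru's RELATED,ESTABLISHED suggestion: the service host marks incoming Jellyfin connections in the mangle table, restores that mark on the replies, and a policy-routing rule sends marked replies out of eno1 instead of the VPN tunnel, while only conntrack-established traffic is accepted back. The interface, gateway, mark and table numbers are assumptions; the script prints the commands by default and only runs them when invoked as `sh script.sh apply`.

```shell
#!/bin/sh
# Added example, not code from the article or the thread.  Assumptions
# (constructed, not from the page): the service host has one LAN NIC, eno1,
# the VPN tunnel holds the default route, the LAN gateway is 192.168.1.1,
# and we steer marked packets with fwmark 0x1 through routing table 100.
SVC_PORT="${SVC_PORT:-8082}"      # Jellyfin port mentioned in the thread
LAN_IF="${LAN_IF:-eno1}"
GATEWAY="${GATEWAY:-192.168.1.1}"
MARK=0x1
TABLE=100

# Emit the commands one per line so they can be reviewed before use.
rules() {
    cat <<EOF
sysctl -w net.ipv4.conf.${LAN_IF}.rp_filter=2
ip route replace default via ${GATEWAY} dev ${LAN_IF} table ${TABLE}
ip rule add fwmark ${MARK} lookup ${TABLE} priority 1000
iptables -t mangle -A PREROUTING -i ${LAN_IF} -p tcp --dport ${SVC_PORT} -m conntrack --ctstate NEW -j CONNMARK --set-mark ${MARK}
iptables -t mangle -A OUTPUT -p tcp --sport ${SVC_PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -A INPUT -i ${LAN_IF} -p tcp --dport ${SVC_PORT} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Line 1: loose reverse-path filtering, since replies leave by a different
#         route than the tunnel default would pick.
# Line 2-3: table 100 routes via the LAN gateway; packets carrying the mark
#         consult it before the main table (and so skip the VPN route).
# Line 4: a NEW connection to the service arriving on eno1 gets the mark
#         stored on its conntrack entry (this is the "mangling").
# Line 5: locally generated replies copy the connection mark back onto the
#         packet; the kernel re-routes after mangle OUTPUT, so rule 3 fires.
# Line 6-7: only new connections to the service port, plus state-tracked
#         replies, are accepted; everything else keeps the host's default.

# Number of rules gated on connection state (the stateful part kru raised).
stateful_rule_count() {
    rules | grep -c -- '--ctstate'
}

# Apply for real (needs root, iptables and iproute2); otherwise print only.
apply_rules() {
    rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    apply_rules
fi
```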