You’ll need a TURN server to relay calls and provide signalling capabilities, which is needed most of the time. Here’s Synapse docs on it, and I’ll probably use coturn:
https://element-hq.github.io/synapse/latest/turn-howto.html
There’s also this new technology called Element Call, which uses a diffent tool called LiveKit. You should check it out too
https://github.com/element-hq/element-call/blob/livekit/README.md
You should add your DNS forwarder as its own node in Tailscale, and configure the tailnet to resolve DNS through it. That way you’ll be able to resolve both MagicDNS node names and your local domains, as well as being blocklist-enabled. Besides, I think you can also define custom A/AAAA records on your Tailscale console, skipping local records on Pi-hole altogether.
I’d also recommend Technitium for a new DNS solution, mainly because they’re going to add support for clustering soon. This could be highly useful if you want to configure blocklists once and sync them between different Technitium nodes. Should it works out, I’m thinking of installing it alongside every Tailscale exit node, for the benefit of synced blocklists, local domains, and exit-node geolocated IPs for external domains.
Missed the chance to call it Jelloseerr
It’s Jellover now
Rsync depends on OpenSSH, but it definitely isn’t SFTP. I’ve tried using it against an SFTPGo instance, and lost some files because it runs its own binary, bypassing SFTPGo’s permission checks. Instead, I’ve opted for rclone with the SFTP backend, which does everything rsync do and is very well compliant.
In fact, while SFTPGo’s main developer published a fix for this bug, he also expressed intention to drop support for the command entirely. I think I’m just commenting to give a heads up for any passerby.
Hi, I think OP wants their sibilings to directly connect to their PC, skipping any relays, even if it’s their VPS.
But if you are comparing setting up your own VPS instead of relaying through Tailscale’s DERP, then the answer is… it depends on the distance and whether you can establish VPS->Local VM direct connections.
I found opening a specified port for Tailscale on the VPS to help with direct connections with CGNAT’d peers. I’m not familiar with Pangolin, but I think the same principle applies as long as at least one address:port combination is agreed between Wireguard peers.
If I’m being honest though, before doing all this, try asking your ISPs for IPv6 to avoid these cumbersome things together.
If both your Jellyfin server and your siblings are behind residential CGNAT, then high chance your connections are relayed through Tailscale’s DERP servers. You can check with tailscale ping-ing your sibilings’ nodes.
If this is the case, you may consider selfhosting your own DERP somewhere close to you, but I’d argue the performance gains are minimal compared to the extra costs. Another solution would be to enable IPv6 for both you and your siblings, skipping NAT traversal. I just hope both ISPs support it and support it properly in $CURRENT_YEAR.
This is all assuming you can direct play (i.e. not transcoding) your media. If you’re transcoding, then it’s good to look into hardware acceleration like the other comment mentioned, too
try adding the sysctls parameters to your docker container too
Is there a way for a Wireguard peer to advertise AllowedIPs similar to Tailscale’s subnet routings? If that’s right, perhaps you can configure your host’s address as one of the AllowedIPs on the OpenWRT peer, and skip port forwarding too
Two separate functions should go into two separate nodes
and
As an (advanced) alternative to Gluetun + Tailscale I propose tswg (my project)
I’ve vaguely thought about this with Split DNS.
My concern would be the need to set up some non-Tailnet mechanism to expose it to the internet and keep it secure. Either port forwarding, Pangolin, or even using Funnel… all of which would be better off on a separate device (and maybe a separate VLAN)
It’d be an interesting idea for sure, perhaps for when I can get myself the separate Headscale-dedicated device. Although now I’d have to learn the “normal” zone-based networking ahah
That’s a nice thing with Wireguard yea. I’ll keep this in mind if ever I can grok Tailscale to do such things
The many small bugs make Matrix still bad - I wouldn’t recommend a non-tech user unless accompanied by a 24/7 admin. It is trying to improve but very slow because of reasons
Should’ve specifically asked the operators/hosters if they need a better answer. But this has more engagement so
Worth noting that there’s an open issue to support Wireguard peers into Headscale, so you could use it with e.g. a wg0.conf file from a commercial VPN
If you can selfhost and can use containers/docker, I wanna shamelessly plugin my solution: https://github.com/stratself/tswg. Basically mount a WireGuard config from Nord or any upstream VPN, and the container will tunnel traffic to said VPN when you choose it as an exit node.
There are other gluetun + tailscale solutions that are worth a look too
Ah right, completely forgot about that (80 for HTTP-01, 443 for TLS-ALPN-01). Is a bummer unfortunately
Thanks for the guide. How did you get the VPN forwarded port? I believe this depends on the VPN provider’s software?
Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow
Edit: I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware
I’ve poked around Homarr’s setup a bit, and it seems like it can run rootless after a few tweaks!
For anyone interested, I’ve written a POC and feature request here - https://github.com/homarr-labs/homarr/issues/3913
Hope it can be officially supported
Hi,
The client IP problem is a longstanding issue in podman’s virtual bridge networks.
As a workaround I’d run HAProxy rootless, using the
pastanetworking mode as that one allows seeing native client IP. With pasta’s-Tflag (see docs) I’d forward traffic to another caddy container binding to127.0.0.1:8080or something similar.This would coincide with your firewalld/HAProxy port-forwarding setup, but it has more rootlessness to it. It’s still not perfect and you’d still need to tweak sysctls, but I hope it may be useful