I’d like to leverage a Linux VPS as a means to work around CG-NAT. The goal would be to run my reverse proxy for my self-hosted services on the VPS, forwarding traffic to the server on my homelab network via the ZeroTier tunnel. This seems rather straightforward as the VPS could have routes to my internal subnets via the ZT tunnel (which terminates on my OPNsense router). However, what confuses me is the sort of “split brain” scenario the server hosting my services would be in with regards to local and non-local traffic. Ideally, I’d want the outbound traffic to use the same path via the VPS as an “Exit Node”. And I guess the next question would be how does one deal with access to the hosted services internally? Seems that traffic would need to traverse the tunnel, hit the reverse proxy, and turn back around.
Would I be better off keeping my reverse proxy local and using the VPS as some sort of router/firewall appliance to bypass the CG-NAT?
Grateful for any insight. I see mention of this being easier on something like Tailscale. However, I really like ZeroTier, particularly the fact that it acts as a simple Ethernet Interface with respect to my router.
I use the basics of this architecture, not for general network routing, but for adding connection reliability to some of my self-hosted servers.
My setup is slightly more complicated, but the basics are that the VPS hosts the reverse proxy and it redirects to the internal servers locally via the Zerotier tunnel. In regular use, the local network is connected with a dual-WAN connection, fiber + 4G. When on the fiber connection, the Zerotier connection is direct, but when it fails over to 4G, it’s behind CGNAT. Zerotier can make the connection and the reverse proxy can still get to the locally hosted servers, but it’s going through a Zerotier TCP relay. This is fine for my lightweight web sites, but too slow for any kind of media distribution.
Assuming you’re not looking for big bandwidth and your web apps can perform acceptably with the additional latency and bandwidth limitations of going through a relay, this is a reasonable solution.
There remains the option of IPv6 connectivity on the 4G connection. I haven’t dug into the details of getting that to work, but in the future that’s the logical solution (even if access to your web sites is via IPv4, the Zerotier tunnel could be over IPv6, permitting direct connections over 4G).
I do have another setup where the local site connections to the VPS go through CGNAT using Wireguard, and Zerotier is only used for remote management. This is a reasonable solution for a VPS with a fixed IP. Zerotier’s big advantage of portability when your public IP changes is not really useful here so the mixed approach can be useful.
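Erik's point that the fallback runs through a Zerotier TCP relay (fine for light web traffic, too slow for media) is something you can monitor for. The script below is an added example, not code from the thread; it parses the text output of `zerotier-cli peers` (column layout assumed from ZeroTier's documentation: `<ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>`) and reports which member peers are currently relayed. The sample output is constructed, not captured from a real node.

```python
"""Report ZeroTier peers that are being reached via a relay instead of directly.

Added example (not from the thread). Column layout of `zerotier-cli peers`
is assumed from ZeroTier's docs: a "200 peers" status line, a header line,
then one peer per line: <ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output; addresses and IPs are documentation/example values.
SAMPLE_OUTPUT = """200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
1d71939404 1.10.6 LEAF     -1 RELAY
62f865ae71 -      PLANET   26 DIRECT 1089     1089     203.0.113.10/9993
8f0c2a4b1e 1.12.2 LEAF     41 DIRECT 512      498      198.51.100.7/9993
"""


@dataclass(frozen=True)
class Peer:
    address: str          # 10-hex-digit ZeroTier node address
    role: str             # LEAF (ordinary member) or PLANET/MOON (root servers)
    latency_ms: int       # -1 when ZeroTier has no direct measurement
    link: str             # DIRECT or RELAY
    path: Optional[str]   # "ip/port" of the direct path, absent when relayed


def parse_peers(output: str) -> List[Peer]:
    """Parse `zerotier-cli peers` text output into Peer records."""
    peers = []
    for line in output.splitlines():
        cols = line.split()
        # Skip the status line, the header row and anything too short to be a peer.
        if len(cols) < 5 or cols[0] in ("200", "<ztaddr>"):
            continue
        path = cols[7] if len(cols) >= 8 else None
        peers.append(Peer(cols[0], cols[2], int(cols[3]), cols[4], path))
    return peers


def relayed_leaf_peers(output: str) -> List[str]:
    """Addresses of member (LEAF) peers on the slow relay path; roots are ignored."""
    return [p.address for p in parse_peers(output) if p.role == "LEAF" and p.link == "RELAY"]


def check_live_node() -> List[str]:
    """Query the local daemon (needs zerotier-one installed; usually run as root)."""
    out = subprocess.run(["zerotier-cli", "peers"], capture_output=True, text=True, check=True).stdout
    return relayed_leaf_peers(out)


if __name__ == "__main__":
    print("relayed peers (sample):", relayed_leaf_peers(SAMPLE_OUTPUT))
```

Run `check_live_node()` from cron on the VPS and alert when your homelab node's address shows up, so you know when the 4G failover has put you on the relay.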
Thanks Erik. This sounds very interesting and something I may still look to implement. That being said, in the end, I was able to figure out the mechanics of terminating a Cloudflare Tunnel at the host running my reverse proxy on the local network. This seems to get the job done.