Wisdom from a technomage
2025-01-03
A month ago, while I was looking for some help online on how to set up this very website, (asking around on lemy), I got a very insightful response to a question I had.
My initial query was about an issue I had configuring port forwarding on my router so that I may serve this content to the web. I wanted to get my website online somehow, and the easiest way I could think of was to open a port on my router and forward my machine to it. At that point I had already had some accomplishments that motivated me to push a bit further and take the next step. I had already spun up a virtual machine with debian on my beautiful Makiimoto desktop computer, then I created a bridge so that I could access my debian machine from anywhere in my local network, not just my computer. After that I configured nginx and wrote a raw html page (with 3 pesos of css) that I could serve to anyone in my LAN.
Then I decided to publish my ugly html page for everyone to see. So I got working on my router's configuration. I did some tinkering with port forwarding for my debian server, so I set it to port 8080 (because that's what the tutorial I was watching recommended) and then opened a web browser, wrote my server's ip address and... Nothing. I tried again, configured nginx and router for port 80, crossed fingers and yet again, nothing there.
Seeing that I hadn't quite accomplished much, I decided to ask people on the internet who might know better. I wrote this post and waited for comments to come in. I got a lot of very useful and insightful ideas. For example, someone sugested that I host my website on the dark web (which isn't as bad an idea as it sounds, and it might actually be more secure than what I was trying to accomplish here), and then someone else told me that ISPs block port forwarding by default.
This is it! It must be it.
It was a quarter past midnight. I rang my ISP. I waited a couple of minutes on the line enjoying the most beautiful, high quality music (this is sarcasm) but I wasn't even sure they'd pick up the phone, I kinda did it as a joke, since Lena (my girlfriend) was with me at the time and she was having a good laugh at my computer-nerd antics. But alas, I somehow got to a human being. The womnan on the other side of the line sounded very kind and seemed to humour my antics as well. She told me that the public ip service had a fee and that I could sign up for it at any time, even right there and then if I wanted to, and heck yeah I wanted that. So I bought it and did absolutely nothing with it for the rest of the night because I was tired and had to catch a bus at sunrise. So off we went to sleep.
It was always about the friends we made along the way...
What happened afterwards was rather pathetic since after hours of configuration I still couldn't see my webpage.
But there was this one post online, by user u/[email protected]. Who said the following:
I was in your shoes a few years ago, so I think I can give at least some insights: Regarding VPNs, Tailscale is based on Wireguard, but makes configuration a whole lot easier, especially if you have devices with changing addresses. You do still need an account with them, but from there you simply install tailscale on every device you want to access via your VPN, and they should automatically get assigned IP addresses (100.x.x.x). Entering this assigned IP from any other device connected to your Tailscale network will give you a direct connection between the two. With a bit of fiddling you can also enable subnet forwarding, allowing you to for example connect to devices on your home network that don't support installing software on them, but at least for your current setup I don't think that's necessary. It is fun to play around with though, and opens up a whole new world of possibilities. I use it to remotely manage my parent's Router for example, since merlin-wrt and many managed switches don't easily support additional software.
Cloudflare Tunnels are Kind of similar to a VPN, only that you don't connect your own devices with eachother, but instead connect your server(s) directly to cloudflare, who then take over the task of actually getting your data on the internet. The advantage of this is that you technically don't even need a public IP address, since any requests and answers will be forwarded through the “VPN”, and only cloudflare needs to be publically accessible. This does require you to buy a Domain though, since that is what the forwarding will be based on. In the same vein, but if you want to do things “more manually”, I'd also recommend you look into Reverse proxying, if you haven't already. That's basically what turns “site1.example.com” and “site2.example.com” into different requests, usually to different IPs and/or Ports on your private network, allowing you to have multiple things running under one domain. Personally I use the “Nginx Proxy Manager” running in a Docker Container for this, mainly because it's nice and easy to get your head around, but there are several newer Options like Traefik or Caddy that I also want to look into at some point.
After this wall of text, I hope you have fun playing around with all of this stuff, I know I had, and I really learned a lot about networks and the internet in general. Oh, and don't be too stubborn to completely start from scratch occasionally, sometimes it's just the easiest solution…
In hindsight, now that I've done a bit more research, I learned that my network is inside a CGNAT. Which means there is at least another layer of private IP addresses that I had to go through to get to the public web, and that this has been a long-standing practice in the industry due in part to IPv4 addresses being depleted. I also learned that we all should have a public IPv6 address (known as global) that I could use to host websites and whatnot, it just needs some configuring and tinkering on the router side. The security implications of course, need to be addressed; since I'm my own firewall and I'm completely free to shoot myself in the foot if so I wished.
In the end, I did follow Technikus' advice and took the Cloudflare tunnel route. I still want to do the reverse proxy thing, but I haven't had the time to read on it, and the IPv6 route looks promising as well. So I'll keep updating this on the go.