this post was submitted on 24 Mar 2025

Selfhosted


My ISP uses CGNAT, which is stopping me from reaching my internal network, so I'm thinking about using Tailscale to let me connect to my server and hence to my internal network.

But I'm not very comfortable giving Tailscale 100% access to my internal network, so I was wondering whether I could limit it to only what it needs: a connection to the internet and to a WireGuard service running in the same container. That would in turn connect to a WireGuard server on the container's host and give me full network access.

I know that as long as they have a service running on the server, even inside a container, they could always access the host. But even so, I would feel safer if I at least tried to contain it.

Does anyone know if this is possible? And can it be done through Docker Compose?

[email protected] 2 points 1 week ago

Just set up WireGuard on your server, and add masquerading and IP forwarding. That single WireGuard in will give you full access to your LAN.
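The setup this reply describes (WireGuard on the host, with IP forwarding and masquerading so one peer reaches the whole LAN), as an added example that is not part of the thread: a POSIX shell script that renders the server and peer configs and checks that every iptables rule PostUp adds has a matching PostDown removal. The interface names, subnets, port and key strings are placeholders I chose; real keys come from `wg genkey` and `wg pubkey`. The peer config still needs an `Endpoint` it can reach, which is exactly what the OP's CGNAT prevents, so on its own this only works where the server has a reachable address.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a WireGuard server config that
# forwards and masquerades tunnel traffic onto the LAN, plus a matching peer
# config, and checks that every iptables PostUp rule has a PostDown partner.
# All keys, addresses and interface names are constructed placeholders.

WG_IF="wg0"                     # assumed tunnel interface name
WG_SUBNET="10.8.0.0/24"         # assumed tunnel subnet
SERVER_WG_ADDR="10.8.0.1/24"
PEER_WG_ADDR="10.8.0.2/32"
LISTEN_PORT="51820"
LAN_IF="eth0"                   # assumed interface facing the home LAN
LAN_SUBNET="192.168.1.0/24"     # assumed home LAN

# render_server_conf SERVER_PRIVKEY PEER_PUBKEY
# Emits wg0.conf for the host. PostUp turns on routing and NATs the tunnel
# subnet onto LAN_IF so LAN devices answer to the server's own address;
# PostDown removes exactly the rules PostUp added.
render_server_conf() {
  server_privkey="$1"
  peer_pubkey="$2"
  cat <<EOF
[Interface]
Address = ${SERVER_WG_ADDR}
ListenPort = ${LISTEN_PORT}
PrivateKey = ${server_privkey}
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i ${WG_IF} -o ${LAN_IF} -j ACCEPT
PostUp = iptables -A FORWARD -i ${LAN_IF} -o ${WG_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${WG_IF} -o ${LAN_IF} -j ACCEPT
PostDown = iptables -D FORWARD -i ${LAN_IF} -o ${WG_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s ${WG_SUBNET} -o ${LAN_IF} -j MASQUERADE

[Peer]
PublicKey = ${peer_pubkey}
AllowedIPs = ${PEER_WG_ADDR}
EOF
}

# render_peer_conf PEER_PRIVKEY SERVER_PUBKEY ENDPOINT_HOST
# Emits the client side. AllowedIPs is the LAN plus the tunnel subnet, so only
# traffic for home is routed through the tunnel (split tunnel).
render_peer_conf() {
  peer_privkey="$1"
  server_pubkey="$2"
  endpoint_host="$3"
  cat <<EOF
[Interface]
Address = ${PEER_WG_ADDR}
PrivateKey = ${peer_privkey}

[Peer]
PublicKey = ${server_pubkey}
Endpoint = ${endpoint_host}:${LISTEN_PORT}
AllowedIPs = ${LAN_SUBNET}, ${WG_SUBNET}
PersistentKeepalive = 25
EOF
}

# check_conf_symmetric: reads a config on stdin and returns 0 when the number
# of iptables PostUp lines equals the number of iptables PostDown lines,
# 1 otherwise (a leftover rule after `wg-quick down` is a common mistake).
check_conf_symmetric() {
  conf="$(cat)"
  ups=$(printf '%s\n' "$conf" | grep -c '^PostUp = iptables' || true)
  downs=$(printf '%s\n' "$conf" | grep -c '^PostDown = iptables' || true)
  [ "$ups" -eq "$downs" ]
}

# Usage (placeholder key files; real ones come from `wg genkey` / `wg pubkey`):
#   render_server_conf "$(cat server.key)" "$(cat peer.pub)" > /etc/wireguard/wg0.conf
#   render_peer_conf "$(cat peer.key)" "$(cat server.pub)" home.example.org > peer.conf
#   check_conf_symmetric < /etc/wireguard/wg0.conf && echo "PostUp/PostDown balanced"
```

`sysctl -w` in PostUp only lasts until reboot; put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ for a persistent setting. The FORWARD rules admit tunnel-to-LAN traffic and only the replies back, rather than opening forwarding in both directions; on a Docker host, which sets the FORWARD chain policy to DROP, these explicit ACCEPT rules are required rather than optional.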

[email protected] 5 points 1 week ago

He can't open ports because of the ISP's setup.

[email protected] 1 point 1 week ago (last edited 1 week ago)

Edit: NVM, read up on it. Seems like you have to run the PCP protocol on IPv4 to bypass the CGNAT issues.

You can use any open port and port forward at the router, or is CGNAT only 80?