Moving. Again


So I am back on Vultr. Kind of. Not that I am disappointed with Hetzner, but I just want to run my stuff at home, just like I was doing when I started getting more into being part of the Internet, and before running your mail server from home became more or less impossible. I still like thinking of the Internet as a decentralized space. A space where anyone can found their own settlement.

I had also been chewing on the bone of self-hosting for quite a while, and what held me back the most was my own domain and my wish to run my own name servers. Until recently I was running my setup either on two Vultr instances or on two virtual machines in my Hetzner setup in order to satisfy the requirement of having two nameservers available. Luckily I was finally able to collaborate in that regard with a friend of mine. He also runs his own nameservers and agreed to act as my secondary, so I am even better off than before.

I thought about how to move my setup back home without having to get a business line and therefore a static IP. I also thought others might be interested in doing the same, so I started thinking about setting it up in a way that I could offer it as a service. That was a good reason to get myself into Docker. So I installed Alpine on Vultr and started to build my own Docker images: I don't want to use third-party images when I don't know how they have been set up, and instead of spending my time auditing other people's images I wanted to spend it learning Docker.

Using a dynamic DNS provider was not an option for two reasons:

  1. I wanted to send e-mail, which has been a dead end for decades if you are running your mail server from a consumer dialup range.
  2. I wanted my mail setup to stay online at all times and, if possible, at least partially my blog too.

The idea was to run a per-tenant mail relay and caching reverse proxy that connects back to your basement via WireGuard. I got most of the parts running on my own Docker images, but honestly, progress was slow, and having only limited time and basically no knowledge about Docker, I cut my losses and went back to running on OpenBSD, which I just enjoy and know how to hold the damn thing ;-)

The current setup has some drawbacks, though. No multi-tenancy. No caching reverse proxy. If I ever want to offer the setup as a service, I figure whoever is interested can probably spend a few bucks on it, and I can just as well run separate Vultr instances for every tenant. I still want to look into a caching reverse proxy, but at the moment I am just running relayd to connect the world with my basement:

(Image: schematic network architecture. Icons are from icons8.)

Turns out the architecture is actually pretty simple, and including OS installation I was up and running with my primary nameserver, WireGuard VPN, Let's Encrypt setup and reverse proxy in 30-45 minutes. E-mail is very critical for me right now, so I didn't touch that part yet, but I am sure that by the end of the month I will have moved away from Hetzner completely and my data will be back home. For my blog and IMAP daemons, clients connect to relayd, which forwards the traffic to my basement over the tunnel. E-mail simply hits my mail daemon on Vultr, which accepts the mail, passes it down the line and, if need be, spools it until my basement is up and running again. This very website is already being served from my basement, and all that's left to move is my mail setup. When that's done I am not only back at home but also cutting my costs significantly.
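One way to wire up the forwarding just described, as an added example rather than the configuration from this post: an /etc/relayd.conf for the Vultr box that hands TCP for ports 443 and 993 straight down the tunnel, plus the smtpd.conf lines that accept mail on the public side and relay it home. The public address 203.0.113.10, the tunnel address 10.10.0.2 and the domain example.org are placeholders I made up for the example.

```conf
# /etc/relayd.conf on the Vultr box (added example, placeholder addresses)
ext_addr = "203.0.113.10"    # public address of the Vultr instance (placeholder)
basement = "10.10.0.2"       # home side of the wg0 tunnel (placeholder)

# One table, one member: the basement reached through the tunnel. The
# tcp check marks it down when the tunnel is gone, so clients get a
# quick refusal instead of a hanging connection.
table <basement> { $basement }

# Blog: plain TCP relay. TLS terminates at home, so the Vultr box never
# holds the certificate's private key and never sees the cleartext.
relay https {
    listen on $ext_addr port 443
    forward to <basement> port 443 check tcp
}

# IMAP: same idea, TLS terminates on the home IMAP daemon.
relay imaps {
    listen on $ext_addr port 993
    forward to <basement> port 993 check tcp
}

# /etc/smtpd.conf on the Vultr box: accept mail for the domain on the
# public interface and relay it down the tunnel. smtpd keeps anything it
# cannot deliver in its queue and retries, which is the "spool until the
# basement is back" behaviour.
listen on egress
action "to_basement" relay host smtp://10.10.0.2
match from any for domain "example.org" action "to_basement"
```

Passing the TCP sessions through unmodified means the Vultr box can only drop or delay connections; it cannot read or alter them. The price is that it also cannot cache, so a caching reverse proxy would have to terminate TLS on Vultr (the `tls` keyword on the `listen` line) and hold its own certificate there. On the home side, pf should accept ports 25, 443 and 993 only from the tunnel address of the Vultr peer, so nothing on the home LAN is exposed should the home line ever end up with a routable address.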

The biggest problem so far was getting WireGuard to bring the tunnel back up after the ISP's forced disconnect every 24h, which I was able to solve with ifstated. The setup is working, but my ifstated.conf needs some polishing; I will still share it with you.

# Start in "online"; the tests below drop us out of it as soon as the
# PPPoE link or the tunnel interface goes away.
init-state online

# External test, re-run every 120 seconds: can we ping the peer through
# the tunnel? The address published here is from a documentation range;
# substitute the tunnel address of your own peer.
wg_blinz_reachable = '( "ping -q -c3 198.51.100.1 >/dev/null" every 120 )'

# PPPoE link gone (the ISP's daily forced disconnect). Re-dial, give the
# link a moment, and only go back to "online" once the tunnel interface
# is up AND the peer actually answers through it.
state egress-down {
    run "ifconfig pppoe0 up ; sleep 5 ; ping -q -c3 198.51.100.1 >/dev/null"
    if wg0.link.up && $wg_blinz_reachable
        set-state online
}

# Tunnel interface down or peer not answering. Bring wg0 up again; as in
# egress-down, require the peer to answer before declaring victory,
# otherwise this state and "online" flap every 120 seconds for as long
# as the peer stays unreachable. If the uplink itself is gone, go fix
# that first.
state wg-blinz-down {
    run "ifconfig wg0 up"
    if pppoe0.link.down
        set-state egress-down
    if wg0.link.up && $wg_blinz_reachable
        set-state online
}

# Steady state: watch the uplink, the tunnel interface and the peer test.
state online {
    if pppoe0.link.down
        set-state egress-down
    if wg0.link.down || ! $wg_blinz_reachable
        set-state wg-blinz-down
}

I also initially ran into a problem with WireGuard being stateless and the tunnel breaking down if there hasn't been any activity, which led to the website becoming unavailable pretty fast. At first I worked around that by pinging my peer pretty much constantly. After reading through the WireGuard part of ifconfig(8)'s man page I stumbled across the wgpka option:

wgpka interval Set the interval of persistent keepalive packets in seconds. The default, zero, disables these. They can be used to maintain connectivity to a peer otherwise blocked to unsolicited traffic by an intermediate firewall or NAT device. For this, an interval of 25 seconds should suffice.

which solved the issue in a far better way than having to run ping via cron. Right now the setup seems to be stable, but I'd really like to have a caching reverse proxy in order to minimize the strain on my dialup line.
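What that option looks like in practice, as an added example and not the configuration from this post: the home side's /etc/hostname.wg0 with the peer line as it would be without a keepalive and as it should be with one. The keys, the endpoint 203.0.113.10 and the 10.10.0.0/24 tunnel addresses are placeholders; generate your own private key, for instance with openssl rand -base64 32.

```conf
# /etc/hostname.wg0 on the home box (added example, placeholder values)
wgkey REPLACE_WITH_BASE64_PRIVATE_KEY

# Before: no wgpka. The home side sits behind PPPoE/NAT, so the outbound
# mapping the first handshake created expires after a few minutes of
# silence. From then on the Vultr side cannot reach this peer until
# something at home sends a packet through the tunnel again.
#wgpeer REPLACE_WITH_VULTR_PUBKEY wgendpoint 203.0.113.10 51820 wgaip 10.10.0.1/32

# After: wgpka 25 emits a keepalive every 25 seconds, which keeps the
# NAT mapping alive without any cron job. The /32 in wgaip limits what
# this peer may source (and what is routed to it) to its own tunnel
# address, so a compromised Vultr box cannot push traffic for other
# destinations down the tunnel.
wgpeer REPLACE_WITH_VULTR_PUBKEY wgendpoint 203.0.113.10 51820 wgaip 10.10.0.1/32 wgpka 25

inet 10.10.0.2 255.255.255.0
up
```

Only the home side carries a wgendpoint: the Vultr side learns where the home box currently is from the latest authenticated packet it receives, so after the daily PPPoE reconnect hands out a new public address the tunnel resumes as soon as the next keepalive arrives, with no change needed on Vultr. The keepalive itself is an encrypted WireGuard packet, so an on-path observer learns only that the tunnel exists, which it could already tell from the handshakes.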

--EOF