Nextcloud AIO + Selfhosted-gateway : simple bastion VPS with reverse proxy and auto-SSL through wg tunnel

[alex-galey]

TLDR : How to set-up a public bastion server gateway for your local Nextcloud with a VPS in a couple of commands.
With auto SSL certifcate on your domain and encrypted traffic flowing through the public VPS gateway.

Why ? I didn't want to expose my public IP and didn't want to use this low-end ISP box as a router / firewall. A bastion server on a public VPS serves the purpose of being the entry point in my local Nextcloud server.

Tailscale feels great and thought of going there first, also thanks to the great Howto from flll in these discussions.
I didn't really like the not-so-open part about their infrastructure layer after saying open open open... Also thought about Netbird or other of these great networking systems. But hey, I don't have such a networking infrastructure and not sure yet to need one.

I started to set-up a wg tunnel and reverse proxy on the gateway and had a couple of issues while getting hands dirty. I came across THIS awesome project which just allow to automate the tunneling and reverse proxy set-up with simple docker services : https://github.com/hintjen/selfhosted-gateway

(nextcloud-aio net) [Local srv] (frontend net) <== WG tunnel ==> [Gateway] <== Public request on domain.com

After setting-up your VPS and firewall (Please check their simple but complete documentation) :

git clone https://github.com/hintjen/selfhosted-gateway
cd selfhosted-gateway
make docker
make setup
make gateway

You need a key to ssh from your local Nextcloud server in your gateway and probably to add this key in the agent :

eval $(ssh-agent -s)
ssh-add .ssh/your-key
git clone https://github.com/hintjen/selfhosted-gateway
cd selfhosted-gateway/
make docker
make link [email protected] FQDN=example.com

The last command outputs a couple of lines to add to AIO compose.yml with wg keys to route the tunneled traffic to the link container. Remove the basic auth and TLS if you want SSL auto provisioning by link container on your local server.

Your compose should be similar to this one :

---
services:
  link:
    image: fractalnetworks/gateway-client:latest
    environment:
      LINK_DOMAIN: example.com
      EXPOSE: nextcloud-aio-apache:11000 # Add this to route the traffic to the AIO frontend container
      GATEWAY_CLIENT_WG_PRIVKEY: xxx= # generated by selfhosted-gateway
      GATEWAY_LINK_WG_PUBKEY: xxx= # generated by selfhosted-gateway
      GATEWAY_ENDPOINT: x.x.x.x:1234
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
     networks:
      - frontend_net # Add this additional network to separate frontend and AIO backend networking

  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_ADDITIONAL_NETWORK: frontend_net # For aio-apache to join the frontend network
      SKIP_DOMAIN_VALIDATION: true

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
    
networks: # You need to create the frontend network, which is not in default AIO composer
  frontend_net:
    name: frontend_net

Et Voilà :)

Working public-facing local Nextcloud server with auto SSL certificate without fiddling in your ISP appliance.

Next iterations, I want to achieve :

• TURN forwarding for Nextcloud talk
• Harden the local <-> gateway tunnel with mTLS if it makes sense
• Access the local instance locally with SSL, maybe with an extra reverse-proxy layer

Thanking this team and contributors for this simple yet powerful project to get rid of any Cloudflare, Tailscale or what else third-party networking layer to achieve a secure bastion server for Nextcloud instances. And virtually any TCP/UDP routing, they have example with ssh.

And obvisouly to Nextcloud team and contributors for the software of the century !

I am open to constructive feedbacks, especially if a statement is not exact.
Also I'll try my best for help or clarifications.