VPN Configuration

Phil Jaenke edited this page May 22, 2023 · 1 revision

Because the Internet is often a terrible place with service provided by even worse, many users employ a VPN to protect their privacy and improve their security posture. TaleCaster is built with this in mind and is designed to live either behind your existing VPN setup, or to integrate with common VPN providers.

IMPORTANT LIMITATIONS

  • If you are using PostgreSQL on a separate host, you will need to manually add an appropriate static route.
  • Avoid using cloud provider remote filesystems (e.g. Amazon EFS) together with a VPN.

OpenVPN

All containers support OpenVPN natively, and will work with any OpenVPN-compatible provider. Setting it up in TaleCaster is easy.

  1. Place your OpenVPN configuration file in /talecaster/shared - you can call it anything you want!
  2. If your VPN requires a username and password, create a password file and place it in /talecaster/shared
  3. Enable OpenVPN for each container that should use the connection by setting SHORTNAME_VPN_CONFIG=/talecaster/shared/YourConfigFile.conf in your environment file.
  4. That's it!

This example enables two different VPNs for NNTP, Torrent, and Frontend:

NNTP_VPN_CONFIG=/talecaster/shared/vpn_provider.conf
TORRENT_VPN_CONFIG=/talecaster/shared/vpn_provider.conf
FRONTEND_VPN_CONFIG=/talecaster/shared/my_vpn.conf

Do NOT store usernames and passwords in other locations or use symlinks. Any password file should be mode 0700 and owned by uid 0, gid 0. (OpenVPN must run as root within the container.)
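A pre-flight check for the rules above, added here as an example and not part of TaleCaster: it verifies that every *_VPN_CONFIG entry in an environment file, and the password file, sit directly in /talecaster/shared and are not symlinks, and that the password file is mode 0700 and owned by uid 0, gid 0. The TC_SHARED variable, the function names and the KEY=VALUE environment-file format are assumptions.

```shell
#!/bin/sh
# Added example, not TaleCaster code: pre-flight checks for the OpenVPN
# settings described above. TC_SHARED defaults to the path on this page and
# can be overridden to run the checks against a copy of the share.
TC_SHARED="${TC_SHARED:-/talecaster/shared}"

# Succeed only if $1 is an existing regular file (not a symlink) located
# directly in $TC_SHARED: no subdirectories, no '..' traversal, no symlinks,
# matching the "do not use other locations or symlinks" rule.
check_shared_path() {
    p="$1"
    case "$p" in
        "$TC_SHARED"/*/*|*/../*|*/..) return 1 ;;
        "$TC_SHARED"/*) ;;
        *) return 1 ;;
    esac
    [ ! -L "$p" ] && [ -f "$p" ]
}

# A password file must additionally be mode exactly 0700 and owned by
# uid 0 / gid 0, since OpenVPN runs as root inside the container.
# find's -perm with no +/- prefix is an exact match; -user/-group take ids.
check_password_file() {
    f="$1"
    check_shared_path "$f" || return 1
    [ -n "$(find "$f" -perm 0700 -user 0 -group 0 2>/dev/null)" ]
}

# Read a KEY=VALUE environment file (assumed format) and validate every
# *_VPN_CONFIG entry with check_shared_path. Prints one line per entry and
# returns 1 if any entry is rejected.
check_vpn_env() {
    rc=0
    while IFS='=' read -r key val; do
        case "$key" in
            *_VPN_CONFIG) ;;
            *) continue ;;
        esac
        if check_shared_path "$val"; then
            echo "ok       $key=$val"
        else
            echo "REJECTED $key=$val (must be a regular file directly in $TC_SHARED)"
            rc=1
        fi
    done < "$1"
    return "$rc"
}
```

Run it as root on the host before starting the containers, e.g. `check_vpn_env /path/to/your.env && check_password_file /talecaster/shared/vpn.pass`.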

Improvements Underway

Unfortunately, OpenVPN has some fairly substantial limitations which make it difficult to get away from the 'password file' method. Work is underway to use docker-compose secrets to store usernames and passwords.

WireGuard

Work is ongoing to add WireGuard support. We do not have an ETA at this time.

NordVPN

We actually like NordVPN for most folks. They provide a service that is easy for nearly anyone to not only sign up for, but make use of, at a reasonable price. If you want to try them out, we'd appreciate you using our referral link (which adds time to our subscription. We wish we got that phat Youtuber lewt.)

OpenVPN

This is currently the only supported way of using NordVPN with TaleCaster. Since NordVPN now uses shared certificates for all servers, we recommend using their selector to pick an initial server and then adding several alternates to the configuration by hand, and using remote-random. UDP will generally offer the best performance, but all protocols and ports are supported.

NordVPN Client f/k/a NordLynx

This is the one thing we do NOT like about NordVPN; their closed-source 'proprietary' client, which really is just a WireGuard implementation. We like the speed and security. We do not like that they refuse to provide WireGuard configuration files, despite repeated requests to do so. And because they refuse to port to Alpine, nordvpn does not work. Work is ongoing to extract WireGuard configurations in at least a partially automated fashion.

CloudFlare ZeroTrust / CloudFlare Tunnel

We will not support CloudFlare "VPN" due to their extensive data collection (invalidating the 'private' part,) multiple undisclosed security vulnerabilities, and their well-established history of providing services to and defending groups engaged in hate speech and terrorism.

ZeroTier

ZeroTier is a freemium peer-to-peer VPN solution for building private mesh networks. Of particular note is its relative ease of use compared to other options. ZeroTier's 'root' nodes only provide routing information between member nodes, so actual traffic remains point-to-point. This can make it a good solution for people who want to share content with family members in other homes. ZeroTier support will be added as an experimental feature in 2023. Note that ZeroTier can co-exist with other VPNs and should not be used as an Internet gateway itself; its role is to connect other networks to your TaleCaster infrastructure.

Preliminary ZeroTier Setup

IMPORTANT: these experimental tags are not currently available publicly! (Because, seriously. It's not even close to working yet.) Note: you must create the network in ZeroTier Central first. We recommend assigning a unique /24 which is not 192.168.192.*.

Access Control must be set to PRIVATE and never public!

  • ZeroTier configuration files must be placed in /talecaster/shared/zerotier
  • Do not move files across systems connected by ZeroTier! ZeroTier is intended to provide interface and file access, NOT storage infrastructure.
  • Set EXPERIMENTAL_ZEROTIER=enable in your environment
  • Set zerotier-networkid as a docker-compose secret with your networkid
  • (OPTIONAL) Set zerotier-token as a docker-compose secret to use -T$zerotier-token during join