I’m starting a project to make the internet exposure of my home-hosted services a little easier to keep secure.

I have various web services such as Immich, Jellyfin, and a few others that either have high storage needs (which would be expensive in the cloud) or handle more private data. Many of these are exposed to the internet. This network has a domain assigned, and each service is assigned a subdomain. They run in a k0s Kubernetes cluster on a separate VLAN from my home devices, on a couple of NUCs and a Raspberry Pi, and use the Traefik reverse proxy and Keycloak OIDC.

I also have a few VPSes running things that need faster responses or don’t store as much data. These have a separate domain.

Right now I have an OPNsense router that is the target of all the home domain’s traffic (via dynamic DNS), and it forwards that traffic to Traefik on the Kubernetes cluster.

I’d like to instead close off the home network a bit more so I don’t have to devote so much effort to security and can just drop a lot of the malicious connections that come in regularly. I also have the problem that my ISP still only offers 6rd for IPv6, which is basically useless. So I was considering several tunneling technologies that would put the exit node on a VPS, but I also need to be able to access the services while at home without the traffic leaving the network.

I’ve narrowed it down to Headscale/Tailscale and Pangolin. I really like that Pangolin uses Traefik, because I’m already familiar with it and it’s already in use in both my domains.

So I’m going to start setting up Pangolin to see how it goes, but I haven’t seen many examples, and none that use Kubernetes on the internal network side. Sure, I could set up a separate Docker instance to host the services, but I really like that Kubernetes is able to load balance so that one of my NUCs is almost always in low-power mode during off hours when no maintenance tasks are running. So I don’t want to put other non-Kubernetes services on there, nor do I want to set up a totally separate server if it isn’t necessary.

I haven’t dug in too deep yet, so I was hoping to see if anyone else has experience setting up Pangolin with Kubernetes on the internal network side?

  • ivgranite@lemmy.world · 3 · 20 hours ago

    I’m currently exploring a very similar dilemma. I’m working on standing up a k3s cluster in my homelab to start moving some services over there. I’ve been using Pangolin for a little while, and it works great for simple Docker VM setups and such.

    What I’ve ended up doing (and this is just experimenting, so take it with a grain of salt) is disabling Traefik on my k3s cluster (I personally don’t like Traefik and prefer Caddy) and just having Pangolin manage subdomains and host routing. Then I threw MetalLB on the cluster (based on personal familiarity) and ended up recreating the “Docker VM” IP address scheme: MetalLB manages the IP addresses, and I assign each service to a specific LoadBalancer that corresponds to the IP I want the service to have. Then I just pop that LB IP and the service’s port into Pangolin, and voilà.

    All that said, I’m still not entirely satisfied with the solution. I personally prefer subdomain routing and auth to be handled by separate systems (e.g. Caddy + Authelia), but Pangolin acts as a one-stop shop.
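The MetalLB setup the comment above describes (a fixed LoadBalancer IP per service, which is then entered into Pangolin as the target), written out as an added example. This is not code from the thread, from MetalLB, or from Pangolin. It assumes MetalLB 0.13 or newer (CRD-based configuration) installed in the `metallb-system` namespace, a cluster VLAN of 10.20.0.0/24 with 10.20.0.200–10.20.0.210 unused, and an application Deployment labelled `app: immich-server` listening on port 2283 in an `immich` namespace; every address, name and label is a placeholder.

```yaml
# Added example, not from the original thread or the MetalLB/Pangolin projects.
# Assumptions (placeholders): MetalLB >= 0.13 in namespace metallb-system,
# cluster VLAN 10.20.0.0/24 with 10.20.0.200-10.20.0.210 free, and a
# Deployment with label app=immich-server listening on 2283 in namespace immich.
---
# A pool of addresses MetalLB may hand out. autoAssign: false means a Service
# only gets an IP from this pool when it asks for one explicitly, so the
# "one known IP per service" scheme does not drift as Services are added.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: services-pool
  namespace: metallb-system
spec:
  addresses:
    - 10.20.0.200-10.20.0.210
  autoAssign: false
---
# Layer-2 mode: one node's speaker answers ARP for each address on the VLAN.
# No BGP peer on the router is needed for a flat homelab network.
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: services-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - services-pool
---
# The per-service LoadBalancer with a pinned address. The annotations select
# the pool above and request a specific IP from it; the Service's port (80) and
# that IP are what get typed into Pangolin as the resource target.
apiVersion: v1
kind: Service
metadata:
  name: immich-lb
  namespace: immich
  annotations:
    metallb.universe.tf/address-pool: services-pool
    metallb.universe.tf/loadBalancerIPs: 10.20.0.201
spec:
  type: LoadBalancer
  selector:
    app: immich-server
  ports:
    - name: http
      port: 80          # Pangolin target becomes 10.20.0.201:80
      targetPort: 2283  # container port of the application
```

After `kubectl apply -f` on the file, `kubectl -n immich get svc immich-lb` should show `10.20.0.201` under EXTERNAL-IP; if it stays `<pending>`, the address is outside the pool or the pool annotation does not match. Two things worth checking before relying on this: a plain LoadBalancer Service bypasses the cluster's ingress controller, so any forward-auth middleware that was attached to Traefik no longer sits in front of the application and authentication has to be enforced either in Pangolin or in the app itself; and in L2 mode the elected speaker node is the one answering ARP for the address, so if that node goes NotReady MetalLB has to fail the address over to another node before the service is reachable again.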