Articles

Unlock Secure Freedom - Route All Traffic Through Tailscale + Gluetun

Introduction

Ever wished you could route all your devices’ traffic through a single, secure VPN—without jumping through too many hoops? Meet Tailscale, a powerful yet user-friendly VPN service that easily links all your devices under one private network. In this guide, we’ll pair Tailscale with Gluetun on a VPS, creating a robust setup that routes your entire connection securely through another VPN provider.

Prerequisites

Make sure you have the following on hand before you start:

- A Tailscale account
- A VPS running Docker (no worries, we won’t use this VPS as an exit node; it’s just your secure hub). Recommendation: Hetzner offers excellent performance at a great price. (This is an affiliate link.)
- A VPN provider account (we’ll use Gluetun for this guide). Recommendation: Windscribe is a reliable, privacy-focused VPN provider. (This is an affiliate link.)

Step-by-Step Instructions

1. Install Docker and Docker Compose on Your VPS

First, install Docker with a handy one-liner, then add your current user to the Docker group:

    curl -fsSL https://get.docker.com | sh
    sudo usermod -aG docker $USER

2. Use This Docker Compose Configuration

Create a docker-compose.yml with the following content. This configuration pulls in Gluetun for VPN functionality and Tailscale for seamless, private networking. Tailscale will advertise itself as an exit node, allowing you to route all traffic through it.

    volumes:
      ts-data:

    services:
      # For additional VPN service providers, see: https://github.com/qdm12/gluetun-wiki
      gluetun:
        image: qmcgaw/gluetun
        restart: unless-stopped
        container_name: gluetun
        cap_add:
          - NET_ADMIN
        devices:
          - /dev/net/tun:/dev/net/tun
        environment:
          - VPN_SERVICE_PROVIDER=${PROVIDER}
          - VPN_TYPE=wireguard
          - WIREGUARD_PRIVATE_KEY=${VPN_PRIVATE_KEY}
          - WIREGUARD_ADDRESSES=${VPN_ADDRESSES}
          - WIREGUARD_PRESHARED_KEY=${VPN_PRESHARED_KEY}
          - SERVER_REGIONS=${SERVER_REGIONS}

      tailscale-vpn-exit-node:
        image: tailscale/tailscale:latest
        container_name: tailscale-vpn-exit-node
        network_mode: service:gluetun
        environment:
          - TS_AUTHKEY=${TAILSCALE_AUTHKEY}
          - TS_EXTRA_ARGS=--advertise-exit-node # or --advertise-tags=tag:vpn
          - TS_STATE_DIR=/var/lib/tailscale
          - TS_HOSTNAME=vpn-${SERVER_REGIONS}
        volumes:
          - ts-data:/var/lib/tailscale
        devices:
          - /dev/net/tun:/dev/net/tun
        cap_add:
          - NET_ADMIN
          - NET_RAW
        restart: unless-stopped
        depends_on:
          gluetun:
            condition: service_healthy

3. Spin It All Up

Fire up your new setup:

    docker-compose up -d

4. Connect Your Devices

Install Tailscale on each device you want to secure. In the Tailscale admin panel, enable your newly created exit node. Connect to Tailscale—now your traffic will be safely routed through Gluetun.

5. Bask in Secure Browsing

That’s it! Your devices are now shielded behind Gluetun’s VPN, with Tailscale delivering a seamless private connection experience. Browse, stream, and work securely on any network.

Conclusion

By pairing Tailscale and Gluetun, you’ve built a reliable, encrypted path for all your internet traffic. No complicated configurations or manual networks—just straightforward, powerful privacy.

Further Reading

- tailscale
- hetzner
- windscribe
- gluetun-wiki

December 31, 2024 · 2 min read · 399 words

Automatically sync Traefik records with Cloudflare DNS using Traeflare

Introduction

This article will show you how to automatically sync Traefik records with Cloudflare DNS using Traeflare. This is useful if you want to use Traefik as a reverse proxy for your services and Cloudflare as your DNS provider. Traeflare is a tool that watches the Traefik API and keeps the matching Cloudflare DNS records in sync.

Prerequisites

- A Cloudflare account
- A Traefik instance
- An Ubuntu server with Docker installed
- Docker Compose installed
- A domain name that is managed by Cloudflare

Steps

Let's assume that you are working in the directory /home/ubuntu/traefik.

1. Prepare the environment variables

Create a file called .env and add the following environment variables:

    Variable          Description               Default
    TRAEFIK_API_URL   Traefik API URL           http://traefik:8080
    CF_API_URL        Cloudflare API URL        https://api.cloudflare.com/client/v4
    CF_ZONE_ID        Cloudflare Zone ID
    CF_API_EMAIL      Cloudflare API Email
    CF_API_KEY        Cloudflare API Key
    CF_DNS_API_TOKEN  Cloudflare DNS API Token
    DOMAIN_NAME       Domain Name
    RECORD_TYPE       Cloudflare Record Type    CNAME
    PROXIED           Cloudflare Proxied        true
    PRUNE_RECORDS     Prune Records             true

2. Update your docker-compose.yml file

Assuming that you already have a Traefik service running and defined like the following in your docker-compose.yml file:

    services:
      traefik:
        image: traefik:v2.10
        container_name: traefik
        ports:
          - 80:80
          - 443:443
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /etc/localtime:/etc/localtime:ro
          - ./traefik.yml:/etc/traefik/traefik.yml:ro
          - ./config:/etc/traefik/config:ro
          - ./acme:/etc/traefik/acme
          - ./logs:/var/log
        env_file: .env
        labels:
          - traefik.enable=true
          - traefik.http.services.traefik.loadbalancer.server.port=8080

      # Add Traeflare here
      traeflare:
        image: ghcr.io/m4tt72/traeflare:main
        container_name: traeflare
        env_file: .env # Reference the environment variable file here
        restart: unless-stopped
        depends_on:
          - traefik

      whoami:
        image: containous/whoami
        container_name: whoami
        labels:
          - traefik.enable=true # Traefik will automatically pick this up, generate routes and a certificate for it, and also inform Traeflare to create a DNS record for it.

      # Your other services

With a directory tree that looks like this:

    .
    ├── acme
    │   └── acme.json
    ├── config
    │   └── config.yml
    ├── logs
    │   ├── access.log
    │   └── traefik.log
    └── traefik.yml

And with the configuration files in the directory:

traefik.yml

    global:
      checkNewVersion: false
      sendAnonymousUsage: false

    entryPoints:
      http:
        address: :80
        http:
          redirections:
            entryPoint:
              to: https
              scheme: https
              permanent: true
      https:
        address: :443
        http:
          tls:
            options: default
            certResolver: cloudflare

    log:
      level: DEBUG
      format: common
      filePath: /var/log/traefik.log

    accessLog:
      format: common
      filePath: /var/log/access.log

    api:
      insecure: true
      dashboard: true

    providers:
      docker:
        endpoint: unix:///var/run/docker.sock
        exposedByDefault: false
        watch: true
        defaultRule: Host(`{{ .ContainerName }}.example.com`)
      file:
        directory: /etc/traefik/config
        watch: true

    certificatesResolvers:
      cloudflare:
        acme:
          email: your-email@example.com
          storage: /etc/traefik/acme/acme.json
          dnsChallenge:
            provider: cloudflare
            delayBeforeCheck: 10

config/config.yml

    tls:
      options:
        default:
          minVersion: VersionTLS13
          sniStrict: true

As you can see, the docker-compose.yml file defines a Traefik service, a Traeflare service and a whoami service. We added traefik.enable=true to the labels of the whoami service so that Traefik automatically picks it up, generates routes and a certificate for it, and also informs Traeflare to create a DNS record for it.

Note: Make sure your container, in this example whoami, has the label traefik.enable=true AND a container_name defined.

3. Start the Traeflare service

Run the following command to start the Traeflare service:

    docker-compose up -d

4. Check the Traeflare logs

Run the following command to check the Traeflare logs:

    docker-compose logs -f traeflare

You will see that Traeflare has created a DNS record for the whoami service.

5. Check the Cloudflare DNS records and service URL

Go to your Cloudflare account and check the DNS records; you will see that Traeflare has created a DNS record for the whoami service. You can also go to the URL of the whoami service and you will see that it's working.

Conclusion

In this article, we discussed how to automatically sync Traefik records with Cloudflare DNS using Traeflare. We installed Traeflare and configured it to automatically sync Traefik records with Cloudflare DNS.

Further reading

- Traeflare

References

- Traefik
- Cloudflare
- Docker

December 16, 2023 · 4 min read · 614 words

Monitor a website for changes

Introduction

This article will show you how to monitor a website for changes. This is useful if you want to be notified when a website changes, for example, when a new blog post is published, a Black Friday sale starts, or an item is back in stock.

Prerequisites

- A Telegram account
- An Ubuntu server with Docker installed
- Docker Compose installed

Steps

1. Create a Telegram bot

- Open Telegram and search for @BotFather
- Send /newbot to @BotFather
- Enter a name for your bot
- Enter a username for your bot
- Copy the token that @BotFather gives you

2. Create a Telegram chat

- Open Telegram and search for @userinfobot
- Send /start to @userinfobot
- Send /my_id to @userinfobot
- Copy the chat id that @userinfobot gives you

3. Create a Docker compose file

On your Ubuntu server, create a file called docker-compose.yml with the following content:

    version: "3.9"

    volumes:
      data:

    services:
      changedetection:
        image: dgtlmoon/changedetection.io:dev
        container_name: changedetection
        hostname: changedetection
        volumes:
          - data:/datastore
        environment:
          - PORT=5000
          - PUID=1000
          - PGID=1000
          - WEBDRIVER_URL=http://browser-chrome:4444/wd/hub
          - PLAYWRIGHT_DRIVER_URL=ws://playwright-chrome:3000/?stealth=1&--disable-web-security=true
          - BASE_URL=http://localhost:5000
        restart: unless-stopped
        ports:
          - 5000:5000

      browser-chrome:
        hostname: browser-chrome
        image: selenium/standalone-chrome-debug:3.141.59
        environment:
          - VNC_NO_PASSWORD=1
          - SCREEN_WIDTH=1920
          - SCREEN_HEIGHT=1080
          - SCREEN_DEPTH=24
        volumes:
          - /dev/shm:/dev/shm
        restart: unless-stopped

      playwright-chrome:
        hostname: playwright-chrome
        image: browserless/chrome
        restart: unless-stopped
        environment:
          - SCREEN_WIDTH=1920
          - SCREEN_HEIGHT=1024
          - SCREEN_DEPTH=16
          - ENABLE_DEBUGGER=false
          - PREBOOT_CHROME=true
          - CONNECTION_TIMEOUT=300000
          - MAX_CONCURRENT_SESSIONS=10
          - CHROME_REFRESH_TIME=600000
          - DEFAULT_BLOCK_ADS=true
          - DEFAULT_STEALTH=true

4. Start the Docker containers

On your Ubuntu server, run the following command to start the Docker containers:

    docker-compose up -d

5. Add a website to monitor

- Open a web browser and navigate to http://localhost:5000
- Paste the URL of the website you want to monitor in the URL field
- Click Edit > Watch
- Under "Time between checks", select your preferred interval
- Under the Request tab, set "Fetching method" to Playwright Chromium/Javascript via 'ws://playwright-chrome:3000/?stealth=1&--disable-web-security=true' and "Wait seconds before extracting text" to a number higher than 15
- Under the Notifications tab, enter the Telegram chat id and token you copied earlier in the following format: tgram://<token>:<chat-id>
- Click Save

You should now receive a notification when the website changes.

Conclusion

In this article, you learned how to monitor a website for changes. This is useful if you want to be notified when a website changes, for example, when a new blog post is published, a Black Friday sale starts, or an item is back in stock.

Resources

- changedetection.io

November 28, 2022 · 2 min read · 386 words

Secure your home network with Pi-hole

Introduction

In this article, we will discuss how to secure your home network with Pi-hole. We will cover the following topics:

- Introduction
- Prerequisites
- Setting up Pi-hole
- Conclusion

Prerequisites

- A server running Ubuntu 20.04 or later
- Docker installed

Setting up Pi-hole

Installation

To install Pi-hole, run the following command:

    docker run -d \
      --name=pihole \
      --restart=always \
      -p 53:53/tcp \
      -p 53:53/udp \
      -p 80:80 \
      -p 443:443 \
      -v /path/to/pihole:/etc/pihole \
      -v /path/to/dnsmasq.d:/etc/dnsmasq.d \
      -e TZ=America/New_York \
      -e WEBPASSWORD=your-password \
      pihole/pihole:latest

Configuration

To configure Pi-hole, open your browser and go to http://your-ip/admin. You will be prompted to enter the password you set in the docker run command. Once you have entered the password, you will be able to access the Pi-hole dashboard.

Changing DNS settings on your devices

To change the DNS settings on your devices, go to your router's settings and change the DNS settings to the IP address of your Pi-hole server.

Windows

To change the DNS settings on Windows, go to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Right-click on your network adapter and select Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Select "Use the following DNS server addresses" and enter the IP address of your Pi-hole server in the Preferred DNS server and Alternate DNS server fields.

macOS

To change the DNS settings on macOS, go to System Preferences > Network > Advanced > DNS. Click the + button and enter the IP address of your Pi-hole server in the Server field.

Linux

To change the DNS settings on Linux, go to System Settings > Network > Network Connections. Right-click on your network adapter and select Edit Connections. Select IPv4 Settings and click Add. Enter the IP address of your Pi-hole server in the DNS field.

Android

To change the DNS settings on Android, go to Settings > Network & Internet > Wi-Fi. Select your Wi-Fi network and click Modify network. Select Show advanced options and enter the IP address of your Pi-hole server in the DNS 1 and DNS 2 fields.

iOS

To change the DNS settings on iOS, go to Settings > Wi-Fi. Select your Wi-Fi network and click Configure DNS. Select Manual and enter the IP address of your Pi-hole server in the Primary DNS and Secondary DNS fields.

Conclusion

In this article, we discussed how to secure your home network with Pi-hole. We installed Pi-hole and configured it to block ads and malware. We also configured Pi-hole to use Cloudflare's DNS servers.

Further reading

- Pi-hole
- Pi-hole on Docker Hub

November 26, 2022 · 3 min read · 428 words

Securing your server

Introduction

This article will guide you through the process of securing your server. It will cover the following topics:

- Automatic updates
- SSH
- Fail2ban
- UFW

Automatic updates

Automatic updates are a great way to keep your server up to date: unattended-upgrades installs security updates and bug fixes on its own, and can also reboot your server when a reboot is required.

Installation

To install automatic updates, run the following command:

    sudo apt install unattended-upgrades

Configuration

To configure automatic updates, run the following command:

    sudo dpkg-reconfigure -plow unattended-upgrades

You will be asked to choose the update settings. You can choose the default settings by pressing enter.

Automatic reboots

To enable automatic reboots, run the following command:

    sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades

Automatic reboots with delay

To enable automatic reboots with a delay (reboot at 02:00 instead of immediately), run the following command:

    sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot-Time "02:00";|Unattended-Upgrade::Automatic-Reboot-Time "02:00";|g' /etc/apt/apt.conf.d/50unattended-upgrades

SSH

SSH is a protocol that allows you to connect to your server remotely. It is a very powerful tool, but it can also be dangerous if not configured properly. It is recommended to disable password authentication and to use SSH keys instead.

To configure SSH, run the following command:

    sudo nano /etc/ssh/sshd_config

Edit the following lines:

    Port 2025 #Change me
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PermitRootLogin no
    PubkeyAuthentication yes

Restart SSH:

    sudo systemctl restart ssh

Use public/private key authentication

To use public/private key authentication, you will need to generate a key pair on your local machine. To do so, run the following command:

    ssh-keygen -t rsa -b 4096

You will be asked to enter a file in which to save the key. Press enter to use the default file. You will also be asked to enter a passphrase. It is recommended to enter a passphrase.

Once you have generated the key pair, you will need to copy the public key to your server. To do so, run the following command:

    ssh-copy-id -i ~/.ssh/id_rsa.pub [server ip]

You will be asked to enter the password of the user you are connecting as. Once you have entered the password, you will be able to connect to your server without entering a password.

Fail2ban

Fail2ban is a tool that blocks IP addresses that repeatedly try to log in to your server with the wrong credentials, including repeated failed SSH logins.

Installation

To install Fail2ban, run the following command:

    sudo apt install fail2ban

Configuration

To configure Fail2ban, run the following command:

    sudo nano /etc/fail2ban/jail.local

Add the following lines:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 3600

Note that port = ssh means port 22; if you changed the port in sshd_config above (2025 in the example), put that port number here instead, otherwise the bans will not cover your SSH port.

Restart Fail2ban:

    sudo systemctl restart fail2ban

UFW

UFW is a firewall that will block all incoming connections by default. It will only allow connections to the ports that you specify.

Installation

To install UFW, run the following command:

    sudo apt install ufw

Configuration

To configure UFW, run the following commands:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw enable

Note that allow ssh opens port 22 only; if you changed the SSH port above, allow that port (for example 2025/tcp) instead before running ufw enable, or you will lock yourself out of the server.

Conclusion

This article has covered the following topics:

- Automatic updates
- SSH
- Fail2ban
- UFW

You can now secure your server.

Next steps

- Secure your home network
- Self-host your own media streaming service
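Because sshd honours the first occurrence of each keyword, a hardened line that ends up below a stock setting is silently ignored. The following audit script is an added example, not part of the original article: it checks an sshd_config file against the values set above and reports the effective port, so the Fail2ban port and the UFW rule can be kept in step with it. It assumes the plain "Keyword value" form of sshd_config lines.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the
# hardening values above. sshd uses the FIRST occurrence of a keyword, so this
# audit applies the same first-match rule. Keyword matching is case-insensitive.

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == key { print $2; exit }    # first match wins, like sshd
    ' "$1"
}

# audit_sshd FILE -> prints one "Keyword expected=... actual=..." line per
# deviation; returns 0 when every hardened value is in effect, 1 otherwise
audit_sshd() {
    file=$1
    status=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        # An unset keyword falls back to sshd's compiled-in default; these
        # options are expected to be set explicitly, so unset counts as a deviation.
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want actual=${got:-<unset>}"
            status=1
        fi
    done
    return $status
}

# ssh_port FILE -> prints the effective SSH port (22 when none is configured).
# Fail2ban's "port =" and the UFW allow rule must use this same port.
ssh_port() {
    port=$(sshd_effective "$1" Port)
    echo "${port:-22}"
}

# Constructed sample config: the hardened lines were appended below a stock
# "PasswordAuthentication yes", so that part of the hardening has no effect.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# stock settings
Port 2025
PasswordAuthentication yes
PermitRootLogin no

# hardening appended later (the first PasswordAuthentication line still wins)
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

if audit_sshd "$SAMPLE"; then
    echo "sshd_config matches the hardened values"
else
    echo "fix the deviations listed above and restart ssh"
fi
echo "ssh port: $(ssh_port "$SAMPLE")"   # prints: ssh port: 2025
rm -f "$SAMPLE"
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` after editing; a clean run before `systemctl restart ssh` avoids restarting into a configuration that still accepts passwords.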

November 25, 2022 · 3 min read · 536 words

Self-host your own media streaming service

Introduction

In this article, we will discuss how to self-host your own media streaming service. We will cover the following topics:

- Introduction
- Prerequisites
- Setting up the media streaming service
- Conclusion

Prerequisites

- A server running Ubuntu 20.04 or later
- Docker installed

Setting up the media streaming service

Jellyfin

Jellyfin is a free and open-source media server that can be used to stream your media to your devices. It is a fork of Emby and Emby Theater. Jellyfin is a self-hosted alternative to services such as Plex, Netflix, and Kodi.

Installation

To install Jellyfin, run the following command:

    docker run -d \
      --name=jellyfin \
      --restart=always \
      -p 8096:8096 \
      -p 8920:8920 \
      -v /path/to/config:/config \
      -v /path/to/media:/media \
      jellyfin/jellyfin

Configuration

To configure Jellyfin, open your browser and go to http://your-ip:8096. You will be prompted to create an account. Once you have created an account, you will be able to access the Jellyfin dashboard.

Deluge

Deluge is a lightweight, Free Software, cross-platform BitTorrent client. In this guide, we will use Deluge to download media files.

Installation

To install Deluge, run the following command:

    docker run -d \
      --name=deluge \
      --restart=always \
      -p 8112:8112 \
      -p 58846:58846 \
      -v /path/to/config:/config \
      -v /path/to/downloads:/downloads \
      linuxserver/deluge

Prowlarr

Prowlarr is a free and open-source indexer manager for usenet and torrent indexers. It is a self-hosted alternative to services such as Sonarr, Radarr, and Lidarr.

Installation

To install Prowlarr, run the following command:

    docker run -d \
      --name=prowlarr \
      --restart=always \
      -p 9696:9696 \
      -v /path/to/config:/config \
      -v /path/to/downloads:/downloads \
      linuxserver/prowlarr

Configuration

To configure Prowlarr, open your browser and go to http://your-ip:9696. You will be prompted to create an account. Once you have created an account, you will be able to access the Prowlarr dashboard.

Sonarr and Radarr

Sonarr and Radarr are free and open-source media servers that can be used to automatically download and manage your media. They are self-hosted alternatives to services such as Netflix, Amazon Prime Video, and Hulu.

Installation

To install Sonarr, run the following command:

    docker run -d \
      --name=sonarr \
      --restart=always \
      -p 8989:8989 \
      -v /path/to/config:/config \
      -v /path/to/downloads:/downloads \
      -v /path/to/tv:/tv \
      linuxserver/sonarr

To install Radarr, run the following command:

    docker run -d \
      --name=radarr \
      --restart=always \
      -p 7878:7878 \
      -v /path/to/config:/config \
      -v /path/to/downloads:/downloads \
      -v /path/to/movies:/movies \
      linuxserver/radarr

Configuration

To configure Sonarr, open your browser and go to http://your-ip:8989. You will be prompted to create an account. Once you have created an account, you will be able to access the Sonarr dashboard.

To configure Radarr, open your browser and go to http://your-ip:7878. You will be prompted to create an account. Once you have created an account, you will be able to access the Radarr dashboard.

Conclusion

In this article, we discussed how to self-host your own media streaming service. We covered the following topics:

- Introduction
- Prerequisites
- Setting up the media streaming service
- Conclusion

References

- Jellyfin
- Deluge
- Prowlarr
- Sonarr
- Radarr
- Docker
- Ubuntu Linux
- LinuxServer

November 24, 2022 · 3 min read · 487 words

Website created by Yassine Fathi © 2024