The Challenge.
So about the constraints on my network... I am in a situation where I do not control the firewall or routing tables upstream, and with the way things are going I feel like it will become harder and harder to deal with as time goes on. My home network is currently constrained by not one firewall but two, one of which acts as fail-over for the network whenever the cable internet goes down (which is frequently). So not only do I have no control over the firewall or the routing tables, my public IP also changes out of nowhere, which could be fixed with dynamic DNS (DDNS). Even if I were to have the cable internet firewall forward ports 443/80, the fail-over internet connection would stop everything dead in its tracks, as it is a wireless solution that uses carrier-grade NAT, commonly called CG-NAT. So what to do if I cannot control my upstream firewall, routing tables, public IP or really anything past my personal router?
Well really there are a few options.
At the top of the list are cloud hosting services such as GitHub Pages or any of the other cloud hosts.
The problem with those is that I am broke. Like very broke, and even if I wasn’t, I am cheap and much prefer to handle as much of a process as I possibly can on my own. It isn’t ideal at times, but it allows me to challenge myself, learn and problem solve when time is not a constraint.
Here comes IPFS.
IPFS is a really cool tool that can absolutely be used in this situation. It is fantastic for caching files or even directories. I mean, at the end of the day, what is a static website but a simple directory structure? It is one of the coolest tools I have seen come out of the whole decentralized movement. That is cool and all, but there are a few problems with how it works at its core. The first problem is that the directory is cached across systems in a distributed manner. It is really cool because once it propagates it will keep your entire website cached throughout the IPFS network. That sounds like a purely positive attribute, but whenever you need to roll out changes they take time to propagate, so making updates is generally quite slow. To a degree that is something I can live with, however it can fragment the experience of the site. If you are someone who makes an update and immediately wants to share it, then it isn't exactly ideal. Again though, it is something that I could live with, especially since it is completely free. Another problem is that when changes are made your IPFS link is essentially dead, since you need to re-propagate. This problem is solved by using IPNS links instead. IPNS basically assigns a static link to a directory and allows the data behind it to be swapped out whenever the host makes changes. I did exactly this with the very first website I made using IPFS. It worked well despite the slow propagation.
Fast forward 2 months.
My site has not really been getting a lot of traction, which was fine by me. I was concerned about the relatively strict bandwidth limitations on the free Cloudflare IPFS gateway. I was also caching this site at home on my own IPFS node. Sometimes part of the site would just not load, and in general it was not the best experience. Then a new issue became apparent to me: I/O wait on one of my servers was just a little out of control. For those who are not familiar with the term, I/O wait is basically the time the CPU sits idle, unable to move on to other tasks, because input and output operations are delayed or taking longer than expected.
To further elaborate, I/O wait represents a period during which the CPU is not actively engaged in executing useful work because it’s temporarily halted as it waits for data from storage devices. The culprit... Kubo (IPFS). Welp, that was fun. Time to kill and disable the node. I am sure that there are specific parameters that could be configured for the IPFS node to ensure that runaway I/O wait isn’t going to chip away at my drives' read/write cycles as fast, but at this point I decided that IPFS should be reserved for another time to revisit.
Fast forward to today.
I am back at it again! Making another Hugo site. Here we go...
Since then I have spent a lot of time having fun with container configurations. During this time I came to the conclusion that I did not want to rely only on authentication for my network security, so I took more of an interest in software-defined networks and virtual container networking. Along the way I found myself with a very specific workflow and preference in how I distribute access and authentication to my private network, and I took particular interest in the zero-trust mesh VPN network protocol Tailscale. I have reservations about relying on any specific organization for connectivity or authentication, however I agree with the messaging that they presented in this article they posted. I always have some air of skepticism, however they advocate for FOSS implementations of their management server as stated by this blog post here. Knowing that there is at least a FOSS management server available to host for myself in the event that Tailscale Inc. decides to mess up brings me comfort enough to use their proprietary management server. So at this point I am utilizing container networking and structures for most of my self-hosted services. The clear option here now is to explore the rarely talked about Funnel function built into Tailscale. To be clear, this solution isn’t perfect. I am restricted to using only the domain that Tailscale provides. I have a plan for how to fix this issue as I continue to migrate my hosted services over to Tailscale. There are some restrictions when it comes to passing UDP, but in this case… it works and it works well!
If you are curious what the process actually looks like.

So here I am now with a website/blog that allows me to pass traffic out via a VPN in the form of a reverse proxy. They handle NAT traversal, they hand out a domain and they handle SSL via automatic Caddy integration. All of these things together make it a very fast, simple and effective option to use to distribute my website. The best part about it all is that it is very portable. I have a write-up on my Forgejo remote git repo that details everything. If you’re interested in doing something similar for yourself, then just check my git repo posted below.
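A sketch of what a containerized Funnel setup like the one described above can look like, added here as an illustration; it is not taken from the author's Forgejo repo. The service names, the `blog` hostname, the `ts-state` volume, the `./public` path and the nginx image are assumptions.

```yaml
# Added illustration, not the author's compose file. Names (blog, ts-state,
# ./public) are assumptions. Inline configs need Docker Compose 2.23.1+.
# Tailnet prerequisites: MagicDNS, HTTPS certificates, and the "funnel" node
# attribute granted to this node in the tailnet policy file.
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: blog                        # node name inside the tailnet
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}          # read from the shell or .env, never committed
      - TS_STATE_DIR=/var/lib/tailscale   # keep the node identity across restarts
      - TS_SERVE_CONFIG=/config/serve.json
      - TS_USERSPACE=true                 # userspace networking: no /dev/net/tun, no NET_ADMIN
    volumes:
      - ts-state:/var/lib/tailscale
    configs:
      - source: serve
        target: /config/serve.json
    restart: unless-stopped

  web:
    image: nginx:alpine
    network_mode: service:tailscale       # shares the sidecar's namespace; no host ports published
    volumes:
      - ./public:/usr/share/nginx/html:ro # Hugo build output, mounted read-only
    restart: unless-stopped

volumes:
  ts-state:

configs:
  serve:
    # "$$" escapes Compose interpolation so the container sees ${TS_CERT_DOMAIN},
    # which Tailscale replaces with the node's ts.net name at startup.
    content: |
      {
        "TCP": { "443": { "HTTPS": true } },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": { "/": { "Proxy": "http://127.0.0.1:80" } }
          }
        },
        "AllowFunnel": { "$${TS_CERT_DOMAIN}:443": true }
      }
```

Only port 443 of the Tailscale node is opened to the internet; setting `AllowFunnel` to `false` keeps the same site reachable from inside the tailnet only.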
Here is a video detailing the process for using my own custom domain.
I wanted a good place to share my Docker compose examples to help people deploy FOSS or environments in a quick and painless way. These serve as templates to get started with specific deployment examples.
Editor's note: I am sure that there are other ways of getting past network restrictions. IPv6 of course is supposed to flatten the plane so that NAT isn’t required, however from the research I have done it seems that it isn’t viable unless your ISP allows it in the first place, which again returns to the issue that you have no control of your upstream network. If there is anything that I might have missed, then feel free to reach out to me directly. I am always happy to talk and potentially widen my horizons.