Koalaman 1 Posted ...

Hi, I am a bit of a newbie to all this. Basically running Linux on a Raspberry with AirVPN Suite and using Goldcrest and Bluetit to connect and essentially use JellyFin. All works fine, except obvs when I am connected I can't connect to Caddy from outside of my LAN because I am not in the same network and not using a VPN, say e.g. from my iPhone.

How can I configure this so that I can have Caddy running, AirVPN (suite) running and still be able to connect to my localhost to connect to JellyFin? Again, apologies - Not a specialist.

OpenSourcerer 1435 Posted ...

Oh wow, a wild Caddy user appears! This makes me a bit happy, actually. I've been hosting all my things on Caddy for years now. Automatic HTTPS being the main feature, but also a simple config syntax, a markdown engine for static websites if you need it, HTTP/1-3 built-in – all and more in one binary, without even configuring it. Caddy replaces so, so many middlewares I'd have to configure when running things on Apache or nginx. If you want to serve a static file, you literally need just three lines of config: An address/domain name, root and file_server.

But enough of that. I don't think it's a Caddy problem, though. The default for Caddy is to listen to all addresses. You could post your Caddyfile for a more thorough analysis.

Signature: NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.

Koalaman 1 Posted ...

Hi yes thanks, I’m starting to love it. Look, all I have is this:

    Linux raspberry 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64

    GNU nano 5.4                    Caddyfile
    # The Caddyfile is an easy way to configure your Caddy web server.
    #
    # Unless the file starts with a global options block, the first
    # uncommented line is always the address of your site.
    #
    # To use your own domain name (with automatic HTTPS), first make
    # sure your domain's A/AAAA DNS records are properly pointed to
    # this machine's public IP, then replace ":80" below with your
    # domain name.

    xxx.duckdns.org {
        reverse_proxy 192.168.86.43:8096
        tls {
            dns duckdns {duckdnsTOKEN}
        }
    }

I’m not too sure how to approach this so any info or help would be great!

OpenSourcerer 1435 Posted ...

On 8/23/2023 at 4:27 AM, Koalaman said:
> with AirVPN Suite and using Goldcrest and Bluetit

What are the options? Or, can you post the goldcrest.rc contents, too? (redact password and key name, though)

Koalaman 1 Posted ...

Ahhh, I didn't even know there is a goldcrest.rc file to run. I have so far been doing it manually. Good to know - AND, thanks for all your help so far OpenSourcerer!

I usually just connect with

    sudo goldcrest --air-connect --air-country netherlands

Then I input my username and password and all sweet.

OpenSourcerer 1435 Posted ...

8 hours ago, Koalaman said:
> I usually just connect with sudo goldcrest --air-connect --air-country netherlands

So that means Network Lock is engaged. This is likely the source of your problems. Can you verify whether it works with -N off?

8 hours ago, Koalaman said:
> Ahhh, I didn't even know there is a goldcrest.rc file to run

It's automatically written to .config/goldcrest.rc of the effective user running it (so with sudo it'd be /root/.config/goldcrest.rc). The docs are on the download page.

Koalaman 1 Posted ...

Hi mate, thanks, getting this when trying:

    $ sudo goldcrest -N --air-connect --air-country netherlands
    Goldcrest - AirVPN Bluetit Client 1.3.0 - 1 June 2023
    2023-08-28 09:01:48 Reading run control directives from file /root/.config/goldcrest.rc
    AirVPN Username: xxx
    AirVPN Password for user xxx:
    2023-08-28 09:01:54 Bluetit - AirVPN OpenVPN3 Service 1.3.0 - 1 June 2023
    2023-08-28 09:01:54 OpenVPN core 3.8.4 AirVPN linux arm64 64-bit
    2023-08-28 09:01:54 Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
    2023-08-28 09:01:54 OpenSSL 3.0.8 7 Feb 2023
    2023-08-28 09:01:54 Bluetit is ready
    2023-08-28 09:01:54 Bluetit options successfully reset
    2023-08-28 09:01:54 Option network-lock (N): Option requires a string argument

OpenSourcerer 1435 Posted ...

    -N off

-N wants an argument – that argument can be iptables, nftables, pf or off.

Koalaman 1 Posted ...

So, running this:

    sudo goldcrest --air-connect --air-country netherlands -N no

Unfortunately doesn't let me connect to my xxx.duckdns.org domain to reverse proxy back to Caddy and connect to JellyFin. When I do not run the VPN it works.

How can I best troubleshoot this to give you some more information?

OpenSourcerer 1435 Posted ...

14 hours ago, Koalaman said:
> sudo goldcrest --air-connect --air-country netherlands -N no

I'm not sure if -N no has been accepted. Really use -N off.

Also, are you by chance trying to access Jellyfin on the same computer you're connected to AirVPN with?

Koalaman 1 Posted ...

Hey mate, Jesus, I am so close to giving up. Now when I try this, I get:

    koalaman@raspberry:~ $ sudo goldcrest --air-connect --air-country netherlands -N off
    Goldcrest - AirVPN Bluetit Client 1.3.0 - 1 June 2023
    2023-08-30 09:36:00 Reading run control directives from file /root/.config/goldcrest.rc
    AirVPN Username: Koalaman
    AirVPN Password for user Koalaman: xxx
    2023-08-30 09:36:06 ERROR: D-Bus service org.airvpn.server is not available

When I connect with Eddie client it works, but what I need to do is initially unlock something by putting in my OS password, maybe the keychain? And then I always need to kill openvpn initially, sudo killall openvpn, then I can connect via the GUI.

OpenSourcerer 1435 Posted ...

13 hours ago, Koalaman said:
> 2023-08-30 09:36:06 ERROR: D-Bus service org.airvpn.server is not available

Try su.

    $ su -c "goldcrest --air-connect --air-country netherlands -N off"

13 hours ago, Koalaman said:
> When I connect with Eddie client it works, but what I need to do is initially unlock something by putting in my OS password, maybe the keychain?

Eddie asks for the sudo password first. If Profile data protection is set to Password, Eddie then asks for that password. If it's set to secret-tool, then the password for the keychain is requested. Otherwise, Eddie does not ask for anything else.

Don't know about why you'd need to kill openvpn. Is Connect at startup enabled?

Koalaman 1 Posted ...

Hey mate, yeah not too sure, using the su -c command gives me the same error. Maybe we could troubleshoot in a different way? Discord or something? Makes it easier? I am in Australia.

Edit: Restarted and used the command and it worked - Now testing Caddy.

Edit 2: OMG you're a bloody legend mate! IT WORKS FINALLY! T H A N K YOU!!! Now could you explain to me why and how and what? 😃 So basically what I did is just reboot, then I used the actual command that you gave me initially:

    su -c "goldcrest --air-connect --air-country netherlands -N off"

Then I just navigated to the Caddy folder and started with caddy start. And I just use my phone to connect outside of the network via cellular and it seems to work just fine. So here and there, my Raspberry Pi freezes, so it would be great to create a bash script that I just need to click once that does all these connections for me, so the system is up and running again.

Edit 3: Nope, actually I was wrong - must have been in the cache and loaded from there or fallen back onto my local WIFI. Again, it works when I have terminated my VPN session, but as soon as I connect to AirVPN's servers, it won't load my reverse proxy URL anymore. I don't need to update the AirVPN IP address in duckdns.org every single time I connect to AirVPN's servers, do I? Right now duckdns is just pointing to my reg IP and Caddy somehow uses it. Need to troubleshoot somehow.

OpenSourcerer 1435 Posted ...

9 hours ago, Koalaman said:
> Hey mate, yeah not too sure, using the su -c command gives me the same error. Maybe we could troubleshoot in a different way? Discord or something? Makes it easier? I am in Australia.

All the ways to directly contact me are on my About me page, see my signature. I do have Discord which is not listed; if that's more convenient for you, drop me a private message.

flat4 79 Posted ...

On 8/24/2023 at 1:27 PM, OpenSourcerer said:
> Oh wow, a wild Caddy user appears! This makes me a bit happy, actually. I've been hosting all my things on Caddy for years now. Automatic HTTPS being the main feature, but also a simple config syntax, a markdown engine for static websites if you need it, HTTP/1-3 built-in – all and more in one binary, without even configuring it. Caddy replaces so, so many middlewares I'd have to configure when running things on Apache or nginx. If you want to serve a static file, you literally need just three lines of config: An address/domain name, root and file_server.
> But enough of that. I don't think it's a Caddy problem, though. The default for Caddy is to listen to all addresses. You could post your Caddyfile for a more thorough analysis.

No help here, but with this comment I am testing out Caddy, for possibly a replacement for SWAG.

Signature: pFsense it works

OpenSourcerer 1435 Posted ...

4 hours ago, flat4 said:
> No help here, but with this comment I am testing out caddy, for possibly a replacement for SWAG

You're in for a bag of treats with this one. The much more specialized use cases, like uWSGI or AJP, are not available, though. Also, people and especially projects usually provide configs for Apache and nginx only, so with some applications you'd need to really dive into the docs to configure them similarly to those configs. Nextcloud would be of note here: It's geared towards Apache, so part of its security concept is written in the .htaccess. Caddy doesn't care about that file, so its contents must be coded into the Caddyfile. Took me some time initially.

flat4 79 Posted ...

4 minutes ago, OpenSourcerer said:
> You're in for a bag of treats with this one. The much more specialized use cases, like uWSGI or AJP, are not available, though. Also, people and especially projects usually provide configs for Apache and nginx only, so with some applications you'd need to really dive into the docs to configure them similarly to those configs. Nextcloud would be of note here: It's geared towards Apache, so part of its security concept is written in the .htaccess. Caddy doesn't care about that file, so its contents must be coded into the Caddyfile. Took me some time initially.

That Caddyfile took me a bit, read and read and it would not work. One of my many tries I created a Caddyfile folder, not the same. So far I got a few containers being proxied.

I'm done, sorry to hijack the OP thread.

OpenSourcerer 1435 Posted ...

Just now, flat4 said:
> I'm done sorry to hijack the OP thread

Well, I'm letting it slide… If you've got questions about Caddy and especially its config, drop me a private message.

cheapsheep 6 Posted ...

How is "xxx.duckdns.org" in your Caddyfile even working? Is it really like that or more like "xxx.duckdns.org:{AirVPN.port}"? I think you have to specify it as well, otherwise Caddy uses 443 as standard tls port which will not work?

Koalaman 1 Posted ...

3 minutes ago, cheapsheep said:
> How is "xxx.duckdns.org" in your Caddyfile even working? Is it really like that or more like "xxx.duckdns.org:{AirVPN.port}"? I think you have to specify it as well, otherwise Caddy uses 443 as standard port which will not work?

This is my Caddy file:

    # The Caddyfile is an easy way to configure your Caddy web server.
    #
    # Unless the file starts with a global options block, the first
    # uncommented line is always the address of your site.
    #
    # To use your own domain name (with automatic HTTPS), first make
    # sure your domain's A/AAAA DNS records are properly pointed to
    # this machine's public IP, then replace ":80" below with your
    # domain name.

    xxx.duckdns.org {
        reverse_proxy 192.168.86.43:8096
        tls {
            dns duckdns {DUCKDNSToken}
        }
    }

cheapsheep 6 Posted ...

Yes, I know. But how is this working? Can you specify a redirect port (which is your AirVPN forwarded port) in DuckDns?

Koalaman 1 Posted ...

1 minute ago, cheapsheep said:
> Yes, i know. But how is this working? Can you specify a redirect port (which is your AirVPN forwarded port) in DuckDns?

I haven't specified any ports for Caddy specifically in the AirVPN dashboard. I have for Qbittorrent though.

Seems to be working absolutely fine if AirVPN is off. It's just when I am connected that "I can't get through" from outside of my network.

cheapsheep 6 Posted ...

20 minutes ago, Koalaman said:
> Seems to be working absolutely fine if AirVPN is off. It's just when I am connected that "I can't get through" from outside of my network.

That's the point. It can't get through because you are behind AirVPN and Caddy expects the connection coming to port 443 (tls) which is not possible when you're connected to Air. This shouldn't be a problem because the tls cert is requested through duckdns. Your setup should be fully working behind Air once you create a new forwarded port in your client area and use it in your Caddyfile:

    xxx.duckdns.org:{Air.forwared.port}

Then you can access your service by using https://xxx.duckdns.org:{Air.forwared.port}

Koalaman 1 Posted ...

Just now, cheapsheep said:
> That's the point. It can't get through because you are behind AirVPN and Caddy expects the connection coming to port 443 (tls). This shouldn't be a problem because the tls cert is requested through duckdns. Your setup should be fully working behind Air once you create a new forwarded port in your client area and use it in your caddy file: xxx.duckdns.org :{Air.forwared.port}

Going to try this now mate. Does it matter which port?

So you're saying in Air's client area I can set up say (random) port: 6969

Then in my Caddyfile I change it to:

    xxx.duckdns.org {
        reverse_proxy 192.168.86.43:6969
        tls {
            dns duckdns {DUCKDNSToken}
        }
    }

Is this correct?

cheapsheep 6 Posted ...

2 hours ago, Koalaman said:
> Going to try this now mate. Does it matter which port? So you're saying in Air's client area I can setup say (random) port: 6969 Then in my Caddyfile I change it to:
>
>     xxx.duckdns.org {
>         reverse_proxy 192.168.86.43:6969
>         tls {
>             dns duckdns {DUCKDNSToken}
>         }
>     }
>
> Is this correct?

No. The reverse_proxy still has to point to 8096 which is Jellyfin's port:

    xxx.duckdns.org:6969 {
        reverse_proxy 192.168.86.43:8096
        tls {
            dns duckdns {DUCKDNSToken}
        }
    }

And then access it by using https://xxx.duckdns.org:6969

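Added example, not part of the thread and not Caddy's or AirVPN's own code: a small Python check of the distinction made in the last two posts, that the forwarded port belongs on the site address while reverse_proxy keeps pointing at Jellyfin on 8096. It assumes the forwarded port arrives on the same local port number and only parses the simple single-address block form shown in the thread; the function names and the three sample configs are constructed for illustration.

```python
import re

# Constructed inputs: the three Caddyfile variants discussed in the thread.
ORIGINAL = """
xxx.duckdns.org {
    reverse_proxy 192.168.86.43:8096
    tls {
        dns duckdns {DUCKDNSToken}
    }
}
"""
SWAPPED = ORIGINAL.replace(":8096", ":6969")     # port put on the upstream
FIXED = ORIGINAL.replace("org {", "org:6969 {")  # port put on the site address

def parse_sites(caddyfile):
    """Return [(site_address, [upstreams])] for simple 'address { ... }' blocks."""
    sites, depth, current = [], 0, None
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0:
                current = (line[:-1].strip(), [])
                if current[0]:               # a bare "{" is the global options block
                    sites.append(current)
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1 and line.startswith("reverse_proxy "):
            current[1].extend(t for t in line.split()[1:] if t[0] not in "/@*")
    return sites

def listen_port(address):
    """Port Caddy binds for a site address: explicit, else 80 for http://, else 443."""
    m = re.search(r":(\d+)$", address)
    if m:
        return int(m.group(1))
    return 80 if address.startswith("http://") else 443

def check(caddyfile, forwarded_port, backend):
    """List mismatches between the config and the VPN port forward."""
    problems = []
    for address, upstreams in parse_sites(caddyfile):
        port = listen_port(address)
        if port != forwarded_port:
            problems.append(f"{address}: listens on {port}, VPN forwards {forwarded_port}")
        problems += [f"{address}: upstream {u} is not the backend {backend}"
                     for u in upstreams if u != backend]
    return problems

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("swapped", SWAPPED), ("fixed", FIXED)):
        print(name, check(text, 6969, "192.168.86.43:8096") or "OK")
```

The original config reports one problem (listener on 443), the swapped one reports two (listener on 443 and an upstream that is no longer Jellyfin), and the corrected config reports none.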