Traefik -> TCP -> Traefik

Hey there,

Let's just start with my use case / the problem I would like to solve.

My situation is as follows:

  • My home-network is 'living' behind an ISP-provided DS-Lite tunnel
  • I am unable to route to my home-network directly, but would like to use some self-hosted services etc.
  • That's why I am using WireGuard and a VPS to establish a direct connection (tunneled).
  • This works very well, and I am already using Traefik as a reverse proxy to connect to services-at-home through my domain.
  • What bugs me, is that data intensive services like Nextcloud, Jellyfin etc. always need to tunnel their traffic through my VPS, when their domain (name) is resolved from within my home network.
  • I could just set up Traefik on my home-server and connect a direct TCP route coming from all exposed VPS ports.
  • But:
    1. I would also like to serve a static portfolio-page directly from the VPS and
    2. I would like to serve error-pages if something happens to the WG tunnel or my home-internet-connection in general (which is quite common).

That's why I had the following idea:

  • Have two Traefik instances (Traefik_Home & Traefik_VPS)
  • Let them both hold domain certificates.
  • Let Traefik_VPS route all TCP but Host(domain.example) to Traefik_Home (TLS pass-through).
  • Let Traefik_VPS serve error pages for unreachable subdomains in case of a broken tunnel / unreachable TCP connection to Traefik_Home
  • In my home-network point all traffic that targets my domain to my Traefik_Home Instance (local DNS overwrite).

Question 1:

Is this even possible?

I have a setup similar to the one described above, with the difference that Traefik_VPS is currently routing to my local services through WG. A TCP router for HostSNI(test.domain.example) has been set up in Traefik_VPS, as well as an HTTP router for Host(test.domain.example) on Traefik_Home.

It seems to me that Traefik_Home cannot register the test.example.com to route through Traefik_VPS with my DNS service. I always run into ERR_NAME_NOT_RESOLVED. Both Traefik instances seem to hold correct certificates.

Question 2:

Given the configuration below, what am I doing wrong?

# TCP Route on Traefik_VPS
tcp:
  routers:
    rt_test:
      tls:
        passthrough: true
      entryPoints:
        - websecure
        - web
      rule: "HostSNI(`test.domain.example`)"
      service: srv_test
      priority: 1

  services:
    srv_test:
      loadBalancer:
        servers:
          - address: "10.0.0.n" # WG client IP
# HTTP Route on Traefik_Home
http:
  routers:
    rt_dns:
      tls:
        certResolver: main
      entryPoints:
        - websecure
      rule: "Host(`test.domain.example`)"
      service: srv_test

  services:
    srv_test:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:port"

Question 3:

Any better plan?

I am looking forward to any kind of input or direction for troubleshooting this mess.

For the local services routing through the VPS, you would need a DNS record on your local network that points at your Traefik_Home device directly, otherwise your local devices have no idea that they can reach those services locally and go to the VPS IP that they obtain from your global DNS record.

Also are you sure that your Traefik_Home is listening on the WG interface? You didn't include your static config.

I think you also need to include the port in a TCP router? When I try a similar setup (I am running something very similar to this, using the http router, but am trying TCP now), I get the error:

level=error msg="In service \"local-svc@file\": address xxx.xxx.xxx.xxx: missing port in address" serviceName=local-svc entryPointName=websecure routerName=local@file

Adding a :443 to the end fixes the issue and the service works.

Dear @youngt2, thank you for alluding to this; you pointed to an important requirement in this setup, which I did not cover in my problem description or in my depiction.

I do have my own DNS service running locally, which points all clients to my local Traefik instance.


Thanks again

This is quite silly, but you were on the right track. All I had to do was to point to the websecure entrypoint of my Traefik_Home instance. Thanks!

For other people finding this in the future:
Do not forget to deactivate CNAME registration!
LEGO_DISABLE_CNAME_SUPPORT=true

Or grab the Traefik_VPS certificate and replicate it locally, skipping the automatic certificate resolution.
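As an added example (not code from this thread or from the Traefik project), the following lint catches the two problems in the Traefik_VPS dynamic config above before Traefik logs "missing port in address" at runtime: a TCP server address without a port, and a passthrough router whose HostSNI rule is bound to an entryPoint that never sees a TLS ClientHello. It assumes the YAML has already been loaded into nested dicts (for example with PyYAML) and that only the websecure entryPoint carries TLS, which the thread's unseen static config would have to confirm.

```python
import copy

# Added lint for the Traefik dynamic config from this thread; assumes the YAML was already
# loaded into dicts (e.g. with PyYAML). TLS_ENTRYPOINTS is an assumption about the static
# config, which the thread never shows; "10.0.0.n" is the thread's own placeholder.
TLS_ENTRYPOINTS = {"websecure"}

def split_host_port(address):
    """Return (host, port) for a TCP server address; port is None when it is missing."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit() and host and (":" not in host or host.startswith("[")):
        return host.strip("[]"), int(port)
    return address, None

def lint_tcp_config(cfg, tls_entrypoints=TLS_ENTRYPOINTS):
    """Return findings for the tcp section: the runtime error from the thread, plus
    passthrough routers with a HostSNI name on entryPoints that never see a ClientHello."""
    findings, tcp = [], cfg.get("tcp", {})
    for name, svc in tcp.get("services", {}).items():
        for server in svc.get("loadBalancer", {}).get("servers", []):
            if split_host_port(server.get("address", ""))[1] is None:
                findings.append(f"service {name}: missing port in address {server['address']!r}")
    for name, router in tcp.get("routers", {}).items():
        if router.get("tls", {}).get("passthrough") and "HostSNI(`*`)" not in router.get("rule", ""):
            for ep in router.get("entryPoints", []):
                if ep not in tls_entrypoints:
                    findings.append(f"router {name}: HostSNI needs TLS, entryPoint {ep!r} is plain TCP")
    return findings

def fixed_config(cfg, port=443, tls_entrypoints=TLS_ENTRYPOINTS):
    """Copy of cfg with the thread's fix: a port on the address, passthrough only on TLS entryPoints."""
    out = copy.deepcopy(cfg)
    for svc in out.get("tcp", {}).get("services", {}).values():
        for server in svc.get("loadBalancer", {}).get("servers", []):
            host, p = split_host_port(server.get("address", ""))
            if p is None:
                server["address"] = (f"[{host}]" if ":" in host else host) + f":{port}"
    for router in out.get("tcp", {}).get("routers", {}).values():
        if router.get("tls", {}).get("passthrough"):
            router["entryPoints"] = [e for e in router.get("entryPoints", []) if e in tls_entrypoints]
    return out

VPS_CONFIG = {  # the Traefik_VPS dynamic config from the question, before the fix
    "tcp": {
        "routers": {"rt_test": {"tls": {"passthrough": True}, "entryPoints": ["websecure", "web"],
                                "rule": "HostSNI(`test.domain.example`)", "service": "srv_test",
                                "priority": 1}},
        "services": {"srv_test": {"loadBalancer": {"servers": [{"address": "10.0.0.n"}]}}},
    }
}
```

Running lint_tcp_config on VPS_CONFIG reports both findings, and on fixed_config(VPS_CONFIG) reports none.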

