by sipjca 761 days ago
Love this! Have been doing something similar with HAProxy + Cloudflare Tunnels, but would love to move off it at some point. Super curious to give it a run soon. Thanks for sharing!

I have been considering Cloudflare a bit, but it’s basically a MITM, no? They decrypt your entire traffic then. It’s a lot of trust to put in Cloudflare…

> but it’s basically a MITM, no?

Yes [1]

You could try IPv6.rs (shameless plug). We provide a routed IPv6 IP and reverse proxy for IPv4. We made it easy to run servers with Cloud Seeder [2], our open source server manager.

[1] https://blog.ipv6.rs/understanding-tls-mitm-and-privacy-poli...

[2] https://github.com/ipv6rslimited/cloudseeder

What I want is a transparent reverse proxy for both IPv4 and IPv6. Ideally it should work with encrypted SNI and ECH, using a static IP, because this is where the internet is going and anything else is probably a dead end I would like to avoid investing time in today.

Ideally, it has some simple firewall IDS/IPS capabilities (limit destination ports, limit source IPs…).

My threat scenario is, once someone has my home IP, they can cut off my internet very easily, just brute force traffic to my IP will clog my internet access.

The same would work via the above described reverse proxy, but I can diagnose it and turn off the proxy. My self hosted services will be down but at least I have Internet. If my home IP is known, there isn’t much I can do… My ISP doesn’t rotate the IP of a user very often (think months).

Currently I feel that cloudflare tunnelling is less worse than the above described risk, but it’s far from ideal, hence looking for alternatives.

> Ideally it should work with encrypted SNI

IPv6.rs doesn't work with ESNI because you'll have to decrypt the encrypted packet to read it. Cloudflare decrypts your traffic so it can read it.

> If my home IP is known,

IPv6.rs hides your home IP. The only exposed IP will be the IPv6 IP you receive from IPv6rs. The reverse proxy proxies to your IPv6 address, so your home IP will never be exposed (and technically you could change the IPv6rs IP if you wanted to at ANYTIME).

If you're interested in giving it a shot I can give you a coupon that discounts significantly!

I’m sorry if it’s a trivial question, but why does a “dumb” forwarder have to decrypt the packet? I only need to tunnel/forward it, static destination IP; there are no decisions taken on the basis of the SNI as far as I can tell.

I need IPv4 as well unfortunately, still.

You're right - if you already have a static destination IP you will not.

For everyone else, however, they do have to face this situation where their forwarder is not so dumb and decrypts their traffic.

Our service prevents that, but not for IPv4. That's why we provide a reverse proxy over all major TLS ports.
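The distinction the exchange above turns on can be checked against the bytes: a layer-4 forwarder to a fixed IP never looks inside the TLS stream, while a proxy that routes by hostname reads the server_name extension from the plaintext ClientHello, which with ECH only carries the outer public name. This is an added illustration, not code from the thread or from IPv6rs; the ClientHello is constructed in the script, and the ECH extension codepoint 0xfe0d is the one used by the encrypted_client_hello draft.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint from the ECH draft (assumed here)


def build_client_hello(server_name: str, extra_exts=()) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed sample, not a capture)."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    exts = sni_ext + b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extra_exts)
    body = (
        b"\x03\x03" + bytes(32)       # legacy version + 32-byte random (zeros in the sample)
        + b"\x00"                      # empty session id
        + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return (server_name, has_ech) by walking the ClientHello; no key material is needed."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None, False                     # not a handshake record / not a ClientHello
    p = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    p += 1 + record[p]                         # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                         # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    name, ech = None, False
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:   # name_type host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            name = data[5:5 + nlen].decode()
        elif etype == ECH_EXT:
            ech = True                         # real hostname is encrypted; SNI is the outer name
        p += 4 + elen
    return name, ech


if __name__ == "__main__":
    print(extract_sni(build_client_hello("home.example.test")))
    print(extract_sni(build_client_hello("public.cdn.example", [(ECH_EXT, b"\x00")])))
```

A forwarder that only needs the destination IP never calls anything like `extract_sni`; a hostname-routing proxy does, and when the second tuple reports ECH it can only route on the public name, not the real one.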