Posts by Casstg

    The local block storage will match what is already provisioned in your server type, as it is local to the machine your VPS is on, so on my NVME server I got NVME storage, benchmarked exactly the same.

    I'm not sure on the OP UFW setup, but the first thing I do is lock down UFW so Docker ports do not bypass the firewall. This is security 101 with regards to Docker.


    Follow the guide below and amend the lines to match your Docker network IP, i.e. let's say you set a custom network on 172.20.0.0/12, then amend any lines that say 192.168.x.x with this IP instead.


    Lock down Docker Ports with UFW


    Now, rather than open ports 80 and 443 to the whole server, further down the guide they explain how to use forward rules to the Docker chain.


    I have servers with either SWAG or NPM, so it works with either. So let's say you have given a fixed Docker IP of 172.20.0.100 to NPM; the forward rules would then be:


    Code
    ufw route allow proto tcp from any to 172.20.0.100 port 80
    ufw route allow proto tcp from any to 172.20.0.100 port 443
    ufw route allow proto tcp from any to 172.20.0.100 port 81


    This will now forward those ports directly to NPM and nowhere else on your server.


    Whatever ports you publish now will only be reachable if you add a forward rule like above; otherwise they gain no access.


    Regarding port 81, you only need this for initial setup. What you should do is set up a proxy host in NPM for NPM itself, add the SSL, then access via the domain name. You can then remove the forward rule for 81.


    With regards to Wireguard, I use a Wireguard and Wireguard-UI stack and this works perfectly. I can give you the docker run command to see how they link, but basically the UI container actually connects to the Wireguard docker and its UI ports are published there. You then add a proxy host in NPM for the web UI so it's secured and add another forward rule like below.


    Let's say you have given the Wireguard Docker IP 172.20.0.50 and UDP port 51820; you would then publish a forward port as follows:

    Code
    ufw route allow proto udp from any to 172.20.0.50 port 51820


    Obviously you can change "any" to a specific IP only if that suits.


    If you want to add an extra layer of security, then throw all your web UI dockers that don't need to be accessed from anyone else behind Authelia Docker 2FA. That locks it down nice and tight but is a pain to set up for the first time, and is a lot easier to set up with the SWAG proxy container than NPM.
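The forward rules described in this post can be generated and sanity-checked before they are applied. This is an added example, not part of the original post: the /16 network, the labels and the `build_rules` helper are assumptions, and each container IP is checked against the Docker network before a rule is emitted.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from a real host).
DOCKER_NET = "172.20.0.0/16"
PLAN = [  # (label, container IP, proto, port, allowed source)
    ("npm-http",  "172.20.0.100", "tcp", 80,    "any"),
    ("npm-https", "172.20.0.100", "tcp", 443,   "any"),
    ("npm-admin", "172.20.0.100", "tcp", 81,    "any"),
    ("wireguard", "172.20.0.50",  "udp", 51820, "any"),
]
SETUP_ONLY_PORTS = {81}  # ports meant to be closed again after initial setup


def build_rules(plan, docker_net, setup_only=SETUP_ONLY_PORTS):
    """Return (rules, cleanup): ufw route rules plus delete commands to run later."""
    # strict=False accepts a network written with host bits set and normalises it.
    net = ipaddress.ip_network(docker_net, strict=False)
    rules, cleanup = [], []
    for label, ip, proto, port, src in plan:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{label}: {addr} is outside Docker network {net}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{label}: unsupported protocol {proto!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"{label}: invalid port {port}")
        if src != "any":
            src = str(ipaddress.ip_network(src, strict=False))  # validate source
        spec = f"allow proto {proto} from {src} to {addr} port {port}"
        rules.append(f"ufw route {spec}")
        if port in setup_only:
            cleanup.append(f"ufw route delete {spec}")
    return rules, cleanup


if __name__ == "__main__":
    rules, cleanup = build_rules(PLAN, DOCKER_NET)
    print("# apply now")
    print("\n".join(rules))
    print("# run once the admin UI is reachable through its proxy host")
    print("\n".join(cleanup))
```

A typo in a container IP raises an error here instead of silently producing a forward rule that points at an address outside the Docker network.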

    Wireguard can be a right pain; however, I use two docker containers and it became a breeze, and you can throw up instances really quickly. (To be fair, I run 4 dockers, as I use NPM for SSL certs and proxying and 1 Authelia Docker to put the web UI behind 2FA.) However, technically you can spin up the 2 dockers for Wireguard and Wireguard UI, do all your config in the UI (including downloading the connection files or scanning QR codes if mobile) and then just stop the Wireguard UI docker until you need to add, delete or make other changes. Doing it the latter way would take no time at all (up and running in less than 5 mins), and I can post the working docker run commands if anyone is interested.

    Hi


    Have several root servers and a few ARM servers elsewhere. Looking at your ARM servers, I wanted to clarify the actual bandwidth.


    On the details page it states that if the traffic averages 1000MBits/s in 24 hours then it will be temporarily reduced to 200Mbps.


    However, if you add the item to cart, the agreement becomes "if the traffic averages 200Mbits/s in 24 hours then it will be temporarily reduced to 200Mbps".


    I was wondering if something was up. Backups are at a crawl going out of the server, and my speed test to the server is seeing a fraction of the normal speed with high ping times.


    Code
    traceroute google.com
    traceroute to google.com (142.250.186.142), 30 hops max, 60 byte packets
     1  202.61.xxx.x (202.61.xxx.x)  0.487 ms  0.459 ms  0.434 ms
     2  ae3-4019.bbr02.anx84.nue.de.anexia-it.net (144.208.211.10)  58.835 ms  58.819 ms  58.804 ms
     3  ae0-0.bbr01.anx84.nue.de.anexia-it.net (144.208.208.139)  62.090 ms  62.112 ms  62.097 ms
     4  ae2-0.bbr02.anx25.fra.de.anexia-it.net (144.208.208.141)  118.603 ms  118.584 ms  118.890 ms
     5  209.85.149.86 (209.85.149.86)  61.905 ms  61.981 ms  61.965 ms
     6  * * *
     7  fra24s07-in-f14.1e100.net (142.250.186.142)  62.330 ms 142.250.62.150 (142.250.62.150)  62.600 ms fra24s07-in-f14.1e100.net (142.250.186.142)  62.669 ms