InnerNet

So what even is an InnerNet? Sometimes also known as an IntraNet, it is an internal network of computers kept separate from the outside network. It can be used to host services, software, applications, and more, without giving access to the outside world. If you can connect to a service from any public IP, we say that's on the public internet. Even if the application is secured and it's open to the public going....

Hey i exist!!!!

...anyone can access it. We have all heard of the times when companies' internal services were accidentally made publicly available to the outside web, and how they ended up getting pwned (I'm looking at you, hospitals).

But why would I want it?

Well, the main reason is it seemed fun. I like to do new things at times, and it seemed like a cool project. Also, I wasn't very keen on keeping many of my internal services public. Yes, they were secured by single sign-on through my authentik instance, but I really didn't feel like anyone should be able to send any HTTP request to my Nextcloud instance, or any other service I'm running. I've already seen what can happen to mail servers (foreshadowing), so I'd like to keep as much stuff internal as I possibly can.

Network Architecture and Design

Well how does it work?!

Well, it's fairly simple. I run a dual DNS setup, my own CA, and WireGuard to add the ability to VPN into the network. First, I run Bind on my network as my internal DNS server. This resolves any domain name under "in.freya.cat" to the device on the network that is hosting that service. For example, "cloud.in.freya.cat" is routed to my server that is running my internal Nextcloud instance. Now, if I was right, you might have just tried to access my Nextcloud, but instead you should have gotten something that says ACCESS DENIED!

You have been blocked! Haha. This is where the 2nd DNS comes in. Since my domain is registered through Cloudflare, any public DNS request for these names gets pointed at my Hetzner VPS, which acts as a public sinkhole for my entire internal network. If you try accessing any of my services, you can't. Instead of getting the right IP, you get Hetzner. And even if you knew the IP, it wouldn't matter, since they are LAN IPs and aren't even port forwarded outside my network. This is also why I use WireGuard, as it allows me to VPN into my network and access my services even while I'm away from home.

Root CA?

You might have noticed I briefly mentioned that I run my own Certificate Authority, but you may be asking why? Who does that? For what reason would you need to? And I totally agree with you. I'd rather not host it if I didn't need it, but I do have a reason. Since all my internal domains are routed to my Hetzner, my internal network can't complete ACME challenges. Since it cannot complete ACME challenges, Let's Encrypt won't give me a certificate for my domain. So I decided to run my own certificate authority. Now, I don't do anything crazy, I just run step-ca inside of Docker. This is great because I use Caddy for my reverse proxy, so Caddy can automatically request new certificates from step-ca, and everything is automated. The only thing I have to do is install my root certificate on my devices, of which I have three. And now I have HTTPS on my internal network!

Overview

Overall, this setup allows me to run the many services I want internally. I can run my Plex server, Nextcloud, photo hosting with Immich, SSO with authentik, IRC, document hosting, file syncing with Syncthing, and still more to list. And with my setup, no one besides me and whoever I let on my network can even dream about accessing my services. This increases my security, and really was just a ton of fun to figure out and set up.

Though make sure to set up WireGuard to not NAT every network device, or theoretically it will break Docker's IP routing, and theoretically it will cause containers to see all IPs as internal, and theoretically services like mailcow, an email server, will not require authentication since it's totally coming from mailcow, and theoretically your email server can become an open relay. Theoretically though.
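
One way to check for the NAT mistake described above (an added example, not code from the original post): a small Python audit that reads `iptables-save` output and reports MASQUERADE/SNAT rules in POSTROUTING that are not limited by source and can match traffic leaving through a Docker bridge, which is what makes containers see every client as internal. The interface names, subnets and bridge-name prefixes in the sample are constructed assumptions.

```python
import shlex

# Constructed iptables-save sample (not from the original post). The names
# eth0/br-mailcow and all subnets are assumptions for illustration.
SAMPLE_NAT_RULES = """\
*nat
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 ! -o br-mailcow -j MASQUERADE
-A POSTROUTING -o br-mailcow -j MASQUERADE
COMMIT
"""

BRIDGE_PREFIXES = ("br-", "docker")  # assumed naming of Docker bridge interfaces


def parse_rule(line):
    """Map each option of one '-A CHAIN ...' line to (negated, value)."""
    tokens = shlex.split(line)
    opts, negated, i = {}, False, 2  # tokens[0:2] are '-A' and the chain name
    while i < len(tokens):
        if tokens[i] == "!":
            negated, i = True, i + 1
        elif tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i]] = (negated, tokens[i + 1])
            negated, i = False, i + 2
        else:
            i += 1
    return opts


def overbroad_masquerade(rules_text):
    """Return source-NAT rules that can rewrite traffic entering a Docker bridge."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        opts = parse_rule(line)
        if opts.get("-j", (False, ""))[1] not in ("MASQUERADE", "SNAT"):
            continue
        src, out = opts.get("-s"), opts.get("-o")
        src_limited = src is not None and not src[0]
        # No -o matches every interface; '! -o eth0' still covers the bridges.
        reaches_bridge = out is None or out[1].startswith(BRIDGE_PREFIXES) != out[0]
        if reaches_bridge and not src_limited:
            findings.append(line)
    return findings
```

On the sample, the unscoped rule and the rule that masquerades everything into the bridge are reported; the rule scoped to the VPN subnet and LAN uplink, and the Docker-style rule for the container subnet, are not.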