easy-rsa VS docker-swag

Easy-rsa to the rescue. Been using it for a while, works great and makes life easier :)

Link: https://github.com/OpenVPN/easy-rsa

Summary from that page:

easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

No, OpenVPN relies on the CA trust model. Anyone signed by the CA has access, unless they have been revoked (CRL): https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Renew-and-Revoke.md

Then make do with the CLI. There might be some tooling to help you, e.g. https://github.com/OpenVPN/easy-rsa

Hey folks. I'm one of the authors for Mastering OpenVPN, the author of Troubleshooting OpenVPN, and the maintainer of EasyRSA. In light of Apollo and other 3rd party apps going dark on the 30th, I figured I'd "turn in my notice" on Reddit and do the normal sysadmin data dump/brown bag before I'm gone. I've really enjoyed this group and hope things get sorted in the long run.

Correct. That applies to OpenVPN. There's a tool that OpenRSA maintains that help with creating those certificates, EasyRSA: https://github.com/OpenVPN/easy-rsa

Regarding the keys, csr and certificates it's pretty easy to manage them with easy-rsa (https://github.com/OpenVPN/easy-rsa)

$ git clone https://github.com/OpenVPN/easy-rsa.git

Depending on your use case, either https://github.com/FiloSottile/mkcert or https://github.com/OpenVPN/easy-rsa

If you can add CAs to the hosts that will access this server, you can be your own certificate authority. mkcert is good, as mentioned elsewhere, or you can go all out: https://github.com/OpenVPN/easy-rsa

I have a NAS on .0.181 and a swag container (on a different port than nginx) on .0.180 that points to my public facing services. For obvious reasons, I don't want my public domain to point to any other ports/addresses on my home network. Additionally, as elegant as swag is, it requires authentication and so won't work for simple local DNS. I now have one local domain for each server and an nginx instance on each that resolves to my different services on each.

OP is even linking the Github... https://github.com/linuxserver/docker-swag

I have an UnRAID server with a few services (Jellyfin, Nextcloud, etc.) running on it behind Linux Servers' SWAG reverse proxy container, which is built on Nginx and Let's Encrypt. This is pointed to a DuckDNS link, which is then pointed at my domain with a CNAME. So I can access Jellyfin, for example, at jellyfin.mydomain.com. A few weeks ago, due to seemingly unrelated issues, I got a new modem/router, an Arris SURFboard G34. For the first few weeks, everything was working as before. But now, when on my LAN, I can't get to my services at the proxied domain. It times out every time. There are no errors in SWAG's logs, nothing seems amiss in the router's web interface, and the services are available both at their IP:port address and, when not on my LAN, I can access them at the domain no problem.

Reverse proxy, probably? I use Docker SWAG, setup here, with DuckDNS and it works really well for me. There are of course many ways to reverse proxy, as I linked to earlier.