Exposing Clearnet through VPS Tunnel

What I’m trying to do is point a subdomain to my Umbrel so that I can use it on the go without needing to rely on Tailscale.

I’m currently hosting a few other services as follows and I’m hoping I can make it work for Bitcoin and Lightning too:

Internet > domain name > VPS > WireGuard tunnel to home network > Nginx proxy manager > self-hosted service

SSL termination happens in my home with the reverse proxy.

Ideally I’d like to be able to point e.g. lnd.domain.tld to my VPS, then have it forward the request down the WireGuard tunnel where my reverse proxy would route that request to whatever port on my Umbrel.

I know Umbrel can be set up in hybrid mode to support both Tor and Clearnet, but am I able to expose it using this existing setup? If so, what changes would I need to make to the hybrid mode guide to get it working?

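As an added example (not from the thread or from any of the guides it links to), the VPS side of the chain described above can be kept to two small files: a WireGuard interface that admits only the home peer, and an nginx `stream {}` block that forwards raw TCP 443/80 down the tunnel so TLS is still terminated at home by Nginx Proxy Manager. The script below only renders those files; the tunnel subnet 10.8.0.0/24, port 51820, the key placeholders and the output paths are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's or selfhosted-gateway's configuration.
# Renders the VPS-side config for: domain -> VPS -> WireGuard -> home reverse proxy.
# TLS is NOT terminated on the VPS: nginx's stream module passes the TCP bytes
# through, so certificates and keys stay at home on Nginx Proxy Manager.
# Addresses, key names and paths below are placeholders (assumed values).
set -eu

WG_VPS_ADDR="10.8.0.1/24"   # VPS end of the tunnel (assumed subnet)
WG_HOME_ADDR="10.8.0.2"     # home end, where Nginx Proxy Manager listens
WG_PORT="51820"

# render_wg_vps_conf HOME_PUBKEY -> wg0.conf for the VPS.
# AllowedIPs is a single /32: only the home peer may source packets on this tunnel.
render_wg_vps_conf() {
    cat <<EOF
[Interface]
Address = ${WG_VPS_ADDR}
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home network (the wg-quick / selfhosted-gateway client)
PublicKey = $1
AllowedIPs = ${WG_HOME_ADDR}/32
EOF
}

# render_wg_home_conf VPS_PUBKEY VPS_HOST -> wg0.conf for the home end.
# Only the VPS tunnel address is routed here, so ordinary home traffic is NOT
# sent via the VPS; routing the node's egress through it is a separate decision.
render_wg_home_conf() {
    cat <<EOF
[Interface]
Address = ${WG_HOME_ADDR}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = $1
Endpoint = $2:${WG_PORT}
AllowedIPs = ${WG_VPS_ADDR%/*}/32
PersistentKeepalive = 25   # keeps the NAT mapping open so the VPS can reach home
EOF
}

# render_nginx_stream -> a top-level stream {} block for the VPS's nginx
# (needs the stream module; include it from nginx.conf, outside http {}).
# Layer-4 passthrough: *.domain.tld resolves to the VPS, the VPS never sees
# plaintext, and NPM at home still selects the service by Host/SNI.
render_nginx_stream() {
    cat <<EOF
stream {
    server {
        listen 443;
        proxy_pass ${WG_HOME_ADDR}:443;   # TLS stays intact down the tunnel
    }
    server {
        listen 80;
        proxy_pass ${WG_HOME_ADDR}:80;    # lets NPM answer HTTP-01 ACME challenges
    }
}
EOF
}

# Usage: sh vps-side.sh <home-peer-pubkey> [--install]
# Without --install the files are only printed for review.
main() {
    home_pub="${1:?home peer public key required}"
    if [ "${2:-}" = "--install" ]; then
        umask 077
        render_wg_vps_conf "$home_pub" > /etc/wireguard/wg0.conf
        render_nginx_stream > /etc/nginx/streams.conf   # assumed path; include it from nginx.conf
        echo "wrote wg0.conf and streams.conf; next: wg-quick up wg0 && nginx -t && systemctl reload nginx"
    else
        render_wg_vps_conf "$home_pub"
        echo
        render_nginx_stream
    fi
}

if [ "${1:-}" != "" ]; then main "$@"; fi
```

Two caveats follow from the passthrough design: Nginx Proxy Manager sees the VPS tunnel address (10.8.0.1) as the client, not the visitor's real IP, so NPM's access lists and logs reflect that; and the VPS firewall should expose nothing beyond 51820/udp, 80, 443 and your SSH port. This only brings inbound requests home; it does not by itself make the node's outbound connections leave via the VPS.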

This is pretty much exactly what will get you what you outlined.
And here is the same, but in addition with LNBits on top of the VPS.

Best of luck!


Thanks for this. That first article is great. Unfortunately it’s not consistent with my setup. I’ve already got a tunnel set up between my VPS and home network using selfhosted-gateway. Right now the tunnel routes everything to nginx proxy manager which handles the last mile. selfhosted-gateway is built on docker containers and establishes tunnels between individual containers… i.e. map this subdomain pointed at your VPS, to this particular container via your VPN tunnel. In my case I’ve got *.domain.tld pointed at my nginx proxy manager container.

Going through this guide, it seems like most things worked, but I was unable to configure my node to route traffic back out through my VPS tunnel as the tunnel terminates on a different host, in a container, on a segregated docker network. Running curl https://api.ipify.org on my Umbrel returned my home IP address, not my VPS IP address. So I ended up reverting to vanilla lnd.conf so as not to leak my home IP.

I think for this setup to be feasible for me I’d need to get another VPS and set up a separate tunnel on bare metal (not docker). Would be a fun project, but I don’t know if I can make it work using nginx proxy manager. Probably easier for me to just keep using Tailscale even though 1) it’s not truly self-hosted, grr and 2) it’s annoying to have to keep reconnecting to my tailscale network whenever I want to use my node!

To be clear this is totally a vanity project; was more curious to see if I could make it work. If I’ve missed something big, do let me know.
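The `curl https://api.ipify.org` test in the post above is the right gate, and it is worth making it a script the node runs before clearnet is switched on in `lnd.conf`. The pre-flight check below is an added example, not anything from the thread: it refuses unless the WireGuard peer has handshaked recently and the node's public egress address is the VPS, so a tunnel that terminates on another host (as described above) fails the check instead of leaking the home IP. The interface name `wg0`, the placeholder VPS address 203.0.113.10 and the 180-second handshake window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check to run ON the node
# before adding externalip/listen for clearnet in lnd.conf.
# Passes only if (1) the WireGuard peer completed a recent handshake and
# (2) the node's public egress address is the VPS, i.e. the home IP would not leak.
# Assumptions: interface wg0, VPS public IP in $VPS_PUBLIC_IP (placeholder,
# TEST-NET-3 address), api.ipify.org as the "what is my IP" service.
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
VPS_PUBLIC_IP="${VPS_PUBLIC_IP:-203.0.113.10}"
MAX_HANDSHAKE_AGE=180   # seconds; WireGuard re-handshakes about every 2 min under traffic

# handshake_is_fresh "<output of: wg show IFACE latest-handshakes>" NOW MAXAGE
# That command prints "<peer-pubkey>\t<unix-timestamp>" per peer, 0 = never.
# Returns 0 if at least one peer handshook within MAXAGE seconds of NOW.
handshake_is_fresh() {
    _out="$1"; _now="$2"; _max="$3"
    printf '%s\n' "$_out" | awk -v now="$_now" -v max="$_max" '
        NF >= 2 && $2 > 0 && (now - $2) <= max { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# egress_ok EXPECTED OBSERVED: 0 only if the observed public IP is the VPS.
egress_ok() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

preflight() {
    hs="$(wg show "$WG_IFACE" latest-handshakes)"
    if ! handshake_is_fresh "$hs" "$(date +%s)" "$MAX_HANDSHAKE_AGE"; then
        echo "FAIL: no recent WireGuard handshake on $WG_IFACE; tunnel is down or idle" >&2
        return 1
    fi
    observed="$(curl -4 -fsS --max-time 10 https://api.ipify.org)"
    if ! egress_ok "$VPS_PUBLIC_IP" "$observed"; then
        echo "FAIL: egress IP is $observed, not VPS $VPS_PUBLIC_IP; home IP would leak, leave lnd.conf as-is" >&2
        return 1
    fi
    echo "OK: tunnel up and egress via $VPS_PUBLIC_IP; safe to enable clearnet in lnd.conf"
}

# Live checks run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --run` on the node and only touch `lnd.conf` on an OK. The handshake test catches a tunnel that exists but carries no traffic (a stale peer still shows up in `wg show`), and the egress test is exactly the symptom from the post: a home IP coming back from ipify means the node's default route never entered the tunnel, regardless of how the VPS side is configured.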

I’m not a docker expert, but it sounds like you need to create a docker bridge to get the packets where you want them to end up. This is explained in some detail over here.

Unfortunately my Umbrel is on a different machine than the docker host that’s running nginx proxy manager. I know enough to be a danger to myself and others, but I don’t know if I want to go faffing about with OS configurations just to make it work as that Docker article suggests. I want to keep my Umbrel pretty stock bc I don’t want future updates to break a fragile setup.

This is probably the push I need to build out a node from scratch on the same server that’s running the rest of my services. Will likely keep my Umbrel running for the culture but I think I need something a bit more flexible to do something like this.

Thanks for the advice!


I hear you. FWIW I moved on to raspibolt to a NUC a year ago. Never looked back, because I now know everything my node’s doing and feel more in control.


I just got finished installing all the guts of Raspibolt (bitcoin-core 0.24.x and c-lightning) on an Ubuntu VM running off of my NAS’ storage pool and am waiting for my node to sync as we speak. It’s been messy:

  • Sync was slow af so I gave the VM more RAM (4GB -> 8GB)
  • Sync went way faster after that, but then the iSCSI share my VM is booting from ran out of space
  • Resized the share, then expanded the LVM
  • Ran into some issues where a bad lock had been created on settings.json while storage was full
  • Nuked settings.json and the associated bogus swap files, and restarted the service
  • Now chugging along with the chain sync again

What fun this has been so far. Pretty soon I’ll be attempting a VPS tunnel setup again, with LNBits on the VPS, using selfhosted-gateway instead of the manual WireGuard path outlined in the two guides you linked to. Maybe if that works out I can write a guide.