I’ve started dabbling in self-hosting, including a few frontends (Invidious, redlib, 4Get, SearxNG, etc.). I’m running a VPN within the container, so (as best as I can tell) none of those services draw back to my home IP. They split 2 tunnels for their requests out.
It just seems counter-intuitive that I can run a VPN connection and use SearXNG at 192.168.xx.xxx and then jump straight to a result that’s via the VPN connection. But the VPN is set to allow LAN traffic…so rationally, this makes sense, but it seems too good to be true. Is this accurate?
My threat model is just getting Google out of my life, so no lives hang in the balance on this. Considering how relatively easy it was to set up for such a massive benefit, I’m just wondering why everyone doesn’t do this.
Just to clarify, do you mean that you run something like gluetun in docker together with the other stuff or does the SearxNG container have an inbuilt VPN function?
Correct. WG connection with gluetun in a docker container, then a couple frontends per container that depend on gluetun running to start up themselves.
If you look separately at the connection between your PC and SearXNG and the connection between SearXNG and the internet, it becomes clearer. Your PC connects to your server → docker network → gluetun’s network → SearXNG. Then SearXNG connects to the internet, and since it (likely) has network_mode: service:gluetun in the compose file, its only way to connect to the internet is through the gluetun VPN, and your home IP will not be used. Then it sends its results back to your PC via the local connection (as long as firewall rules are correct etc.)
Be aware that the sites you visit will be visited with your real IP. Only your search is proxied through SearXNG and the VPN. As soon as you click on a search result, your PC will connect to that site directly with your home IP if it doesn’t have its own VPN running.
Not really sure, but I think I remember reading something that Invidious doesn’t always proxy everything, but since I don’t use it I never really cared. Just double check that and make sure to configure it right.
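The layout described in the reply above (gluetun owning the network namespace, SearXNG attached to it with network_mode: service:gluetun) as an added compose example. This is not the poster’s own file or anything shipped by gluetun or SearXNG; the provider name, server country, key, LAN address and published port are placeholders you would replace with your own values.

```yaml
# Added example (not from the thread). Assumptions: WireGuard via a gluetun-supported
# provider, a Dutch exit, SearXNG listening on its default port 8080, and a server
# LAN address of 192.168.1.10. Replace every placeholder before use.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                      # needed to create the tunnel and set iptables rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=mullvad   # placeholder: use your provider's gluetun name
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=REPLACE_WITH_YOUR_KEY
      - WIREGUARD_ADDRESSES=10.64.0.2/32   # placeholder tunnel address from your config
      - SERVER_COUNTRIES=Netherlands       # the "NL location" from the thread
      - TZ=Europe/Amsterdam
      # Optional: let containers behind gluetun reach LAN hosts (e.g. a local DNS
      # resolver) without going through the tunnel. Leave unset for strict behaviour.
      # - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
    ports:
      # Published on gluetun, not on searxng: the searxng container has no network
      # stack of its own, so its port 8080 only exists in gluetun's namespace.
      # Binding to the LAN address keeps it off any other interfaces the host has.
      - "192.168.1.10:8080:8080"
    restart: unless-stopped

  searxng:
    image: searxng/searxng
    container_name: searxng
    # Share gluetun's namespace: every outbound packet from SearXNG leaves via the
    # tunnel (or is dropped by gluetun's firewall if the tunnel is down).
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy   # gluetun ships a healthcheck; wait for the tunnel
    environment:
      - SEARXNG_BASE_URL=http://192.168.1.10:8080/   # placeholder LAN address
    volumes:
      - ./searxng:/etc/searxng       # settings.yml lives here
    restart: unless-stopped
```

Two checks are worth doing after `docker compose up -d`. First, `docker logs gluetun` prints the public IP gluetun sees once the tunnel is up; it should be the VPN exit, not your home address. Second, run a look-up from inside the shared namespace, for example `docker exec searxng wget -qO- https://ifconfig.me`, and compare it with what your PC gets from the same site: the two should differ, which is exactly the split the reply above describes. If you stop gluetun, SearXNG should lose connectivity entirely rather than fall back to the host’s network, because it has no interface of its own to fall back to.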
Thanks - and I’m aware of all of this, which is sort of what I’m asking. It seems too good to be true that this would work:
- Self-hosting SearXNG on docker with gluetun running VPN (NL location). I connect on a 192.168… LAN IP. Home IP address is GR (it’s not, but play along).
- Running VPN (US location) on device. Device sees self-hosted services on LAN because it’s LAN and not subject to VPN (US).
- SearXNG on gluetun VPN (NL) gets results on 192.168 address, and I click links on device running VPN (US). Never does home IP (GR) get exposed if device is on VPN (US) also?
Is it really this simple? This seems like magic. Like some loophole where everything just…did things right accidentally and shouldn’t. That’s just not how real life works!
It is not 100% guaranteed that your home IP never leaks, but for an average threat model it should be fine. Android connectivity checks are one of the few examples I can think of right now that could be bypassing the VPN.