I use OpenVPN and not expose anything directly.
I keep everything behind a VPN so I don’t have to worry much about opening things up to the Internet. It’s not necessary about the fact that you’re probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.
You could expose your media server and not worry too much about that device but having it in a “demilitarized zone”, ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.
Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.
Like, even my DNS server is public because I use DoT for AdBlock on my phone.
Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).
A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System HA Home Assistant automation software ~ High Availability HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IMAP Internet Message Access Protocol for email IP Internet Protocol NAS Network-Attached Storage NAT Network Address Translation Plex Brand of media server package SMTP Simple Mail Transfer Protocol SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
[Thread #549 for this sub, first seen 26th Feb 2024, 21:45] [FAQ] [Full list] [Contact] [Source code]
something like 95% stays local and is remote accessed via wireguard, The rest is stuff I need to host via a hostname with a trusted cert because apps I use require that or if I need to share links to files for work, school etc. For the external stuff I use Cloudflare tunnels just because I use DDNS and want to avoid/can’t use port forwarding. works well for me.
Just in case you missed this, you can issue valid HTTPS Certificates with the DNS challenge. I use LetsEncrypt, DeSEC and Traefik, but any other supported provider with Lego (CLI) would work.
Just my Nextcloud and Matrix
I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).
I knew about Cloudflare Tunnels but I didn’t want to route my stuff through their service. And using Immich through their tunnel would be very slow.
I finally figured out how to publish my stuff using an external VPS that’s doing several things:
- being a OpenVPN server
- being a cert server for OpenVPN certs
- being a reverse proxy using nginx with certbot
Then my servers at home just connect to the VPS as VPN clients so there’s a direct tunnel between the VPS and the home servers.
Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6 and that one routes the traffic through the VPN tunnel to the home server and it’s port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.
Took me several years to figure out but resolved all my issues.
What benefit does it have instead of getting a dynamic DNS entry and port forwarding on your internet connection?
With DS-Lite you don’t have a public IPv4. Not a static one but also not a dynamic one. The ISP just gives you a public IPv6. You share your IPv4 address with other users. This is done to use less IPv4s. But not having a dynamic IPv4 causes you to be unable to use DynDNS etc. It’s simply not possible.
You could publish your stuff via IPv6 only but good luck accessing it from a network without IPv6.
You could also spin up tunnels with SSH actually between a public server and the private one (yes SSH can do stuff like that) but that’s very hard to manage with many services so you’re better of building a setup like mine.
Thanks for the great explanation!
I’m interested in why you’re terminating TLS on your VPS instead of doing it on your home network
Everything is behind a wireguard vpn for me. It’s mostly because I don’t understand how to set up Https and at this point I’m afraid to ask so everything is just http.
I’ve been using YunoHost, which does this for you but I’m thinking of switching to a regular Linux install, which is why I’ve been searching for stuff to replace YunoHost’s features. That’s why I came across Nginx Proxy Manager, which let’s you easily configure that stuff with a web UI. From what I understand it also does certificates for you for https. Haven’t had the chance to try it out myself tho because I only found it earlier today.
NPM is nice and easy to use.
NPM is the way. SSL without ever needing to edit a config file.
Its not hard really, and you shouldn’t be afraid to ask, if we don’t ask then we don’t learn :)
Look at Caddy webserver, it does automated SSL for you.
Thank you. It was mostly ment as a joke tho. I’m not actually afraid to ask, but more ignorant because it’s all behind VPN and that’s just so much easier and safer and I know how to do it so less effort. Https is just magic for me at the moment and I like it that way. Maybe one day I’ll learn the magic spells but not today.
Careful with Caddy as its had a few security issues.
All software has issued, such is the nature of software. I always say if you selfhost, at least follow some security related websites to keep up to date about these things :)
Do you have any suggestions for reputable security related websites?
too many :) Here is a snippet of my RSS feed, save it as an xml file and most rss reeders should be able to import it :) https://pastebin.com/q0c6s5UF
few days late here, but that pastebin had some really good feeds 🙏 I noticed the OPML file was labeled FreshRSS and I also use FreshRSS. So I fixed up the feeds and configured FreshRSS to scrape the full articles (when possible) and bypass ads, tracking and paywalls.
I figured I’d pay it forward by sharing my revised OPML file.
I also included some of my other feeds that are related (if you or anyone else is interested).
Some of the feeds are created from scratch since a few if these sites don’t offer RSS, so if the sites change their layout the configs may need to be adjusted a bit, but in my experience this rarely happens.
I had to replace some of the urls with publicly hosted versions of the front-ends I host locally and scrape, but feel free to change it up however you like.
https://gist.akl.ink/Idly9231/22fd15085f1144a1b74e2f748513f911
Thank you :)
deleted by creator
Most of my things are open to the web but thats kinda nessasary for them to be functional file shairing links, link shortening, mc server etc etc
The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.
Can I ask your setup? I’d like to get this for myself as well.
Try pivpn. It is meant to run on a raspberry pi, but it should work on most Ubuntu and Debian based distributions.
Sorry, haven’t logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.
Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.
Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it
Which image? I’ve seen a few wireguard options on docker hub
Linuxserver
Not OP, but I just use ZeroTier for this since it’s dead simple to setup and free. I’m sure there’s some 100% self-hosted solutions, but it’s worked for me without issue.
This is the way.
Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.
Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.
Homelab, ehhh. Much smaller user base and within smackable reach.
Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.
I have HTTPS and SSH accessible on the internet but only over IPv6. Anything else I access over an SSH tunnel or VPN.
All of it is LAN only except Wireguard and some game servers.
PII or anything that would demonstrate clear attribution is LAN, the rest of the “fun” stuff lives on a VPS. Wireguard between them.
