this post was submitted on 05 May 2024
34 points (97.2% liked)

Selfhosted

40721 readers
595 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi everyone!

I'm looking into self-hosting, and I currently have dynamic DNS set up to point to my home IP.

My question: is it worth getting a dedicated IP through a VPN?

I'm pretty technically savvy, but when it comes to networking I lack practical experience. My thought is that pointing my domain to a dedicated IP and routing that traffic to my home IP would be safer - especially if I only allow traffic on certain ports from that IP. Just curious if that idea holds up in practice, or if it's not worth the effort.

top 42 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

A fixed IP does make things easier at first, but I fail to see the value on that for personal use. Nothing a reverse proxy and DDNS can't replace.

I purchased a domain, use dynamic DNS for it, and point my sub domains to an NGINX proxy server that handles where each points to.

Nothing has access to anything in my network from the internet (all ports are closed on my PFSense), other than Wireguard, and I just VPN into my network when I'm not home.

It was scary when I started, but figured it out in a couple of days. Take into consideration that I'm not even mildly smart, so it should be fairly easy for anyone.

Get into forums, ask around, watch tutorials, you'll be up and running in no time.

Good luck.

[–] [email protected] 2 points 7 months ago (4 children)

Thanks for the reply!

So the NGINX server hosted outside your network, then? And then reverse-proxy that into your home server?

Honestly, I feel like NGINX is a bit overkill for my situation, since I'm not expecting to have a lot of traffic. I could be wrong, though.

[–] marsara9 6 points 7 months ago (1 children)

Their setup sounds similar to mine. But no, only a single service is exposed to the internet: wireguard.

The idea is that you can have any number of servers running on your lan, etc... but in order to access them remotely you first need to VPN into your home network. This way the only thing you need to worry about security wise is wireguard. If there's a security hole / vulnerability in one of the services you're running on your network or in nginx, etc... attackers would still need to get past wireguard first before they could access your network.

But here is exactly what I've done:

  1. Bought a domain so that I don't have to remember my IP address.
  2. Setup DDNS so that the A record for my domain always points to my home ip.
  3. Run a wireguard server on my lan.
  4. Port forwarded the wireguard port to the wireguard server.
  5. Created client configs for all remote devices that should have access to my lan.

Now I can just turn on my phone's VPN whenever I need to access any one of the services that would normally only be accessible from home.

P.s. there's additional steps I did to ensure that the masquerade of the VPN was disabled, that all VPN clients use my pihole, and that I can still get decent internet speeds while on the VPN. But that's slightly beyond the original ask here.

[–] [email protected] 2 points 7 months ago (1 children)

Wouldn't this require any user to connect to the VPN though? I'm looking for something more publicly accessible - say like a website.

[–] marsara9 3 points 7 months ago

Yes it would. In my case though I know all of the users that should have remote access snd I'm more concerned about unauthorized access than ease of use.

If I wanted to host a website for the general public to use though, I'd buy a VPS and host it there. Then use SSH with private key authentication for remote management. This way, again, if someone hacks that server they can't get access to my home lan.

[–] [email protected] 3 points 7 months ago (2 children)

No, the nginx runs inside your network. It's the "entry point" to it and it proxies all requests to your respective services.

[–] peregus 2 points 7 months ago* (last edited 7 months ago) (1 children)

@[email protected] It would be better to have the server on a separated VLAN

[–] [email protected] 1 points 7 months ago

Yeah, thats definitely something I need to look into setting up.

[–] [email protected] 1 points 7 months ago

Ahh okay, thanks for the clarification. Honestly I should use NGINX just for the sake of learning it, if nothing else.

[–] [email protected] 3 points 7 months ago

No, it's inside the network. Once I'm inside my network via the VPN, the proxy server routes to the service I want based on the subdomain instead of using the IP and port as the address.

This can also be useful if, instead of going the VPN route, and you choose to go the CDN tunnel (for example, Cloudflare) way. I actually started with a tunnel via Cloudflare, but after some digging, I don't trust them anymore. Having a tunnel allows you to close all ports coming into your network, but at the expense of having to trust the tunnel provider, and I don't trust many companies out there.

[–] [email protected] 3 points 7 months ago (1 children)

Nginx isn't for security it's to allow hostname-based proxying so that your single IP address can serve multiple backend services.

[–] [email protected] 1 points 7 months ago (1 children)

Thanks, I'm only very vaguely familiar with NGINX, so I appreciate the clarification.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

To provide a bit more detail then - you would setup your proxy with DNS entries "foo.example.com" as well as "bar.example.com" and whatever other sub-domains you want pointing to it. So your single IP address has multiple domain names.

Then your web browser connects to the proxy and makes a request to that server that looks like this:

GET / HTTP/1.1
Host: foo.example.com

nginx (or apache, or other reverse proxies) will then know that the request is specifically for "foo.example.com" even though they all point to the same computer. It then forwards the request to whatever you want on your own network and acts as a go-between between the browser and your service. This is often called something like host-based routing or virtual-hosts.

In this scenario the proxy is also the SSL endpoint and would be configured with HTTPS and a certificate that verifies that it is the source for foo.example.com, bar.example.com, etc.

[–] [email protected] 2 points 7 months ago

Ahh okay, interesting. I'll have to give this a try, then.

[–] [email protected] 4 points 7 months ago (1 children)

Really only if you're running your own email server. Otherwise as far as I know dynamic DNS fills the need.
You aren't in any more risk either way.

Sounds like maybe you want to look into pfsense to do traffic filtering. Highly recommend.

[–] [email protected] 1 points 7 months ago (1 children)

I messed with pfsense a bit at my old job, but never really thought to use it in my home network - might just give that a shot, thanks!

[–] TCB13 2 points 7 months ago

but never really thought to use it in my home network

Because you don't need it. OPNsense and pfSense may make sense in some cases however you're running a small network and you most likely don't require those. OpenWRT will provide you with a much cleaner open-source experience and also allow for all the customization you would like. Another great advantage of OpenWRT you've the ability to install 3rd party stuff in your router, you may even use qemu to virtualize stuff like your Pi-Hole on it or simply run docker containers.

[–] VelociCatTurd 3 points 7 months ago* (last edited 7 months ago) (1 children)

As long as whatever firewall rules you’re using is capable of resolving FQDNs then I don’t see an advantage of doing this. Maybe in the off chance that your IP changes, someone else gets the old IP and exploits it before the DDNS setup has a chance to update. I think that’s really unlikely.

Edit: just to add to this, I do think static IPs are preferable to DDNS, just because it’s easier, but they also typically cost money.

[–] peregus 3 points 7 months ago (1 children)

Why do firewall rules need to resolve FQDNs?

[–] VelociCatTurd 1 points 7 months ago (1 children)

To resolve whatever hostname you’ve setup for ddns

[–] peregus 1 points 7 months ago (1 children)

Sorry, but I still don't understand, what's the need for that?

[–] VelociCatTurd 1 points 7 months ago (1 children)

Because you’re not going to setup any rules pointed to a dynamic public IP address. Otherwise you’re going to be finding a way to change the rule every time the ip changes.

The ddns automatically updates an A record with your public IP address any time it changes, so yeah the rules would use the fqdn for that A record.

[–] peregus 1 points 7 months ago (1 children)

What's the need of the public IP in the firewall rules?

[–] VelociCatTurd 1 points 7 months ago (1 children)

If OP needs a firewall rule to do any number of things that a firewall does.

[–] peregus 1 points 7 months ago (1 children)

I'm curious to know in which case is useful to know the public IP in a firewall rule because I've never used it.

[–] VelociCatTurd 1 points 7 months ago (1 children)

An access rule for instance. To say to allow all traffic or specific types of traffic from a public IP address. This could be if you wanted to allow access to some media server from your friends house or something.

[–] peregus 1 points 7 months ago (1 children)

To allow access from a friend you need his public IP, not yours.

[–] VelociCatTurd 1 points 7 months ago (1 children)

No fucking shit? In that scenario your friend could use DDNS and you point your access rule to his FQDN to allow access.

Did you really ask me a billion fucking “why” questions just to come back and fucking what prove me wrong? Is this a good use of your time? I literally thought you were a noobie looking to understand.

Fuck off.

[–] peregus 1 points 7 months ago (1 children)

Dude, just chill! I didn't think that your answer made sense in the first place and that's why I've asked why you wrote that sentence. I'm not the one that reply to a comment saying "You're wrong!", unless I'm more than sure about what I'm talking, otherwise, and in this case I wasn't sure and I wanted to know your point. I'm here to give my point of view and also to LEARN from others and this is why I kept asking you what was the need of resolving a DNS in a firewall rule, so that maybe I could start using those rules too. On the other side, if you understood that your answer didn't make sense, you simply could have just said it and not waste mine and your time. I think that we ALL are here to share idea and knowledge and that NO ONE is perfect, me in the first place!

[–] VelociCatTurd 1 points 7 months ago* (last edited 7 months ago) (1 children)

If you really think someone is wrong don’t ask them “why, why, why” incessantly like a toddler, grow a pair of balls and just speak your mind.

And in this case I meant “your IP” as in, the grand scheme of things “an IP address that you own”, a VPS for instance, not necessarily the destination. Obviously you wouldn’t need to tell a firewall what its own public IP is. Have I clarified my thought to your standards?

[–] peregus 1 points 7 months ago* (last edited 7 months ago) (1 children)

You've clarified your thought to a normal standard, as you didn't previously. Learn to say "I was wrong" when you are wrong!

Edit: could I have said in the first place that I thought that you were wrong? Probably yes and I'll keep that in mind.

[–] VelociCatTurd 1 points 7 months ago

I would’ve if I was wrong

[–] [email protected] 3 points 7 months ago

VPN providers usually do not offer port forwarding, so the dedicated IP doesn't help you. I discussed that in length with a support guy from nordvpn. The dedicated IP is only meant for outgoing connections, so your IP doesn't jump to crazy, which would cause problems,e.g., with bank logins.

[–] [email protected] 2 points 7 months ago (1 children)

Safer in terms of what?

If you can't justify it, then no, save your money.

[–] [email protected] 2 points 7 months ago (1 children)

Just in terms of broadcasting my home IP directly vs having a middleman, essentially.

[–] [email protected] 2 points 7 months ago (1 children)

You're not "broadcasting" anything. You're running a server.

Your browser is the thing sending your ip to every site you visit. And beyond simple geolocation data it's not that useful to anybody.

[–] [email protected] 1 points 7 months ago

Sorry, yeah, "broadcasting" was a bad word choice. What I meant was that if I port-forward, it exposes that socket to potential bad actors searching for exposed services.

[–] pyrosis 1 points 7 months ago (1 children)

You can do that or you can use a reverse proxy to expose your services without opening ports for every service. With a reverse proxy you would point port 80 and 443 to the reverse proxy once traffic hits your router/firewall. In the reverse proxy you would configure hostnames that point to the local service IP/ports. Reverse proxy servers like nginx proxy manager then allow you to setup https certificates for every service you expose. They also allow you to disable access to them through a single interface.

I do this and have setup some blocklists on the opnsense firewall. Specifically you could setup the spamhaus blocklists to drop any traffic that originates from those ips. You can also use the Emerging Threats Blocklist. It has spamhaus and a few more integrated from dshield ect. These can be made into simple firewall rules.

If you want to block entire country ips you can setup the GeoIP blocklist in opnsense. This requires a maxmind account but allows you to pick and choose countries.

You can also setup the suricatta ips in opnsense to block detected traffic from daily updates lists. It's a bit more resource intensive from regular firewall rules but also far more advanced at detecting threats.

I use both firewall lists and ips scanning both the wan and lan in promiscuous mode. This heavily defends your network in ways that most modern networks can't even take advantage.

You want even more security you can setup unbound with DNS over TLS. You could even setup openvpn and route all your internal traffic through that to a VPN provider. Personally I prefer having individual systems connect to a VPN service.

Anyway all this to say no you don't need a VPN static IP. You may prefer instead a domain name you can point to your systems. If you're worried about security here identify providers that allow crypto and don't care about identity. This is true for VPN providers as well.

[–] [email protected] 2 points 7 months ago

Thank you for such an in-depth reply!

There's a lot to take in here, but it sounds like I've got some work to do - not necessarily a bad thing. It's honestly about time I took my network more seriously and set up some proper routing / firewalls.

[–] [email protected] 1 points 7 months ago (1 children)

First I’d ask if you need to open ports at all - if this is only for your family’s use then Tailscale or one of its alternatives can accomplish the same goal without opening ports in your firewall or worrying about security flaws in your hosted services.

If it’s for public use, maybe consider cloudflare tunnel?

[–] [email protected] 2 points 7 months ago

True, these do sound like the best solutions honestly. I wanted to avoid something like Tailscale, since it just becomes another point for me to support/troubleshoot on the user end, but maybe I should reconsider. It's a tradeoff, but it would also simplify a lot on my end.

[–] [email protected] 0 points 7 months ago* (last edited 7 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #737 for this sub, first seen 5th May 2024, 05:35] [FAQ] [Full list] [Contact] [Source code]