this post was submitted on 03 Oct 2024
10 points (85.7% liked)

Selfhosted

40767 readers
377 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

The problem:

I manage computers for some loved ones from whom I now live several states away. All devices are linux environments and basically serve as home theater and light duty SOHO.

They have been running for several years without incident, but do require intervention for the "hard" stuff like major release upgrades. (And perhaps I like to slip some entertainment media onto their shared drive from time to time).

And I'd like to have an avenue to do this that doesn't necessarily involve planning a road trip.

Candidate solution(s):

Deploy a micro PC to sit on their network, whose sole purpose is as a headless SSH server. I would intend to SSH into that device, and from there SSH across the LAN to the necessary computers. The rationale is that I would only have one device answering the door, so to speak, at port 22, greatly simplifying port forwards and any need for static IPs.

With dual stack IPv4 + IPv6 internet service, would it be better that I attempt this through IPv6?

The micro PC would be scripted to retrieve the current public IP address every X hours and email it to me.

Another idea is to configure the immediate SSH box behind a Tor SSH hidden service or a I2P eepsite SSH. This way it would maintain a persistent, reachable address without requiring some cobbled together script & email IP notification.

top 7 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 2 months ago (1 children)

Why not use Tailscale on each device?

No need to expose any ports, no need for a bastion, no need for any complicated method of retrieving their public IP address, can use ACLs to restrict their access to other devices on the tailnet (if they're tech-savvy enough to go looking at the tailnet in the first place).

Essentially, as long as they have internet and Tailscale is running, you'll be able to connect to their device without exposing anything over the internet.

[–] antonionardella 5 points 2 months ago

Or eventi host your own tailscale with headscale

https://headscale.net/

[–] CrazyLikeGollum 7 points 2 months ago

Any reason you can't use a locally hosted VPN? That would be my solution for something like this. Either use tailscale or use a wireguard VPN and a dynamic DNS service.

Later on I might consider adding some PiKVMs in order to be able to more safely reboot/troubleshoot/access BIOS.

[–] [email protected] 3 points 2 months ago

That is a lot of effort to go through to avoid using a VPN.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

Yep, a bastion is what you're looking for. I use an rpi + a Dynamic DNS record in a script on the pi to automatically update firewall and ssh rules if my IP updates. Of course, you may need to do some configuration depending on their network setup.

[–] [email protected] 1 points 2 months ago

TIL jump hosts are an existing concept

[–] [email protected] 1 points 2 months ago

Something like a raspberry pi or equivalent, and use reverse SSH set up to connect to a server with a known address on your end.

This means that ports don't need to be opened on their end.

Also if you go with a gateway host, shift SSH to a randomised port like 37465, and install fail2ban.