this post was submitted on 01 Dec 2023
96 points (94.4% liked)

Selfhosted

40438 readers
623 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi, I know this topic has been talked about 70 thousand times but I’m still not sure.

I have home server on an intel NUC behind the ISP router. On it I have the standard arr apps, jellyfin, pi-hole etc etc. I would like to access them through a domain rather than an IP. So I set them up in docker, behind traefik, behind authelia and behind cloudflare. I am the only one that uses it.

Now, I’m worried about the security of it all. I’ve been searching here and there and I’ve read about cf tunnels, wireguard server, vps, vlan, OPNsense etc etc. I still don’t know what would be the most secure. Should I just stay with what I have?

EDIT: I'm not behind CGNAT

top 50 comments
sorted by: hot top controversial new old
[–] bless 45 points 1 year ago (2 children)

I would go with wireguard VPN or something like cloudflare tunnels or tailscale. With wireguard you'll need to open up an external port and forward to your VPN host, but wireguard uses UDP so no one can probe it for responses. CF tunnels and tailscale you don't have to open up holes in your firewall which is nice.

You also have the option of using a proxy and opening up 443 publicly on your firewall, but unless you know what you're doing I'd leave that closed until you learn more.

[–] [email protected] 14 points 1 year ago (3 children)

Nah, that sounds complicated. Just open port 22 and forward it your server.

[–] idunnololz 27 points 1 year ago* (last edited 1 year ago) (2 children)

Trueeeeeee. Then post your ip here so you can recall it later.

[–] [email protected] 12 points 1 year ago (2 children)
[–] [email protected] 7 points 1 year ago

Hey thats where i download my ram

[–] AtariDump 5 points 1 year ago

There’s no place like it!

[–] [email protected] 5 points 1 year ago

Thanks, doing that now ;) /s

load more comments (1 replies)
[–] [email protected] 3 points 1 year ago (2 children)

Mmmmmm, tunnels sound boring haha I might try figuring out wireguard. Do you have any trusted guides on it? Or should I just google :P

[–] bless 2 points 1 year ago (5 children)

Good thing about wireguard is it's really simple. Google should get it done, if you get stuck send me a DM. I started with basic wireguard, I now run firezone in docker as I like the frontend.

load more comments (5 replies)
load more comments (1 replies)
[–] TCB13 37 points 1 year ago* (last edited 1 year ago) (1 children)

Yes, you can use a Cloudflare tunnel but why? Since you're into self-hosting why should you depend on some random company to tunnel your traffic when you most likely don't need it? You also have all the potential tracking, spyware, risks and "being hostage" scenarios that may come with that choice.

The following assumes your use case is a simple home server for "standard arr apps, jellyfin, pi-hole" for personal usage that sits inside your network and your objetive is to be able to access those services. If you're instead trying to host a game server / few services for friends (that doesn't really need to be "inside" your home network) there's a more complete comment with other security considerations and recommendations here.

Your basic requirements are:

  • Some kind of domain / subdomain payed or free;
  • Preferably Home ISP that has provides public IP addresses - no CGNAT BS;
  • Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as https://freedns.afraid.org/.

Quick setup guide and checklist:

  1. Create your subdomain for the dynamic DNS service https://freedns.afraid.org/ and install the daemon on the server - will update your domain with your dynamic IP when it changes;
  2. List what ports you need to access remote;
  3. Setup Wireguard VPN on the server. There's also this nice UI that can be used to do most of the setup and create client config files;
  4. For the VPN use custom ports with 5 digits - something like 23901 (up to 65535) to make your service harder to find;
  5. Configure your ISP router to assign a static local IP to the server and port forward the VPN port to the server IP;
  6. Only expose absolutely required services (the VPN port in this case) to the Internet. Any service the server provides, SSH, configuration interfaces and whatnot can accessed through the WireGuard VPN;
  7. In the server consider setting up nftables / iptables / another firewall 10 minute guide;
  8. Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
  9. Configure nftables to restrict what countries are allowed to access your server. Most likely you only need to allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching).

Since you're only allowing access to your services through the VPN and you've heavily restricted access to the VPN port you'll be safe. Just a side note, don't be afraid to expose the Wireguard port because if someone tried to connect and they don't authenticate with the right key the server will silently drop the packets.

Now if your ISP doesn't provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare and how to setup and alternative / more private solution.

[–] [email protected] 3 points 1 year ago (6 children)

Thanks for this awesome write-up.

Yeah, that's what I'm kind of thinking about Cloudflare, so I'm trying to set up WireGuard right now. I don't know if I'm shooting myself in the foot by trying to do in docker for now or not, but I'd rather do that before I do it on bare metal. It seems to work already, as I can see that my IP changes on my phone when I access it. Hell, I can even access my routers' dashboard. However, I still can't access the services on the server (by IP, like 192.x.x.x:8989), so I'm trying to figure that out.

May I ask, why do I need a domain if I'm going through WireGuard, which goes through the IP and port, anyway?

[–] theit8514 3 points 1 year ago (1 children)

If your home ip changes a lot a dynamic dns provider will keep up with it so you don't constantly have to change your phone's wireguard configuration

load more comments (1 replies)
load more comments (5 replies)
[–] psion1369 20 points 1 year ago (5 children)

Check out Tailscale. They have 20 machine limit on the free plan. It runs on wireguard and is pretty secure.

[–] Rootiest 16 points 1 year ago* (last edited 1 year ago)

Tailscale Free has a 100 device limit.

Virtually its only limitation against the paid plans is the user limit. (3 users)

And network logging because it's heavy on their servers.

Also the user limit only applies to your account. You can share devices/etc with other accounts, as many others as you like.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (2 children)

And there's an OSS control plane replacement called Headscale although I don't know what's involved in using it. Researching and implementing it is my backup plan for when Tailscale turns to shit.

E: Just briefly parsed their docs, deployment and usage seem pretty trivial. There's no need to use forks of the clients either. You can give your Headscale url to the Tailscale clients on login and you're good to go.

[–] Rootiest 4 points 1 year ago* (last edited 1 year ago)

I am big into self-hosting and would be happy to run my own Headscale server (I have actually) but imo it's not worth the effort.

It can be done but it requires a lot of effort and consideration to ensure the relays and routing work for when your clients are in challenging NAT scenarios. And the user experience is not as good.

Instead what I do is continue to use Tailscale but I use the Tailnet Lock feature to give signing authority to my own specified devices so any new devices must be signed off by one of those other devices.

This effectively eliminates the last point of trust where you had to trust tailscale's servers to manage authorization. The result is you don't have to worry about trusting tailscale at all, the entire system is zero trust.

The catch is if you lose those devices and the recovery keys you lose the ability to trust or add to your tailnet and your only real option is to delete all the devices and start fresh.

They also have the option to send a recovery key to their servers when you enable Tailnet Lock so support can rescue you in that scenario, but I think if you are using this feature on the first place it's because you don't want to do that so I imagine most choose not to lol

I linked to their blog post above because I think it explains the feature well. If you just want the docs they are here

[–] [email protected] 3 points 1 year ago (2 children)

Setting up headscale isn't too hard. But last time I tried, connecting the clients to it didn't work properly (on mobile). Since they are using the regular tailscale clients, they don't have much control over that.

load more comments (2 replies)
[–] EarthBoundMisfit 8 points 1 year ago

Tailscale is awesome, and super easy to set up. I think the free tier allows up to 100 devices now!

[–] [email protected] 6 points 1 year ago

Wireguard itself works software far, thanks anyway :)

[–] [email protected] 3 points 1 year ago

Tailscale is amazing, I work with a small company and we were battling with our IT contractor to have a VPN running for remote work.

After a while of things not working as it should I just set up tailscaled because I was using it with my home server and it just works.

We are now on a paid plan and everyone else is using it when working remotely.

[–] devfuuu 15 points 1 year ago (2 children)

Maybe something like tailscale.

[–] [email protected] 4 points 1 year ago

It’s just so easy.

Headscale if you want to self host.

[–] [email protected] 4 points 1 year ago (2 children)

I might, but I'm gonna explore the open source solutions first :)

[–] [email protected] 10 points 1 year ago

I've been using Tailscale, it's lovely. But I didn't like that I had to use Google/Apple/Github to log in.

Last night I set up a Headscale server which works with the tailscale client. It's lovely as well.

load more comments (1 replies)
[–] EncryptKeeper 10 points 1 year ago* (last edited 1 year ago) (2 children)

I use Tailscale with their DDNS feature that generates you a domain that resolves each of your Tailnet devices when connected. You can even run a command that generates an SSL cert for your given node and you can use that to further secure it with TLS in case you don’t want to deal with untrusted cert warnings.

This is especially useful for iPhones because they won’t keep your Tailscale VPN always on, but you can configure it so that requests to specific domains will activate and use your Tailscale VPN, which you just set to that generated one.

load more comments (2 replies)
[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
NAS Network-Attached Storage
NAT Network Address Translation
NUC Next Unit of Computing brand of Intel small computers
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

[Thread #319 for this sub, first seen 1st Dec 2023, 09:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 7 points 1 year ago (1 children)

Make your services password protected and have some software like fail2ban that blocks people from brute-forcing passwords.

Keep your software up to date.

[–] [email protected] 2 points 1 year ago (1 children)

They are password protected. Plus, behind 2FA authelia. Plus Crowdsec (which originally made me make this post, cos I can see http probing etc on it)

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (2 children)

Alright. I wouldn't worry too much, then. If you set it up correctly and you keep it up to date so there aren't any security vulnerabilities, you should be okay.

Of course there are arbitrary, more strict approaches. You could do monitoring. Or restrict the IP addresses the server answers to. Or put everything behind a VPN and not have it exposed in the first place. But I also have my NAS and a few internet services like Nextcloud and it's been fine, similar to this, for years.

[–] [email protected] 2 points 1 year ago

Thanks, I'm a bit calmer now :)

load more comments (1 replies)
[–] [email protected] 6 points 1 year ago (1 children)

It largely depends on what you mean by 'anywhere', in particular if you only want to access it from your own devices or also other people's you can only access for a minute or two and where you can't install anything.

Of course there is also the question which services you want to access, e.g. just Websites and -Applications over HTTPS or do you also want e.g. the pi-hole's DNS service to be available.

load more comments (1 replies)
[–] JoeKrogan 4 points 1 year ago* (last edited 1 year ago) (1 children)

Duckdns will give you a free domain name. Run wireguard on the machine to connect remotely. Only allow WG port for remote access. Optional limit app access in your webserver to your VPN and lan ips. You can also run something like adguard home to get ad blocking. In that case set your wg server ip as the dns server ip eg 10.0.0.1 and add your ddg domain name in adguard so it will resolve without having to do an external lookup when on the lan or vpn.

load more comments (1 replies)
[–] [email protected] 3 points 1 year ago (3 children)

Why so complicated? Why not just SSH? Put it on some random port, make it public key login only, and you're done.

load more comments (3 replies)
[–] [email protected] 3 points 1 year ago (3 children)

If you are behind CGNAT, this might help you understand things a little better.

load more comments (3 replies)
[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

As said in the thread, you need some kind of tunnel that stays up and doesn't need to be fixed if the internet goes down.

Wireguard, or if wanting super easy setup, Tailscale version of Wireguard is great for this. Now you have a private IP address in your VPN network to your home server, that stays up and answers to HTTP. Next thing you need is a cheap VPS somewhere with a public IP address. When that is running, and is in the Wireguard network so you can access your home server from the VPS, you need a Nginx proxy in the public server. Either do it by hand, or use a service such as the Nginx Proxy Manager to handle the proxy setup.

How it basically works is you register a domain name (A, CNAME) to the public VPS service, then with Nginx you setup that anything coming in to the domain X should be proxied to the VPN IP address Y and port Z. Now you can add HTTPS to this domain and get a Let's Encrypt certificate for it. You can, again, do this manually with Nginx, or let Nginx Proxy Manager handle it for you.

Finally. Stay safe. If you really open services to public internet from your home, be very sure to have all the latest updates and use strong passwords in all of them. Additionally, you can use the home services directly from the Wireguard/Tailscale network by accessing them using the private IP addresses. Your computer should just be in the same network with them.

[–] [email protected] 3 points 1 year ago

If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).

I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.

[–] themeatbridge 3 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (2 children)
load more comments (2 replies)
[–] Symphonic 2 points 1 year ago

You can also try looking into no-ip.

[–] [email protected] 2 points 1 year ago (2 children)

I'd say to start with CF tunnels unless you need non-web based applications. Cloudflare tunnels require you to have a domain, though.

It has the added benefit that you have network monitoring, logging and some filtering for security that they do on top and you get to manage everything from their web interface.

be warned that the first time can be a bit confusing, but since it's done using their web interface it's easier than if you have a problem making wireguard work.

  1. Create a tunnel with a public hostname that will be the url to access that service. During the creation of the hostname specify you want it protected by L7 application firewall.
  2. Create a new self-hosted application in cloudflare application section and for starters use the default login email and in rules specify the list of emails that are allowed to login

you should now be able to access your application from anywhere.

Alternatively, if you have a DNS server in your home network you can add a private IP range to your tunnel. Let's say 192.168.0.0/24. Then when you connect with their pseudo-VPN (cloudflare warp or cloudflare ONE) you can directly use your home network's ip address from that device. If you tell your device to use a local DNS server that resolves your internal services, you'll be able to connect to them that way.

load more comments (2 replies)
load more comments
view more: next ›