Hi, I know this topic has been talked about 70 thousand times but I’m still not sure.
I have home server on an intel NUC behind the ISP router. On it I have the standard arr apps, jellyfin, pi-hole etc etc. I would like to access them through a domain rather than an IP. So I set them up in docker, behind traefik, behind authelia and behind cloudflare. I am the only one that uses it.
Now, I’m worried about the security of it all. I’ve been searching here and there and I’ve read about cf tunnels, wireguard server, vps, vlan, OPNsense etc etc. I still don’t know what would be the most secure. Should I just stay with what I have?
If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).
I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.
As said in the thread, you need some kind of tunnel that stays up and doesn’t need to be fixed if the internet goes down.
Wireguard, or if wanting super easy setup, Tailscale version of Wireguard is great for this. Now you have a private IP address in your VPN network to your home server, that stays up and answers to HTTP. Next thing you need is a cheap VPS somewhere with a public IP address. When that is running, and is in the Wireguard network so you can access your home server from the VPS, you need a Nginx proxy in the public server. Either do it by hand, or use a service such as the Nginx Proxy Manager to handle the proxy setup.
How it basically works is you register a domain name (A, CNAME) to the public VPS service, then with Nginx you setup that anything coming in to the domain X should be proxied to the VPN IP address Y and port Z. Now you can add HTTPS to this domain and get a Let’s Encrypt certificate for it. You can, again, do this manually with Nginx, or let Nginx Proxy Manager handle it for you.
Finally. Stay safe. If you really open services to public internet from your home, be very sure to have all the latest updates and use strong passwords in all of them. Additionally, you can use the home services directly from the Wireguard/Tailscale network by accessing them using the private IP addresses. Your computer should just be in the same network with them.
My advice: only forward ports 8080 and 443, then make sure that you have fail2ban or crossed properly set up on your reverse proxy. After that, you are pretty much fine as long as you keep on top of updating your containers.
I would be careful about which apps you proxy. Idk why you need to access the admin portal for pi hole worldwide. If you really want to do that, you should set up a vpn.
First off, don’t expose anything that doesn’t need exposed. If your the only one using it you could use a VPN or ssh.
Second off, make sure you isolate everything with firewalls. Your reverse proxy should only have access to each service and each service should only have access to the reverse proxy. You should also block non essential ports.
For the services themselves, make sure you use strong passwords and keep them updated. For docker you can use watchtower to automatically pull and deploy software.
Since you aren’t behind CGNAT you can go full self-hosted! Don’t bother with Tailscale or Cloudflare Tunnel or other VPN services that connect through third parties if you can help it.
I use Tailscale with their DDNS feature that generates you a domain that resolves each of your Tailnet devices when connected. You can even run a command that generates an SSL cert for your given node and you can use that to further secure it with TLS in case you don’t want to deal with untrusted cert warnings.
This is especially useful for iPhones because they won’t keep your Tailscale VPN always on, but you can configure it so that requests to specific domains will activate and use your Tailscale VPN, which you just set to that generated one.
Because even when you have static IPs it’s still nice to just use a host name, and to properly secure things with a certificate. It’s not really DDNS as much as it is plain old DNS, but it works without configuration on your part. Once you enable it, whatever the tailnet name of your device is, becomes ‘device name.yourdomain.ts.net’.
I’d say to start with CF tunnels unless you need non-web based applications. Cloudflare tunnels require you to have a domain, though.
It has the added benefit that you have network monitoring, logging and some filtering for security that they do on top and you get to manage everything from their web interface.
be warned that the first time can be a bit confusing, but since it’s done using their web interface it’s easier than if you have a problem making wireguard work.
Create a tunnel with a public hostname that will be the url to access that service. During the creation of the hostname specify you want it protected by L7 application firewall.
Create a new self-hosted application in cloudflare application section and for starters use the default login email and in rules specify the list of emails that are allowed to login
you should now be able to access your application from anywhere.
Alternatively, if you have a DNS server in your home network you can add a private IP range to your tunnel. Let’s say 192.168.0.0/24. Then when you connect with their pseudo-VPN (cloudflare warp or cloudflare ONE) you can directly use your home network’s ip address from that device. If you tell your device to use a local DNS server that resolves your internal services, you’ll be able to connect to them that way.
Yes, you can use a Cloudflare tunnel but why? Since you’re into self-hosting why should you depend on some random company to tunnel your traffic when you most likely don’t need it? You also have all the potential tracking, spyware, risks and “being hostage” scenarios that may come with that choice.
The following assumes your use case is a simple home server for “standard arr apps, jellyfin, pi-hole” for personal usage that sits inside your network and your objetive is to be able to access those services. If you’re instead trying to host a game server / few services for friends (that doesn’t really need to be “inside” your home network) there’s a more complete comment with other security considerations and recommendations here.
Your basic requirements are:
Some kind of domain / subdomain payed or free;
Preferably Home ISP that has provides public IP addresses - no CGNAT BS;
Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as https://freedns.afraid.org/.
Quick setup guide and checklist:
Create your subdomain for the dynamic DNS service https://freedns.afraid.org/ and install the daemon on the server - will update your domain with your dynamic IP when it changes;
For the VPN use custom ports with 5 digits - something like 23901 (up to 65535) to make your service harder to find;
Configure your ISP router to assign a static local IP to the server and port forward the VPN port to the server IP;
Only expose absolutely required services (the VPN port in this case) to the Internet. Any service the server provides, SSH, configuration interfaces and whatnot can accessed through the WireGuard VPN;
In the server consider setting up nftables / iptables / another firewall 10 minute guide;
Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
Since you’re only allowing access to your services through the VPN and you’ve heavily restricted access to the VPN port you’ll be safe. Just a side note, don’t be afraid to expose the Wireguard port because if someone tried to connect and they don’t authenticate with the right key the server will silently drop the packets.
Now if your ISP doesn’t provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare and how to setup and alternative / more private solution.
Yeah, that’s what I’m kind of thinking about Cloudflare, so I’m trying to set up WireGuard right now. I don’t know if I’m shooting myself in the foot by trying to do in docker for now or not, but I’d rather do that before I do it on bare metal. It seems to work already, as I can see that my IP changes on my phone when I access it. Hell, I can even access my routers’ dashboard. However, I still can’t access the services on the server (by IP, like 192.x.x.x:8989), so I’m trying to figure that out.
May I ask, why do I need a domain if I’m going through WireGuard, which goes through the IP and port, anyway?
Before you invest a lot of time into this just wanted to say that it’s a 2m job with Tailscale. You install it on the server and on your phone (or laptop whatever), you start it, and you can access anything on the server at a short name you can customize fully, or at a long name you can pick from randomly generated choices generated by Tailscale. (The long name is usually only relevant if you’re going to expose your server to the internet or in unusual DNS setups, if you just want to access the server from your phone the short name will do.)
OP’s list is great for learning and for full control but if you just want to solve your problem fast, you can.
I’m either lucky or it’s stupid easy to install wireguard. I put basic config in docker compose, downloaded the app, port forwarded and I’m good. Even pihole works. It’d haven taken me 5 mins if it wasn’t for the firewall
One of the other benefits of Tailscale is device management. Wireguard is an awesome tool (Tailscale uses it under the hood), but adding new devices is more work with Wireguard, as you have to generate keys and share the public keys (and do some IP management). With Tailscale it’s pretty much install the app and allow the device with a click.
Dont listen to people about tailscale. This is self hosting! Do it yourself it’s part of the fun. I don’t know why people are shilling corporate entities so hard here.
Duckdns will give you a free domain name. Run wireguard on the machine to connect remotely. Only allow WG port for remote access. Optional limit app access in your webserver to your VPN and lan ips. You can also run something like adguard home to get ad blocking. In that case set your wg server ip as the dns server ip eg 10.0.0.1 and add your ddg domain name in adguard so it will resolve without having to do an external lookup when on the lan or vpn.
I’ve had really poor results with duckdns recently - it seems propagation flakes out every 2-3 months. Wrote to them about it but never had a response.
I have an Intel NUC with i3-4010U, 8GB of RAM and 250GB of storage. Got it for 50GBP off of eBay. Unfortunately, I have to delete shows/movies to watch another, as there isn’t much space, but it manages :)
(I should be paid for how many times I have mentioned this lmao) I used this smarthomebeginner.com. If you follow this guide, you should be good to go :)
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).
I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.
As said in the thread, you need some kind of tunnel that stays up and doesn’t need to be fixed if the internet goes down.
Wireguard, or if wanting super easy setup, Tailscale version of Wireguard is great for this. Now you have a private IP address in your VPN network to your home server, that stays up and answers to HTTP. Next thing you need is a cheap VPS somewhere with a public IP address. When that is running, and is in the Wireguard network so you can access your home server from the VPS, you need a Nginx proxy in the public server. Either do it by hand, or use a service such as the Nginx Proxy Manager to handle the proxy setup.
How it basically works is you register a domain name (A, CNAME) to the public VPS service, then with Nginx you setup that anything coming in to the domain X should be proxied to the VPN IP address Y and port Z. Now you can add HTTPS to this domain and get a Let’s Encrypt certificate for it. You can, again, do this manually with Nginx, or let Nginx Proxy Manager handle it for you.
Finally. Stay safe. If you really open services to public internet from your home, be very sure to have all the latest updates and use strong passwords in all of them. Additionally, you can use the home services directly from the Wireguard/Tailscale network by accessing them using the private IP addresses. Your computer should just be in the same network with them.
My advice: only forward ports 8080 and 443, then make sure that you have fail2ban or crossed properly set up on your reverse proxy. After that, you are pretty much fine as long as you keep on top of updating your containers.
I would be careful about which apps you proxy. Idk why you need to access the admin portal for pi hole worldwide. If you really want to do that, you should set up a vpn.
Cloudflare is just so nice. Handles ssl for all your sites automatically.
First off, don’t expose anything that doesn’t need exposed. If your the only one using it you could use a VPN or ssh.
Second off, make sure you isolate everything with firewalls. Your reverse proxy should only have access to each service and each service should only have access to the reverse proxy. You should also block non essential ports.
For the services themselves, make sure you use strong passwords and keep them updated. For docker you can use watchtower to automatically pull and deploy software.
If you are behind CGNAT, this might help you understand things a little better.
Yeah, I looked it up and checked and I’m not behind CGNAT
Since you aren’t behind CGNAT you can go full self-hosted! Don’t bother with Tailscale or Cloudflare Tunnel or other VPN services that connect through third parties if you can help it.
Here’s something to get you started with setting up a wireguard server on your NUC. https://github.com/Nyr/wireguard-install
Thanks :)
I use Tailscale with their DDNS feature that generates you a domain that resolves each of your Tailnet devices when connected. You can even run a command that generates an SSL cert for your given node and you can use that to further secure it with TLS in case you don’t want to deal with untrusted cert warnings.
This is especially useful for iPhones because they won’t keep your Tailscale VPN always on, but you can configure it so that requests to specific domains will activate and use your Tailscale VPN, which you just set to that generated one.
I was about to ask why you’d need DDNS for Tailscale, had no idea about iOS issues. Thanks!
Because even when you have static IPs it’s still nice to just use a host name, and to properly secure things with a certificate. It’s not really DDNS as much as it is plain old DNS, but it works without configuration on your part. Once you enable it, whatever the tailnet name of your device is, becomes ‘device name.yourdomain.ts.net’.
Maybe something like tailscale.
I might, but I’m gonna explore the open source solutions first :)
I’ve been using Tailscale, it’s lovely. But I didn’t like that I had to use Google/Apple/Github to log in.
Last night I set up a Headscale server which works with the tailscale client. It’s lovely as well.
Some Tailscale clients are open-source and you can self-host a Headscale server
It’s just so easy.
Headscale if you want to self host.
You can also try looking into no-ip.
I’d say to start with CF tunnels unless you need non-web based applications. Cloudflare tunnels require you to have a domain, though.
It has the added benefit that you have network monitoring, logging and some filtering for security that they do on top and you get to manage everything from their web interface.
be warned that the first time can be a bit confusing, but since it’s done using their web interface it’s easier than if you have a problem making wireguard work.
you should now be able to access your application from anywhere.
Alternatively, if you have a DNS server in your home network you can add a private IP range to your tunnel. Let’s say 192.168.0.0/24. Then when you connect with their pseudo-VPN (cloudflare warp or cloudflare ONE) you can directly use your home network’s ip address from that device. If you tell your device to use a local DNS server that resolves your internal services, you’ll be able to connect to them that way.
This is he best Cloudflare guide I’ve seen so far. Thank you!
Thanks fro this little guide, might come in handy :)
Twingate has been my go to. It’s amazing. Highly recommended.
Looks very similar to tailscale, thanks :)
Yes, you can use a Cloudflare tunnel but why? Since you’re into self-hosting why should you depend on some random company to tunnel your traffic when you most likely don’t need it? You also have all the potential tracking, spyware, risks and “being hostage” scenarios that may come with that choice.
The following assumes your use case is a simple home server for “standard arr apps, jellyfin, pi-hole” for personal usage that sits inside your network and your objetive is to be able to access those services. If you’re instead trying to host a game server / few services for friends (that doesn’t really need to be “inside” your home network) there’s a more complete comment with other security considerations and recommendations here.
Your basic requirements are:
Quick setup guide and checklist:
Since you’re only allowing access to your services through the VPN and you’ve heavily restricted access to the VPN port you’ll be safe. Just a side note, don’t be afraid to expose the Wireguard port because if someone tried to connect and they don’t authenticate with the right key the server will silently drop the packets.
Now if your ISP doesn’t provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare and how to setup and alternative / more private solution.
Thanks for this awesome write-up.
Yeah, that’s what I’m kind of thinking about Cloudflare, so I’m trying to set up WireGuard right now. I don’t know if I’m shooting myself in the foot by trying to do in docker for now or not, but I’d rather do that before I do it on bare metal. It seems to work already, as I can see that my IP changes on my phone when I access it. Hell, I can even access my routers’ dashboard. However, I still can’t access the services on the server (by IP, like 192.x.x.x:8989), so I’m trying to figure that out.
May I ask, why do I need a domain if I’m going through WireGuard, which goes through the IP and port, anyway?
Before you invest a lot of time into this just wanted to say that it’s a 2m job with Tailscale. You install it on the server and on your phone (or laptop whatever), you start it, and you can access anything on the server at a short name you can customize fully, or at a long name you can pick from randomly generated choices generated by Tailscale. (The long name is usually only relevant if you’re going to expose your server to the internet or in unusual DNS setups, if you just want to access the server from your phone the short name will do.)
OP’s list is great for learning and for full control but if you just want to solve your problem fast, you can.
I’m either lucky or it’s stupid easy to install wireguard. I put basic config in docker compose, downloaded the app, port forwarded and I’m good. Even pihole works. It’d haven taken me 5 mins if it wasn’t for the firewall
One of the other benefits of Tailscale is device management. Wireguard is an awesome tool (Tailscale uses it under the hood), but adding new devices is more work with Wireguard, as you have to generate keys and share the public keys (and do some IP management). With Tailscale it’s pretty much install the app and allow the device with a click.
Dont listen to people about tailscale. This is self hosting! Do it yourself it’s part of the fun. I don’t know why people are shilling corporate entities so hard here.
Exactly what I did haha
If your home ip changes a lot a dynamic dns provider will keep up with it so you don’t constantly have to change your phone’s wireguard configuration
Ohhhhh, that makes sense. I might consider it in the future. I don’t think it changed once so far. If it does, I’ll come back to that, thanks :)
Duckdns will give you a free domain name. Run wireguard on the machine to connect remotely. Only allow WG port for remote access. Optional limit app access in your webserver to your VPN and lan ips. You can also run something like adguard home to get ad blocking. In that case set your wg server ip as the dns server ip eg 10.0.0.1 and add your ddg domain name in adguard so it will resolve without having to do an external lookup when on the lan or vpn.
I’ve had really poor results with duckdns recently - it seems propagation flakes out every 2-3 months. Wrote to them about it but never had a response.
Is ngrok still a thing?
Seems like it is
Yep, and it used to be free for personal use, although I don’t know if that’s the case anymore. Either way, I will highly recommend it.
There are free alternatives like FRP and Rathole.
I want to have the same setup as you! Do you have any guides on how you did it?
I have an Intel NUC with i3-4010U, 8GB of RAM and 250GB of storage. Got it for 50GBP off of eBay. Unfortunately, I have to delete shows/movies to watch another, as there isn’t much space, but it manages :)
(I should be paid for how many times I have mentioned this lmao) I used this smarthomebeginner.com. If you follow this guide, you should be good to go :)
Thank you!