this post was submitted on 01 Dec 2023
0 points (NaN% liked)

Selfhosted

59448 readers
643 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
0
Access home server from anywhere (lemmy.zip)
submitted 2 years ago* (last edited 2 years ago) by jaykay@lemmy.zip to c/selfhosted@lemmy.world
5 comments fedilink hide all child comments
 

Hi, I know this topic has been talked about 70 thousand times but I’m still not sure.

I have home server on an intel NUC behind the ISP router. On it I have the standard arr apps, jellyfin, pi-hole etc etc. I would like to access them through a domain rather than an IP. So I set them up in docker, behind traefik, behind authelia and behind cloudflare. I am the only one that uses it.

Now, I’m worried about the security of it all. I’ve been searching here and there and I’ve read about cf tunnels, wireguard server, vps, vlan, OPNsense etc etc. I still don’t know what would be the most secure. Should I just stay with what I have?

EDIT: I'm not behind CGNAT

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13@lemmy.world 2 points 2 years ago* (last edited 2 years ago)

Yes, you can use a Cloudflare tunnel but why? Since you're into self-hosting why should you depend on some random company to tunnel your traffic when you most likely don't need it? You also have all the potential tracking, spyware, risks and "being hostage" scenarios that may come with that choice.

The following assumes your use case is a simple home server for "standard arr apps, jellyfin, pi-hole" for personal usage that sits inside your network and your objetive is to be able to access those services. If you're instead trying to host a game server / few services for friends (that doesn't really need to be "inside" your home network) there's a more complete comment with other security considerations and recommendations here.

Your basic requirements are:

  • Some kind of domain / subdomain payed or free;
  • Preferably Home ISP that has provides public IP addresses - no CGNAT BS;
  • Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as https://freedns.afraid.org/.

Quick setup guide and checklist:

  1. Create your subdomain for the dynamic DNS service https://freedns.afraid.org/ and install the daemon on the server - will update your domain with your dynamic IP when it changes;
  2. List what ports you need to access remote;
  3. Setup Wireguard VPN on the server. There's also this nice UI that can be used to do most of the setup and create client config files;
  4. For the VPN use custom ports with 5 digits - something like 23901 (up to 65535) to make your service harder to find;
  5. Configure your ISP router to assign a static local IP to the server and port forward the VPN port to the server IP;
  6. Only expose absolutely required services (the VPN port in this case) to the Internet. Any service the server provides, SSH, configuration interfaces and whatnot can accessed through the WireGuard VPN;
  7. In the server consider setting up nftables / iptables / another firewall 10 minute guide;
  8. Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
  9. Configure nftables to restrict what countries are allowed to access your server. Most likely you only need to allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching).

Since you're only allowing access to your services through the VPN and you've heavily restricted access to the VPN port you'll be safe. Just a side note, don't be afraid to expose the Wireguard port because if someone tried to connect and they don't authenticate with the right key the server will silently drop the packets.

Now if your ISP doesn't provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare and how to setup and alternative / more private solution.