this post was submitted on 13 Aug 2023
57 points (96.7% liked)

Selfhosted

39964 readers
413 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
57
How do you facilitate remote access? (sh.itjust.works)
submitted 1 year ago by httpjames@sh.itjust.works to c/selfhosted@lemmy.world
31 comments fedilink hide all child comments
 

Right now I’ve been using Tailscale because it automatically adapts to my network conditions. If I’m at home, it’ll prioritize local network connection, but when I’m out and about, it’ll automatically beam a direct connection or use a relay.

One gripe I have about it is I can’t run it alongside my normal VPNs on my mobile devices. I have to choose between one or the other.

I have tried Cloudflare Tunnel before, but using it for streaming, like Jellyfin, is forbidden. There’s also the added latency and slowness to having to hop through multiple DCs to reach Cloudflare and back.

all 32 comments
sorted by: hot top controversial new old
[–] Decronym@lemmy.decronym.xyz 23 points 1 year ago* (last edited 1 year ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

7 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread #33 for this sub, first seen 13th Aug 2023, 06:05] [FAQ] [Full list] [Contact] [Source code]

[–] Anarki_@lemmy.blahaj.zone 1 points 1 year ago

Good bot.

[–] Puzzle_Sluts_4Ever@lemmy.world 22 points 1 year ago* (last edited 1 year ago) (3 children)
  1. Dynamic DNS hooked in to one of my spare domains
  2. Wireguard running on my firewall
  3. An alert set up to inform me any time ANY client connects to said VPN
  4. Smart plug between my firewall and the UPS

Connect on my device or my travel router to get onto my home network and then access additional services as though I were local. And on the off chance I get an alert that something is connected and it is not me? I kill my network and deal with it when I get home. Not perfect (since I could be asleep) but gives me peace of mind on the off chance my VPN somehow becomes compromised.

[–] RoyalEngineering@lemmy.world 9 points 1 year ago (1 children)

Have you ever had to cut your network?

[–] Puzzle_Sluts_4Ever@lemmy.world 4 points 1 year ago

Nope. And I doubt I ever will.

But it is pennies a month in terms of power loss having a smart plug and gives me peace of mind for a big ass potential vulnerability.

[–] tarjeezy@lemmy.ca 4 points 1 year ago (2 children)

What are you using to monitor wireguard?

[–] Puzzle_Sluts_4Ever@lemmy.world 3 points 1 year ago

I have a bit of a mess that detects active processes and traffic and sends a signal to homeassistant which then informs me the same way it does when my garage door opens or whatever.

But mostly, the key is to put it into a system that will actually alert you. Like with any alert

[–] httpjames@sh.itjust.works 1 points 1 year ago (1 children)

How does your dynamic DNS work? When does it resolve to your local network addresses and your public domains?

[–] BitPirate@feddit.de 1 points 1 year ago* (last edited 1 year ago)

Not OP but DynDNS entries will always point to your current external IP and are renewed every hour.

Internally I run an AdGuard Home instance for adblocking. All my domains are rewritten by it to use the local IP while I'm in the same network.

https://en.wikipedia.org/wiki/Split-horizon_DNS

[–] Rootiest@lemmy.world 6 points 1 year ago* (last edited 1 year ago) (1 children)

I've tried quite a few services and eventually I mostly settled on running my own WireGuard VPN.

But honestly these days I just use tailscale.

The convenience is really unmatched, and my only qualm was that you had to let them hold the keys in exchange for the convenience of a cloud service to manage everything.

But now with Tailnet Lock you can designate devices as signing nodes which effectively means those devices now hold your keys and tailscale really has no disadvantage over setting up your own WireGuard server manually.

While also being loads easier and more feature-rich.

If anything the user-friendliness probably ultimately makes it more secure than for inexperienced users to try to set up something similar manually.

Their free plan is also quite comfortable with 3 users and 100 devices and virtually all of the features available in the premium/enterprise plans.

Honestly I was very wary of them at first but I've really grown to appreciate tailscale to the point I probably sound like a shill

[–] lemming007@lemm.ee 5 points 1 year ago* (last edited 1 year ago) (1 children)

I stay away from anything not selfhosted. Any third party, no matter how good and friendly it seems now, will eventually screw you once they get big.

Besides, even if it doesn't, I don't want them to have access to my data.

[–] brakenium@lemm.ee 1 points 1 year ago* (last edited 1 year ago) (1 children)

You can use headscale with tailscale if you want to self host it. Headscale is a community made server implementation for tailscale

[–] Atemu@lemmy.ml 1 points 1 year ago (1 children)

Headscale is a community made server implementation for tailscale

Well, it was until they hired the guy who made it. He's still doing it but, technically, it's being made by Tailscale themselves now ;)

[–] Rootiest@lemmy.world 1 points 1 year ago (1 children)

It still says

This project is not associated with Tailscale Inc.

on their GitHub

[–] Atemu@lemmy.ml 1 points 1 year ago

It's not an official Tailscale product.

[–] Vake@lemmy.world 5 points 1 year ago (2 children)

I just have all my services exposed through reverse proxy with whatever authentication they have on their webpage. I see most people using VPN which I know is the more secure option but I like the zero setup of just typing in the name of the service I want to go to and just having it work. Is there a better way to secure this?

[–] dinosaurdynasty@lemmy.world 7 points 1 year ago

Do authentication in the reverse proxy if you can (e.g., basic auth or forward auth like Authelia, the second also has the benefit of SSO).

[–] Reborn2966@feddit.it 6 points 1 year ago

add fail2ban, so they cannot brute force the web interface.

[–] rambos@lemm.ee 5 points 1 year ago (1 children)

I use duckdns and wireguard and love it. Sometimes I have to reconnect to VPN (double tap notification button), but its enabled all the time otherwise. I cant run it alongside payed VPN, but maybe selfhosted wireguard can be run behind payed VPN service.

Only downside for me is lack of ssl certs. Im using letsencrypt and have to accept the risk quite often hehe. Tried to install cert on android, but wasnt successful. Thinking to buy domain or whatever is needed to remove that annoying warning. Still noob, so dont know whats best for me, but wireguard is serving me fine

[–] ErwinLottemann@feddit.de 4 points 1 year ago (1 children)

You can use DNS-01 with duckdns to get certificates! Here are the docs on how to set that up with traefik.

About the wireguard but no other VPN - that's a phone problem, as it (at least android) only allows one VPN type connection at once. But one could set it up in a way that uses wireguard on the phone to connect to your home network and than use a proxy running there that does the other VPN connection. Also routing all mobile traffic using wireguard on a foreign WiFi network (or something) through your home network is basically the same as using a commercial VPN, if the goal is that the 'owner' of the foreign WiFi does not see your traffic.

[–] rambos@lemm.ee 2 points 1 year ago

Thanks a lot mate, It sounds promising. Well I got certs with duckdns in npm somehow, but they are making problems on android. Im kinda lost so maybe I did something wrong. Ill deffo check DNS-01 and that link and do another attempt.

Im not op, but using both VPNs on phone at the same time is usefull just to avoid switching between them when you want privacy or you want to access home services (I guess). I could benefit from that as well, but have higher priorities right now

[–] randombullet@feddit.de 2 points 1 year ago

I don't have a lot of time running my own homelab so I currently use Tailscale

[–] ThorrJo@lemmy.sdf.org 2 points 1 year ago

Currently I have a bastion host running a hardened distro, which establishes a reverse proxy tunnel to its ssh port via my $4/mo VPS using rathole, an excellent reverse proxy utility I switched to from frp.

I also maintain a Tor hidden service pointed at the bastion host's ssh port and another on a different internal host. These are so that I can still get in if the bastion host, my VPS, or certain aspects of networking are down for some reason.

Eventually I will implement port knocking / single packet authorization by deploying fwknop on some or all of these services to further enhance security.

[–] Drusenija@lemmy.world 2 points 1 year ago

I use ocserv to provide a Cisco AnyConnect compatible VPN server. There's an SSL proxy running on port 443 of my gateway so the VPN is only accessible using the right domain name, and the server is running in a Docker container.

Main reason I go for ocserv over OpenVPN or Wireguard is when I used to travel to China for work I found it was able to get past the Chinese firewalls. No idea if it still holds true but a few years ago it was fine.

[–] nomadjoanne@lemmy.world 2 points 1 year ago

Https and a server. If hosting at home just leave a high numbered port open. If on a vps then you should be able to use any port you want.

[–] CCatMan@lemmy.one 1 points 1 year ago (1 children)

Cloudflare tunnel works for my jellyfin server.

[–] httpjames@sh.itjust.works 1 points 1 year ago (1 children)

My upload speed isn’t that fast (50 mbps) so tunnel doesn’t work so well for large bandwidth applications.

[–] CCatMan@lemmy.one 1 points 1 year ago

Very true

[–] Appoxo@lemmy.dbzer0.com 1 points 1 year ago

Did run a VPN on my firewall which broke for whatever reason.

For access to my *arrs I run a reverse proxy and authelia for access regulation.

[–] redcalcium@lemmy.institute 1 points 1 year ago* (last edited 1 year ago)

I picked a random port number on my router and forward it to my main machine's ssh port. If I need to access another port without using zerotier or tailscale, now I have an option to use ssh port forwarding.

I also have a bastion server on a vps provider because my ISP would often randomly assign me behind CGNAT until I restart the router, that way I can still access the ssh port even when the router doesn't have a public IP address.