this post was submitted on 26 Feb 2024
72 points (98.6% liked)

Selfhosted

39964 readers
363 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] Bdaman@sh.itjust.works 28 points 8 months ago (2 children)

The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.

[–] AtariDump@lemmy.world 5 points 8 months ago (1 children)
[–] sunbeam60@lemmy.one 5 points 8 months ago (1 children)

Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publicly but behind 2FA.

[–] AtariDump@lemmy.world 5 points 8 months ago* (last edited 8 months ago) (1 children)

Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.

Homelab, ehhh. Much smaller user base and within smackable reach.

[–] sunbeam60@lemmy.one 2 points 8 months ago

Oh right. The last three businesses I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.

[–] SecretSauces@lemmy.world 2 points 8 months ago (3 children)

Can I ask your setup? I'd like to get this for myself as well.

[–] flawedFraction@lemmy.world 3 points 8 months ago

Try pivpn. It is meant to run on a raspberry pi, but it should work on most Ubuntu and Debian based distributions.

[–] jaykay@lemmy.zip 2 points 8 months ago (2 children)

Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it

[–] TDCN@feddit.dk 25 points 8 months ago (2 children)

Everything is behind a wireguard vpn for me. It's mostly because I don't understand how to set up Https and at this point I'm afraid to ask so everything is just http.

[–] Fisch@lemmy.ml 10 points 8 months ago (1 children)

I've been using YunoHost, which does this for you, but I'm thinking of switching to a regular Linux install, which is why I've been searching for stuff to replace YunoHost's features. That's how I came across Nginx Proxy Manager, which lets you easily configure that stuff with a web UI. From what I understand it also does certificates for you for https. Haven't had the chance to try it out myself tho because I only found it earlier today.

[–] ahal@lemmy.ca 6 points 8 months ago

NPM is the way. SSL without ever needing to edit a config file.

[–] johannes@lemmy.jhjacobs.nl 6 points 8 months ago (2 children)

It's not hard really, and you shouldn't be afraid to ask; if we don't ask then we don't learn :)

Look at Caddy webserver, it does automated SSL for you.

[–] TDCN@feddit.dk 8 points 8 months ago

Thank you. It was mostly meant as a joke tho. I'm not actually afraid to ask, but more ignorant because it's all behind VPN and that's just so much easier and safer and I know how to do it, so less effort. Https is just magic for me at the moment and I like it that way. Maybe one day I'll learn the magic spells but not today.

[–] possiblylinux127@lemmy.zip 2 points 8 months ago (1 children)

Careful with Caddy as it's had a few security issues.

[–] johannes@lemmy.jhjacobs.nl 3 points 8 months ago (4 children)

All software has issues, such is the nature of software. I always say if you selfhost, at least follow some security related websites to keep up to date about these things :)

[–] Atemu@lemmy.ml 16 points 8 months ago

Nothing I host is internet-accessible. Everything is accessible to me via Tailscale though.

[–] Presi300@lemmy.world 16 points 8 months ago (4 children)

Everything is accessible through VPN (Wireguard) only

[–] Randelung@lemmy.world 2 points 8 months ago

Same. Always on VPN on phone for on the go ad blocking via pihole.

[–] brayd@discuss.tchncs.de 16 points 8 months ago (2 children)

I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).

I knew about Cloudflare Tunnels but I didn't want to route my stuff through their service. And using Immich through their tunnel would be very slow.

I finally figured out how to publish my stuff using an external VPS that's doing several things:

  • being an OpenVPN server
  • being a cert server for OpenVPN certs
  • being a reverse proxy using nginx with certbot

Then my servers at home just connect to the VPS as VPN clients so there's a direct tunnel between the VPS and the home servers.

Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6, and that one routes the traffic through the VPN tunnel to the home server and its port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.

Took me several years to figure out but resolved all my issues.
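Added example, not brayd's own configuration: the VPS-side nginx site for the setup described above, assuming the domain app.example.com, a tunnel subnet of 10.8.0.0/24, the home server pinned to 10.8.0.2 by an OpenVPN client-config-dir entry, and certbot-issued certificates.

```nginx
# Added example (assumed values, not brayd's real config).
# OpenVPN side (server config needs "topology subnet" and
# "client-config-dir /etc/openvpn/ccd"); the file /etc/openvpn/ccd/homeserver
# contains one line so the home server always gets the same tunnel address:
#   ifconfig-push 10.8.0.2 255.255.255.0

# Standard nginx idiom for passing WebSocket upgrades through the proxy.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name app.example.com;
    return 301 https://$host$request_uri;   # never serve the app over plain HTTP
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;   # public IPv6 works too; the tunnel leg stays IPv4
    server_name app.example.com;

    # Paths certbot creates for this domain.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass http://10.8.0.2:8080;    # home server's static tunnel IP + app port
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Run `certbot --nginx -d app.example.com` on the VPS once the site is enabled to obtain the certificate; on the home server, bind the app (or firewall port 8080) to the tunnel interface only, so it is reachable through the VPS and nowhere else.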

[–] llii@feddit.de 4 points 8 months ago (1 children)

What benefit does it have instead of getting a dynamic DNS entry and port forwarding on your internet connection?

[–] brayd@discuss.tchncs.de 10 points 8 months ago (1 children)

With DS-Lite you don't have a public IPv4. Not a static one but also not a dynamic one. The ISP just gives you a public IPv6. You share your IPv4 address with other users. This is done to use fewer IPv4 addresses. But not having a dynamic IPv4 causes you to be unable to use DynDNS etc. It's simply not possible.

You could publish your stuff via IPv6 only but good luck accessing it from a network without IPv6.

You could also spin up tunnels with SSH between a public server and the private one (yes, SSH can do stuff like that), but that's very hard to manage with many services, so you're better off building a setup like mine.

https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-ipv6-dual-stack-lite.html

[–] llii@feddit.de 2 points 8 months ago

Thanks for the great explanation!

[–] grue@lemmy.world 12 points 8 months ago* (last edited 8 months ago) (6 children)

I currently keep everything LAN-only because I haven't figured out how to properly set up outside access yet.

(I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people's location outside the home would work.)

[–] Lifebandit666@feddit.uk 3 points 8 months ago

I have used DuckDNS and Nginx to get Home Assistant outside but it was horrible, just constantly breaking. Around Christmas time I bought myself a domain name for a few years and Cloudflare to access it, and it's been night and day since.

Sure it cost me money but it was far cheaper than a Nabu Casa account.

Tailscale plugin for HA works flawlessly for me.

[–] captainastronaut@seattlelunarsociety.org 7 points 8 months ago* (last edited 8 months ago)

Nothing outside the LAN. Just Tailscale installed on my Synology NAS, on HomeAssistant and on all my machines.

[–] pHr34kY@lemmy.world 6 points 8 months ago* (last edited 8 months ago)

Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.

Like, even my DNS server is public because I use DoT for AdBlock on my phone.

Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).

A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.

[–] ultorpha@lemmy.nz 6 points 8 months ago (6 children)

Unlike most here, I'm not as concerned with opening things up. The two general guidelines I use are 1. Is it built by a big organization with intent to be exposed, and 2. What's the risk if someone gets in.

All my stuff is in docker, so compartmentalized with little risk of breaking out of the container. Each is on its own docker network to the reverse proxy, so no cross-container communication unless part of the same stack.

So following my rules, I expose things like Nextcloud and Mediawiki, and I would never expose Paperless which has identity documents (access remotely via Tailscale). I have many low-risk services I expose on demand. E.g. when going away for a weekend, I might expose FreshRSS so I can access the feed, but I'd remove it once I got home.

[–] empireOfLove2@lemmy.dbzer0.com 5 points 8 months ago (3 children)

100% is lan only cause my isp is a cunt

[–] BearOfaTime@lemm.ee 3 points 8 months ago* (last edited 8 months ago)

Tailscale with the Funnel feature enabled should work for most ISPs, since it's setup via an outbound connection. Though maybe they're Super Cunts and block that too.

[–] MigratingtoLemmy@lemmy.world 2 points 8 months ago (1 children)

Ah, CG-NAT, is it? There are workarounds

[–] powermaker450@discuss.tchncs.de 5 points 8 months ago* (last edited 8 months ago)

Nearly all of them. Nextcloud, Jellyfin, Vaultwarden, Spacebar, and 2fAuth, all set behind an NGINX Reverse Proxy, SWAG. SWAG made it very easy to set up https and now I can throw anything behind a subfolder or subdomain.

[–] harsh3466@lemmy.ml 5 points 8 months ago (7 children)

Available to the internet via reverse proxy:

  • Jellyfin
  • Navidrome
  • Two websites
  • matrix chat server
  • audiobookshelf

LAN only:

  • homepage
  • NGINX Proxy Manager
  • Portainer

There’s more in both categories but I can’t remember everything I have running.

[–] jlh@lemmy.jlh.name 4 points 8 months ago

There's a wide range of opinions on this. Some people only access their services via tunnel, some people open most of their services up to the internet, as long as they're authenticated. One useful option for https services is to put them behind a reverse proxy that requires OAuth authentication, which allows you to have services over the internet without increasing your attack surface. But that breaks apps like Nextcloud and Lemmy, so it's not a universal option.

[–] noisypine@infosec.pub 3 points 8 months ago

Everything is accessible, but only through n2n vpn.

[–] MangoPenguin@lemmy.blahaj.zone 2 points 8 months ago

All of it is LAN only except Wireguard and some game servers.

[–] andreas@lemmy.korfmann.xyz 2 points 8 months ago (1 children)

Something like 95% stays local and is remotely accessed via wireguard. The rest is stuff I need to host via a hostname with a trusted cert because apps I use require that, or if I need to share links to files for work, school etc. For the external stuff I use Cloudflare tunnels just because I use DDNS and want to avoid/can't use port forwarding. Works well for me.
