I need everything to be fully but securely accessible from outside the network
I wouldn’t be able to sleep at night. Who is going to need to access it from outside the network? Is it good enough for you to set up a VPN?
The more stuff visible on the internet, the more you have to play IT to keep it safe. Personally, I don’t have time for that. The safest and easiest system to maintain a system is one where possible connections are minimized.
I sometimes travel for work, as an example, and need to be able to access things to take care of things while I’m away and the girlfriend is home, or when she’s with me and someone else is watching the place (I have a dog that needs petsat). I definitely have the time to tinker with it. Patience may be another thing, though, lol.
Tailscale would allow you access to everything inside your network without having it publicly accessible. I highly recommend that since you are new to security.
It’s not clear to me how tailscale does this without being a VPN of some kind. Is it just masking your IP and otherwise just forwarding packets to your open ports? Maybe also auto blocking suspicious behavior if they’re clearly scanning or probing for vulnerabilities?
That’s exactly what it is. I haven’t looked into it too much, but as far as I know it’s main advantage is simplifying the setup process, which in turn reduces the chances of a misconfigured VPN.
I think the simplest setup is keeping all the apps and services on the local network and doing something like this guide so they are always behind a VPN. Then setup another VPN on unraid or another device to access from outside the local network. There are plenty of other guides for unraid and Plex and the arr stack out there, unraid is just what I use but can use whatever OS you would prefer.
b) I was aware of using tailscale or a VPN. I don’t really want to do that as it requires running my whole connection through home Internet.
c) I also want to setup a reverse proxy even if I do only use it locally just so I am not dealing with ports and IPs. No bookmarks are not practical I have too many as it is.
d) At this point I am doing this the “right” way or at least the complex way because I can.
Well, what you could do is run a DNS server so you don’t need to deal with IPs. You could likely adjust ports for whatever server to be 443 or 80 depending on if you’re internal only or need SSL. Also, something like zerotier won’t route your whole connection through your home internet if you set it up correctly, consider split tunneling. With something like zerotier it’ll only route the zerotier network you create for your devices.
A, great. Overly complicated. B, wireguard lets you set your allowed IPS to your networks’s subnet so you only tunnel that traffic. C, that’s ideal. Use nginx proxy manager. It’s super simple. Buy a domain and you can use letsencrypt for SSL so you don’t get http nag messages from your browser. Old suggest something with cheap renewals like ‘.rodeo’ or ‘.top’. D, there are many right ways. Personally, i’d set up your services in a docker compose file, all behind gluetun as a VPN for your torrent service. I’d set up a wireguard VPN on a pi zero elsewhere on your network so you can access everything from outside, and on your wireguard clients i’d only tunnel the traffic to your network’s subnet. Unless you want everything behind the same VPN you use for torrenting. In that case i’d run a wireguard service in the same docker network as gluetun, so you can tunnel all your client traffic through that. You could even out a dns server in there as well, and manually set a domain name to your server’s ip so you don’t have to buy a domain name. Course, then you can’t use letsenceypt SSL.
I don’t have any answers to your questions, I would just like to mention that you can get complete images that do both of these things together. I use this one, but there apparently to be a bunch of different ones.
Based on this, it’s not yet available. I use Joplin server for my stuff and have been wanting to move away to a web based platform as I tend to reinstall my OS every few months and like to be able to dial in my self hosted instance and reference for what I need.
Imo this is not enshitification yet, but I’m concerned it could pave the way! It all depends on whether they make using your own content harder to promote this, or if it’s just a side hustle to add another revenue stream.
My journey has been similar yet distinctly different. I went from “put it all on one server” to running servers in AWS. But the cost was preventing me from doing much more than run a couple of compute nodes. I hated the feeling of “I could setup a server to do X but it’s gonna cost another $x/month”. So I’ve been shifting back to my own servers.
I do like devops and automation though. Automation is brilliant for creating easily reproducible and stable environments - especially for things you don’t touch very often… Proxmox was what let me start moving back “on prem” as it were. There are “good enough” terraform plugins for proxmox that let me provision standardized VMs from a centralized code-base. And I’ve got ansible handling most of the setup/configure beyond that. I’ve now got like 20 VMs whereas before I only had 2 EC2 nodes due to cost. So much happier…
I’m just getting started on Proxmox and had no idea plugins like that were available. Anything in particular that works well for you? I’d like to try it out.
The telmate one seems more popular but the bgp one worked better for me (I forget what wasn’t working with the other one). They use the proxmox API to automate creating VMs for me.
selfhosted
Top
This magazine is from a federated server and may be incomplete. Browse more on the original instance.