I’ve set up WireGuard, because it’s only me and an employee using the services. But with that, externally I don’t even seem to have a port open. But WireGuard is so fast to be online that I’m just always connected as soon as I’m online - using a domain and an IP update script.
Something like Wireguard, Tailscale (uses Wireguard but provides easier administration), Reverse Proxy, VPN, are the best approaches.
Since OP doesn’t need for anyone else to access, I’d use Tailscale (Wireguard if you want a little more effort). Tailscale has a full self-host option with Headscale, though I have no problem with letting them provide discovery.
With Tailscale, you don’t even need the client on devices to access your Tailscale network, by enabling the Funnel feature. This does something similar to Reverse Proxy, by having a Web-exposed service hosted by Tailscale which then routes traffic (encrypted) to your Tailscale network.
Yeah, but then I’ve a web-exposed service and I want to keep as low a profile as possible with what I’m exposing. So I guess as long as there aren’t many users to manage, WireGuard (or a Tailscale configuration) could work out for OP.
I’ll assume you mean what I mean when I say I want to be safe with my self hosting – that is, “safe” but also easily accessible enough that my friends/family don’t balk the first time they try to log in or reset their password. There are all kinds of strategies you can use to protect your data, but I’ll cover the few that I find to be reasonable.
Port Forwarding – as someone mentioned already, port forwarding raw internet traffic to a server is probably a bad idea based on the information given. Especially since it isn’t strictly necessary.
Consumer Grade Tunnel Services – I’m sure there are others, but cloudflare tunnels can be a safer option of exposing a service to the public internet.
Personal VPN (my pick) – if your number of users is small, it may be easiest to set up a private VPN. This has the added benefit of making things like PiHole available to all of your devices wherever you go. Popular options include Tailscale (easiest, but relies on trusting Tailscale) or Wireguard/OpenVPN (bare bones with excellent documentation). I think there are similar options to tailscale through NordVPN (and probably others), where it “magically” handles connecting your devices but then you face a ~5 device limit.
With Wireguard or OpenVPN you may ask: “How do I do that without opening a port? You just said that was a bad idea!” Well, the best way that I have come up with is to use a VPS (providers include Digital Ocean, Linode to name a few) where you typically get a public IP address for free (as in free beer). You still have a public port open in your virtual private network, but it’s an acceptable risk (in my mind, for my threat model) given it’s on a machine that you don’t own or care about. You can wipe that VPS machine any time you want, the cost is time.
It’s all a trade-off. You can go to much further lengths than I’ve described here to be “safer” but this is the threshold that I’ve found to be easy and Good Enough for Me™.
If I were starting over I would start with Tailscale and work up from there. There are many many good options and only you can decide which one is best for your situation!
Port Forwarding – as someone mentioned already, port forwarding raw internet traffic to a server is probably a bad idea based on the information given. Especially since it isn’t strictly necessary.
I don’t mean to take issue with you specifically, but I see this stated in this community a lot.
For newbies I can agree with the sentiment “generally” - but this community seems to have gotten into some weird cargo-cult style thinking about this. “Port forwarding” is not a bad idea, end of discussion. It’s a bad idea to expose a service if you haven’t taken any security precautions on a system that is not being maintained. But exposing a WireGuard service on a system which you keep up to date is not inherently a bad thing. Bonus points if VPN is all it does and it has restricted local accounts.
In fact of all the services homegamers talk about running in their homelab wireguard is one of the safest to expose to the internet. It has no “well-known port” so it’s difficult to scan for. It uses UDP which is also difficult to scan for. It has great community support so there will be security patches. It’s very difficult to configure in an insecure way (I can’t even think of how one can). And it requires public/private key auth rather than allowing user-generated passwords. They don’t even allow you to pick insecure encryption algorithms like other VPNs do. It’s a great choice for a home VPN.
You make a great point. I really shouldn’t contribute to the boogeyman-ification of port forwarding.
I certainly agree there is nothing inherently wrong or dangerous with port forwarding in and of itself. It’s like saying a hammer is bad. Not true in the slightest! A newbie swinging it around like there’s no tomorrow might smack their fingers a few times, but that’s no fault of hammer :)
Port forwarding is a tool, and is great/necessary for many jobs. For my use case I love that Wireguard offers a great alternative that: completes my goal, forces the use of keys, and makes it easy to do so.
Glad you didn’t take my comment as being “aggressive” since it certainly wasn’t meant to be. :-)
WireGuard is a game-changer to me. Any other VPN I’ve tried to set up makes the user make too many decisions that require a fair amount of knowledge. Just by making good decisions on your behalf and simplifying the configuration they’ve done a great job of helping to secure the internet. An often overlooked piece of security is that “making it easier to do something the right way is good for security.”
You can self-host the email server wherever you want. But you have to use some external system to deliver the email or you’ll end up in spam, because your residential IP is most likely dynamic and already flagged by most email providers.
One way to do it is to get a VPS somewhere and set up WireGuard on it. Then configure your local system to bind to the WireGuard interface and IP so all email is sent and received using the tunnel. Dovecot doesn’t care what interface it is running on; Postfix has specific options that you can change in master.cf to accommodate the fact that it will be binding to the VPN IP while the real IP is the VPS public IP.
Create an outgoing transport for the email that uses the WG tunnel and is aware of the VPS public IP:
```
# out-wg: smtp client that leaves through the WireGuard tunnel.
# master.cf does not accept trailing "# ..." comments on -o lines
# (anything after the value is passed to smtp(8) as extra arguments),
# so the explanations live up here:
#   proxy_interfaces  = the real public IP of the VPS
#   smtp_bind_address = the IP that your local server has on the WG interface
#   inet_interfaces   = same as above
#   myhostname and smtp_helo_name should match the PTR / reverse DNS entry on the VPS IP
out-wg    unix  -       -       n       -       -       smtp
  -o proxy_interfaces=188.xxx.xxx.xxx
  -o smtp_bind_address=10.0.0.2
  -o inet_interfaces=10.0.0.2
  -o myhostname=server.example.org
  -o smtp_helo_name=server.example.org
  -o syslog_name=smtp-wg
```
Set your VPS firewall to NAT/forward incoming traffic on ports 25, 587, 465 and 993 to the local server (WireGuard client 10.0.0.2).
Change main.cf to use the transport by adding: `default_transport = out-wg`.
That’s everything you need to get it going. Use www.mail-tester.com to debug if DKIM and everything else is properly setup at the end.
DNS, mail, business web, customer web on VPSes (2: 1 primary, 1 secondary DNS only).
Personal email, incoming and outgoing via VPS, personal websites (all static) on local system (RPi 4 8GB).
This gives the advantage that your outgoing email always comes from the VPS IP address (pick a VPS provider that is trusted) and when your line is down, incoming email is cached on your VPS. It’s a tad of double work, but pretty secure. Even connecting to my employer to work from home is not a big issue (and that connection is limited to its own VLAN).
Also, with this method, you can route the mail into your network via port 26 when 25 is blocked, or even set an outgoing VPN to your VPS and route the email that way. You’ll be provider independent at home. (I even have a private IPv6 /48 via a tunnel broker.)
You’ll need to work a lot on your knowledge though; without DNSSEC, SPF, DKIM and DMARC the big 2 (Google and Hotmail) will refuse your email.
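Both posts above hinge on the same thing: outgoing mail leaves from the VPS IP, so SPF must authorise that IP, the PTR must match Postfix's myhostname, and DKIM/DMARC must be published. This is an added checker, not code from either poster; the zone data is constructed, and 203.0.113.10 stands in for the 188.xxx.xxx.xxx placeholder.

```python
import ipaddress

VPS_IP = "203.0.113.10"          # constructed stand-in for the VPS public IP
MAIL_HOST = "server.example.org"  # the myhostname / smtp_helo_name value

# Constructed TXT/PTR data; in practice you would fetch these with dig.
TXT = {
    "example.org": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqPLACEHOLDER"],
}
PTR = {"203.0.113.10": "server.example.org."}

def spf_allows(txt_records, ip):
    """True if an SPF record lists ip under an ip4:/ip6: mechanism."""
    addr = ipaddress.ip_address(ip)
    for rec in txt_records:
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            mech = term.lstrip("+")
            if mech.startswith(("ip4:", "ip6:")):
                net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
                if addr in net:
                    return True
    return False

def _tags(rec):
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM records."""
    return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)

def dmarc_policy(txt_records):
    """Return the DMARC p= policy, or None if no record is published."""
    for rec in txt_records:
        if _tags(rec).get("v") == "DMARC1":
            return _tags(rec).get("p")
    return None

def check_mail_dns(txt, ptr, domain, selector, ip, hostname):
    """Return a list of problems; an empty list means all four checks passed."""
    problems = []
    if not spf_allows(txt.get(domain, []), ip):
        problems.append(f"SPF for {domain} does not authorise {ip}")
    if dmarc_policy(txt.get(f"_dmarc.{domain}", [])) is None:
        problems.append(f"no DMARC record at _dmarc.{domain}")
    dkim = [r for r in txt.get(f"{selector}._domainkey.{domain}", []) if _tags(r).get("p")]
    if not dkim:
        problems.append(f"no DKIM public key at selector {selector}")
    if ptr.get(ip, "").rstrip(".") != hostname:
        problems.append(f"PTR for {ip} does not match myhostname {hostname}")
    return problems
```

Run it against your own records before trusting mail-tester; a residential IP that is not in SPF, or a missing PTR on the VPS, shows up as a listed problem.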
I run nodered within Homeassistant in a vm on one of my nucs, I do all of my actual automation in there and homeassistant is just an IO layer for zigbee and bluetooth stuff.
I started out that way, but I’ve moved to doing most of it in HA directly since they’ve massively improved the UI. I still use NR for complicated stuff though. I’ve recently started using Pyscript for Modbus integrations too.
The UI is definitely better than it used to be, but nodered can do some more powerful stuff like pulling the html of a devices web ui and parsing data straight from the page when there’s no API to use for example. I used to do that for a solar inverter at my last house.
Now I use it to control my AV switcher that distributes video through the house; it has no native Home Assistant integration and only supports things like Control4 and RTI, so I implemented my own control using their REST API and hooked it all up to buttons and selectors in Home Assistant. Works great.
Also my home theatre receiver has a Home Assistant integration but it’s terrible, so again, I’ve manually implemented the TCP controls in Node-RED.
I’ve done something similar in NR to scrape the CUPS webpage on my desktop and turn on a Tasmota plug for the printer when it sees a job waiting in the queue. I wouldn’t even try to do that in HA directly. But I wouldn’t be surprised if there’s an integration somewhere that would do it.
That is a self-made soldering kit box I made when I was in college and had to haul it around a lot. I have actually been meaning to replace it with something more permanent now that I’m a grown-up with my own house. I have an air flow soldering rig which doesn’t really have a home, and I could make much better use of the space. I have my Brocade ICX6610-24 next to that which I’ve been programming for way too long, and a whole bunch of 3D printer parts on top of that.
That kit box would actually be perfect for my needs as this is a hobby I only visit occasionally or when needed. It would be great to have something I can easily store.
Works great. It’s my portable gaming box. I use virtualhere usb over ip on the same Pi too so I can use multiple controllers like a wheel or joystick, pass a full bluetooth adapter directly to it for emulators.
In the house, anywhere with wifi. Can run decently down to 10-15mbps at 1080p60.
Remotely, over Tailscale, my home uplink is too slow for anything more than 720p60, but it’s low latency enough that I can play games like Mario RPG and get timed hits correct. Or Clone Hero. Games like Rocket League tend to be too fast though, and video breaks up badly.
So long as you have a fast enough uplink, I think I’d be fine anywhere. Sunshine and Moonlight are amazing; I used to use Parsec extensively but now it’s just Moonlight and Sunshine.
In most games not noticeable. Only game I have trouble with is emulating Wii, playing Mario Galaxy. The pointer on screen lags, but I think that’s more due to the bluetooth adapter compatibility than any latency added by the usb-> ip -> wifi link.
I’m not an FPS player, so I can’t speak to sub-second latency… but I do racing sims on this, and it has no trouble with controls and force feedback.
That’s not too easy, methinks. You get KVM VMs through GUI/shell/API with Proxmox, but no Docker (they use LXC). Unless you set up Podman or similar inside it.
Other than that I’d say go with a Xen (XCP-ng), Proxmox or ESXi host, and spin up a VM as Docker host.
I ditched Docker in my latest setup, just running 2 machines in a Proxmox cluster. I like LXC - it’s got the footprint of Docker and behaves like a VM.