You should consider reversing the roles. There's no reason your homelab cannot be the client, and have your vps be the server. Once the wireguard virtual network exists, network traffic doesn't really care which was the client and which was the server. Saves you from opening a port to attackers on your home network.
That's a pretty cool idea! Thank you very much!
You can also configure your server to only accept traffic on the VPN port coming from your home IP address if you've a static one. Or... only allow incoming connections from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). This will provide you an extra layer of security.
Either way, don't be afraid to expose the WireGuard port, because an attacker won't even know there's something listening on that port, as it will ignore any piece of traffic that isn't properly encrypted with your keys.
Thanks for the info. That sounds doable.
For the backup scenario in particular, it makes sense to pipe them through right to the destination. Like, `tar -zcv somefiles | ssh $homeserver dd of=backup.tar.gz`, or `mysqldump | gzip -c | ssh $homeserver dd of=backup.sql.gz`. Since it's basically a download from your home server's perspective it should be pretty fast, and you don't need temporary space at all on the VPS.
File caching might be a little tricky. You might be best off self-hosting some kind of object storage and putting varnish/NGINX/dedicated caching proxy software in front of it on your VPS, so it can cache the responses but will ultimately forward to the home server over VPN if it doesn't have it cached.
If you use NextCloud for your photos and videos and stuff, it can use object storage instead of local filesystem, so it would work with that kind of setup.
Also been thinking about doing something like this. Would love to hear about your experience deploying it.
Thanks! Will try to update when implementing :)
Tbh I sometimes sshfs mount a vps onto a home machine but doing it the other way around doesn't seem worthwhile. The idea of a vps is that it's in a data center, has tons of bandwidth, backup power, you can set up a failover scheme if you need high availability, etc. Stuff like media is on your home server so you can use it locally, and maybe it's backed up remotely just in case, but doesn't need to be live mounted. That said, I'm used to home internet being unreliable compared to VPS, so mounting it to a vps sounds flaky.
If you want more storage on your vps, just get a bigger one, I would say. Or if you want tons of remote storage, get something with better connectivity.
You could self-host an S3-compatible storage bucket with something like MinIO or Garage.
S3 backends are available in a lot of software and it's kinda made for a similar use-case. I don't know which projects have caching available in a way that aligns with your setup. But I found these two being easy to set up.
I have an orangepi at home with a 2tb usb disk. I made it reachable via wireguard, and it works very well as a samba server. No need to open any ports.
Very cool.
How exactly did you manage to make it available without forwarding a port? If the server is behind your routers with no way through, a vpn shouldn’t reach it either.
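The reversed-role setup suggested in the first comment, as an added example and not any participant's own configuration: the VPS is the only side with a listening port, and the homelab opens the tunnel outbound, which is also why it works without a port forward at home. The keys, the VPS address 203.0.113.10 and the 10.8.0.0/24 tunnel range are placeholders.

```ini
# /etc/wireguard/wg0.conf on the VPS (the "server": the only side that listens;
# 203.0.113.10 and all keys are placeholders)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# the homelab; no Endpoint here because it sits behind NAT with no forwarded
# port, the VPS learns its address from the first authenticated handshake
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# /etc/wireguard/wg0.conf on the homelab (the "client": only ever dials out, so
# nothing on the home router needs to be opened)
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# no ListenPort: an ephemeral source port is used for the outbound tunnel

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.1/32
# re-send a keepalive every 25 s so the NAT mapping stays open and the VPS
# can reach the homelab (e.g. a samba share on 10.8.0.2) at any time
PersistentKeepalive = 25
```

Bring both sides up with `wg-quick up wg0`; `wg show` on the VPS lists a `latest handshake` for the homelab peer once the outbound handshake has completed, and unauthenticated packets to UDP 51820 are dropped silently.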
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| IP | Internet Protocol |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
[Thread #701 for this sub, first seen 22nd Apr 2024, 11:05]