this post was submitted on 21 Apr 2024
11 points (100.0% liked)

Selfhosted

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

I need help figuring out where I am going wrong or being an idiot, if people could point out where...

I have a server running Debian 12 and various Docker images (Jellyfin, Home Assistant, etc.) controlled by Portainer.

A consumer router assigns static IP addresses by MAC address. The router lets me define the IP address of a primary/secondary DNS. The router registers itself with DynDNS.

I want to make this remotely accessible.

From what I have read I need to set up a reverse proxy. I have tried to follow various guides to give my server a cert for the reverse proxy, but it always fails.

I figure the server needs the DynDNS address to point at it, but the scripts pick up the internal IP.

How are people solving this?

top 24 comments
[–] [email protected] 4 points 5 months ago (3 children)

The easiest and quickest way that's still safe is to just use Tailscale.

It's a zero-config VPN that you can install on all your devices. I've been using it for quite some time now and I'm still fascinated by how easy to use it is.

[–] [email protected] 4 points 5 months ago (1 children)

I would want to go that approach, but it feels very inconvenient having to connect to the VPN every time I want to check something, and also the battery drain if I stayed connected all the time.

[–] [email protected] 2 points 5 months ago (1 children)

I’ve been using Tailscale for about 2 months now. It has a VPN-on-demand setting that I keep enabled. That way, anytime I am not on my local WiFi, it automatically connects the VPN. According to my battery health settings, Tailscale has used 5% of my battery in the last 10 days. And I am even using a Mullvad exit node, which would use even more battery.

[–] [email protected] 1 points 4 months ago (1 children)

Where is the VPN-on-demand setting?

[–] [email protected] 1 points 4 months ago

On iOS, I tap on my profile in the upper right, and the VPN-on-demand setting is right below my account.

[–] [email protected] -1 points 5 months ago

I found Tailscale/Headscale way more difficult to set up than WireGuard.

[–] [email protected] -2 points 5 months ago

Enable Funnel and the Tailscale client isn't required.

[–] [email protected] 4 points 5 months ago (3 children)

It's easiest to just register a domain name and use Cloudflare Tunnels. No need to worry about dynamic DNS, port forwarding etc. Plus, you have the security advantages of DDoS protection and a firewall (WAF). Finally, you get portability: you can change your ISP, router or even move your entire lab into the cloud if you wanted to, and you won't need to change a single thing.

I have a lab set up on my mini PC that I often take to work with me, and it works the same regardless of whether it's going through my work's restricted proxy or the NAT at home. Zero config required on the network side.

[–] [email protected] 2 points 4 months ago

Just a reminder that even though the tunnel itself is encrypted, the whole connection is not E2E encrypted between your remote client and the server. Cloudflare as a CDN/PoP provider can see the traffic in plaintext.

In all other aspects, this is a great solution, as we even get to use the edge caching facility (on top of all the others mentioned above), which further reduces the requests to the origin server.

[–] [email protected] 1 points 5 months ago

I recently went this route after dabbling with other options. I had a WireGuard VPN through my Unifi router, with rules to limit access to only the resources I wanted to share, but it can be a struggle for non-savvy users, and even more so if they want to use Jellyfin on their TV. Tried Twingate too and would recommend it if it fits your use case, but Cloudflare Tunnels were more applicable to me.

[–] [email protected] 0 points 5 months ago (1 children)

Just be careful as DNS and federated requests can leak your real ip even through the CF proxy.

[–] [email protected] 4 points 4 months ago

If you’re only exposing your services through a cloudflare tunnel, it doesn’t even matter if they get your real IP.

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago)

If you are going for a reverse proxy, I highly recommend using Caddy. Issuing TLS certificates is all done automatically and reverse proxy headers are all automatically set.

In many cases, this simple config is enough:

example.org {
    reverse_proxy localhost:1234
}
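A fuller Caddyfile for the setup the original poster describes (several services, each on its own subdomain, exposed publicly). This is an added example, not the commenter's own config; the hostnames, the ACME contact address and the service ports are assumptions, and it assumes the router forwards TCP 80 and 443 to the Debian host and that `example.org` and its subdomains resolve to the home public IP (directly or through a CNAME to the DynDNS name).

```caddyfile
# Added example (not from the thread). Assumed: example.org points at the home
# public IP, router forwards 80/443 to this host, Jellyfin listens on 8096 and
# Home Assistant on 8123 on the same host.
{
    # ACME account contact used for the Let's Encrypt registration (assumed address).
    email admin@example.org
}

# One site block per subdomain. Caddy requests and renews a certificate for each
# name automatically, using the HTTP-01 challenge on :80 or TLS-ALPN-01 on :443.
# If those ports are not reachable from the internet (no port forward, CGNAT, or
# a DynDNS record that still holds an old address) issuance fails, which is the
# usual cause of "the cert script always fails".
jellyfin.example.org {
    reverse_proxy localhost:8096
    log {
        output file /var/log/caddy/jellyfin.log
    }
}

home.example.org {
    # Home Assistant refuses proxied requests (HTTP 400) unless its own
    # configuration.yaml trusts this proxy:
    #   http:
    #     use_x_forwarded_for: true
    #     trusted_proxies: [127.0.0.1]
    reverse_proxy localhost:8123
    log {
        output file /var/log/caddy/home.log
    }
}
```

Before pointing the router at it, `caddy validate --config /etc/caddy/Caddyfile` checks the syntax, and `caddy run` in the foreground shows the ACME exchange in the log, which is where a failed challenge (and the address the CA tried to reach) becomes visible.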
[–] [email protected] 2 points 5 months ago (1 children)

By "remotely accessible", do you mean remotely accessible to everyone or just you? If it's just you, then you don't need to set up a reverse proxy. You can use your router as a VPN gateway (assuming you have a static IP address) or you can use Tailscale or ZeroTier.

If you want to make your services remotely accessible to everyone without using a VPN, then you'll need to expose them to the world somehow. How to do that depends on whether you have a static IP address or are behind a CGNAT. If you have a static IP, you can route ports 80 and 443 to your load balancer (e.g. nginx proxy manager), which works best if you have your own domain name so you can map each service to its own subdomain in the load balancer. If you're behind a CGNAT, you're going to need an external server/VPS to route traffic to its ports 80 and 443 into your home network, essentially granting you a static IP address.

[–] [email protected] 3 points 5 months ago

You don't need a static IP to host a VPN. You can do it using a dynamic DNS which updates the DNS records to match your IP when/if it changes. You do need a public IP though, so CGNAT goes straight out.

[–] [email protected] 2 points 5 months ago

If it's only you (or your household) that is accessing the services, then something like hosting a Tailscale VPN is a relatively user-friendly and safe way to set up remote access.

If not, then you'd probably want to either use the aforementioned Cloudflare Tunnels, or set up a reverse proxy container (nginx proxy manager is quite nice for this as it also handles certs and stuff for you). Then port forward ports 80 and 443 to the server (or container if you give it a separate IP). This can be done in your router.

In terms of domain setup, I've always found subdomains (homeassistant.domain.com) to be way less of a hassle compared to directories (domain.com/homeassistant), since the latter may need additional config on the application end.

Get a cheap domain at like Cloudflare and use CNAME records that point domain.com and *.domain.com to your dyndns host. Iirc there's also some routers/containers that can do ddns with Cloudflare directly, so that might be worth a quick check too.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

I am using duckdns.org and let my router ping it when its public IP changes. Then I use nginx as a reverse proxy with the help of https://nginxproxymanager.com/ so I don't need to write config files, and it also runs certbot for me so I don't need to deal with HTTPS manually.

Actually I also have my own domain, so I use a subdomain pointing via CNAME to the DuckDNS subdomain. This way I can easily change the provider of DynDNS.

[–] [email protected] 1 points 5 months ago

If you are the only one using the services, then go for a VPN instead of port forwarding or something. This way, your stuff isn't openly accessible from the internet to anyone poking around.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

My advice is to just use Tailscale. It’s a 5 minute setup and you get access to your stuff from anywhere, securely, without opening ports to the public internet. It will give your server a second IP address, which you will be able to access from any other device which is also registered to your Tailscale account.

My personal setup:

  • Tailscale installed on all devices that need access to my home lab
  • Custom domain with root A record set to server’s Tailscale IP
  • caddyserver reverse proxy on server, with DNS https authentication configured (regular http won't work because it's not on the public internet)
  • services all on subdomains
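The Caddy side of the Tailscale-only layout above, as an added example rather than the commenter's own file. It assumes the server's Tailscale address is 100.101.102.103 (placeholder in the 100.64.0.0/10 range Tailscale uses), that the public zone for `example.org` is hosted at Cloudflare with an API token (Zone:DNS:Edit for that zone) in the `CF_API_TOKEN` environment variable, and that Caddy was built with the Cloudflare DNS module (`xcaddy build --with github.com/caddy-dns/cloudflare`). The hostnames and ports are assumptions.

```caddyfile
# Added example (not from the thread). The public DNS records for these names
# point at the Tailscale address, which the internet cannot reach, so the
# HTTP-01 and TLS-ALPN-01 challenges cannot succeed. The DNS-01 challenge
# only needs Caddy to write a TXT record in the zone, so it works here.
{
    email admin@example.org
    acme_dns cloudflare {env.CF_API_TOKEN}
}

# Listening on the tailnet address only: the services are not reachable on the
# LAN interface or on 0.0.0.0, which is what "not on the public internet" means
# in practice. Drop the bind lines to also serve the LAN.
jellyfin.example.org {
    bind 100.101.102.103
    reverse_proxy localhost:8096
}

home.example.org {
    bind 100.101.102.103
    reverse_proxy localhost:8123
}
```

The token in `CF_API_TOKEN` can rewrite DNS for the whole zone, so it belongs in the caddy service's environment file (readable by root only), not in the Caddyfile; scoping it to a single zone limits the damage if the server is compromised.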
[–] [email protected] 1 points 4 months ago

Wireguard, simply connect to it whenever I'm out somewhere and boom, instant access to everything on my local network

[–] [email protected] 1 points 4 months ago

I used to use Wireguard with Authelia, then I switched to Tailscale (with a self-hosted Headscale server), and now I'm trying out Netbird (which is open source btw)

[–] [email protected] 1 points 5 months ago* (last edited 4 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
CF              CloudFlare
CGNAT           Carrier-Grade NAT
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
NAT             Network Address Translation
SSL             Secure Sockets Layer, for transparent encryption
SSO             Single Sign-On
TLS             Transport Layer Security, supersedes SSL
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)
nginx           Popular HTTP server

[Thread #695 for this sub, first seen 21st Apr 2024, 07:55]

[–] [email protected] 1 points 5 months ago

I'm using a WireGuard VPN. You have to set up a VPN server (using your DynDNS address, DuckDNS in my case), open the WireGuard port on your router and configure each device that needs access. A reverse proxy is not needed, but I have it so I can use jellyfin.example.com instead of 192.168.100.40:8096. I use NPM (nginx proxy manager) with an awesome GUI that can create Let's Encrypt certificates. I also use Pi-hole as a local DNS server.
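What the WireGuard server and one phone peer look like for the layout in the comment above, as an added example (not the commenter's files). Assumed: the LAN is 192.168.100.0/24 (from the 192.168.100.40 address mentioned), the server's LAN interface is eth0, the router forwards UDP 51820 to the server, the DynDNS name is `myhome.duckdns.org` (placeholder), Pi-hole answers DNS on 192.168.100.40, and every `<...>` key is a placeholder for output of `wg genkey`, `wg pubkey` and `wg genpsk`.

```ini
# Added example (not from the thread). Server side: /etc/wireguard/wg0.conf,
# owned by root with mode 600 because it holds the private key.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Let tunnel clients reach the LAN and nothing else: forward wg0 traffic only to
# 192.168.100.0/24, drop the rest, and NAT it out of eth0 so LAN devices reply
# to the server's LAN address. The rules are removed again when wg0 goes down.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -d 192.168.100.0/24 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -d 192.168.100.0/24 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] per device. On the server, AllowedIPs is the source filter:
# packets from this peer are accepted only if they come from 10.8.0.2.
[Peer]
PublicKey = <phone public key>
PresharedKey = <psk from wg genpsk>
AllowedIPs = 10.8.0.2/32

# Phone side (imported into the WireGuard app, e.g. as a QR code).
[Interface]
Address = 10.8.0.2/32
PrivateKey = <phone private key>
# Pi-hole as resolver over the tunnel, so jellyfin.example.com resolves to the
# LAN address of the reverse proxy instead of the public one.
DNS = 192.168.100.40

[Peer]
PublicKey = <server public key>
PresharedKey = <same psk as on the server>
Endpoint = myhome.duckdns.org:51820
# Split tunnel: only the LAN and the VPN subnet go through WireGuard; all other
# traffic uses the phone's normal connection. Use 0.0.0.0/0 instead to send
# everything through home.
AllowedIPs = 192.168.100.0/24, 10.8.0.0/24
# Keeps the NAT mapping on the home router alive so the server can reach back.
PersistentKeepalive = 25
```

`wg-quick up wg0` brings the server interface up and applies the PostUp rules; `wg show` afterwards lists each peer's latest handshake, which is the quickest way to tell a DNS/port-forward problem (no handshake at all) from a routing problem (handshake present, no traffic).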

[–] [email protected] 1 points 5 months ago

VPS with public IPv4, WireGuard/Tailscale/Headscale and my own domain.