Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Do you think it's safe for the average joe to forward ports in the router to access things from the outside?
Have it be accessible over Tailscale (or similar) and that alleviates a lot of the access concerns. No need to setup port forwarding either.
Similar might be running Wireguard yourself, right? Albeit if memory serves that setup tends to require port forwarding, so maybe not (or maybe I set it up wrong).
Tailscale uses the Wireguard protocol (in userspace, not kernel) along with a user and IP management system, a STUN system and a relay so they can provide easy management and connectivity even behind NAT or CGNAT. The relay uses https headers to hide the traffic, which provides a slower connection but allows connectivity in networks that block UDP or VPN traffic.
Installing a Wireguard server would use a kernel implementation of the WG protocol, but you have to open a port on the server side for it, and manually create the peer configuration and public/private keys for them. It is slightly faster, but not as easy to deploy or as versatile when dealing with complicated networks, dual NAT or CGNAT. Also very easy to block on networks as it does not obfuscates the traffic.
I chose to deploy a Wireguard server because it works well for my needs, but if I was behind CGNAT or connected through restrictive networks I would move to Tailscale.
Makes sense!
I set up Wireguard simply to get a rough understanding of how to do so & to try to access some home resources while away, which works well enough across simpler network situations, but as you indicate, breaks down against more complicated network situations.
Port forwarding a wg udp port is way safer than port forwarding some application to login to from the internet. At least with WG you can't even brute force it or anything, it's a lightweight protocol that requires a client cert.
Tailscale basically uses NAT hole-punching, doesn't require any port-forwarding ever, it's great
Nope. But wireguard works fine and is super easy. I'd recommend something like WG-easy running on the nas. That's just one port to forward, with a reliable service behind it that does not advertise its presence. That is pretty safe.
Do you have a good tutorial for setting up Wireguard? I was able to setup OpenVPN easily but haven't been able to get Wireguard to let me access the internet while connected to it. Plus the Android app always says successfully connected even if the server is misconfigured.
I'm using pivpn inside a Debian container in Proxmox instead of using a raspberry pi. You can pick either OpenVPN or WireGuard during install. Mine is running WireGuard with no issues. I feel it's very easy to use.
2 words: Cloudflare tunnel. Ez-PZ
Cloudflare tunnels are a great alternative to port forwarding
I use Zerotier