The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.
This is the way.
Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.
Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.
Homelab, ehhh. Much smaller user base and within smackable reach.
Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.
Can I ask your setup? I’d like to get this for myself as well.
Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it
Which image? I’ve seen a few wireguard options on docker hub
Linuxserver
Try pivpn. It is meant to run on a raspberry pi, but it should work on most Ubuntu and Debian based distributions.
Not OP, but I just use ZeroTier for this since it’s dead simple to setup and free. I’m sure there’s some 100% self-hosted solutions, but it’s worked for me without issue.
Sorry, haven’t logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.
Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.
Everything is accessible through VPN (Wireguard) only
Same. Always on VPN on phone for on the go ad blocking via pihole.
Nothing I host is internet-accessible. Everything is accessible to me via Tailscale though.
I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).
I knew about Cloudflare Tunnels but I didn’t want to route my stuff through their service. And using Immich through their tunnel would be very slow.
I finally figured out how to publish my stuff using an external VPS that’s doing several things:
- being a OpenVPN server
- being a cert server for OpenVPN certs
- being a reverse proxy using nginx with certbot
Then my servers at home just connect to the VPS as VPN clients so there’s a direct tunnel between the VPS and the home servers.
Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6 and that one routes the traffic through the VPN tunnel to the home server and it’s port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.
Took me several years to figure out but resolved all my issues.
What benefit does it have instead of getting a dynamic DNS entry and port forwarding on your internet connection?
With DS-Lite you don’t have a public IPv4. Not a static one but also not a dynamic one. The ISP just gives you a public IPv6. You share your IPv4 address with other users. This is done to use less IPv4s. But not having a dynamic IPv4 causes you to be unable to use DynDNS etc. It’s simply not possible.
You could publish your stuff via IPv6 only but good luck accessing it from a network without IPv6.
You could also spin up tunnels with SSH actually between a public server and the private one (yes SSH can do stuff like that) but that’s very hard to manage with many services so you’re better of building a setup like mine.
Thanks for the great explanation!
I’m interested in why you’re terminating TLS on your VPS instead of doing it on your home network
I currently keep everything LAN-only because I haven’t figured out how to properly set up outside access yet.
(I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people’s location outside the home would work.)
I have used DuckDNS and Nginx to get Home Assistant outside but it was horrible, just constantly breaking. Around Christmas time I bought myself a domain name for a few years and Cloudflare to access it, and it’s been night and day since.
Sure it cost me money but it was far cheaper than a Nabu Casa account.
Yeah, same, except I tunneled HA out via that Cloudflare daemon. Kinda janky because I cannot use the app with it to do locations, but I can check in on the pets from anywhere.
I’m planning to set up a legit VPN sometime soon.
Why can’t you use the app to do locations?
I cannot get the app to connect to my HA with the current setup. I have Cloudflare doing email verification, and the app doesn’t understand how to collect the cookies to make that possible.
Just recommendes something that could help you to someone else here
deleted by creator
Available to the internet via reverse proxy:
- Jellyfin
- Navidrome
- Two websites
- matrix chat server
- audiobookshelf
LAN only:
- homepage
- NGINX Proxy Manager
- Portainer
There’s more in both categories but I can’t remember everything I have running.
What is homepage? I’m testing homarr right now (assuming it’s similar) but haven’t set on it yet
I believe it’s this
I’ve been eyeing it myself
Woo thank you!
That it is!
It’s another dashboard like homarr. I set up homarr and homepage side by side to pick one and landed on homepage. No specific reason, I just gravitated to it over homarr.
Thanks, I’ll check it out :D
You’re welcome!
All of it is LAN only except Wireguard and some game servers.
deleted by creator
Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.
Like, even my DNS server is public because I use DoT for AdBlock on my phone.
Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).
A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.
I keep everything behind a VPN so I don’t have to worry much about opening things up to the Internet. It’s not necessary about the fact that you’re probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.
You could expose your media server and not worry too much about that device but having it in a “demilitarized zone”, ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.
Everything is accessible, but only through n2n vpn.
The only acessible element is the webserver. Fileserver, home automation, octopi, proxmox, media, etc etc are all isolate.
I use OpenVPN and not expose anything directly.
