this post was submitted on 05 May 2024
34 points (97.2% liked)

Selfhosted


Hi everyone!

I'm looking into self-hosting, and I currently have dynamic DNS set up to point to my home IP.

My question: is it worth getting a dedicated IP through a VPN?

I'm pretty technically savvy, but when it comes to networking I lack practical experience. My thought is that pointing my domain to a dedicated IP and routing that traffic to my home IP would be safer - especially if I only allow traffic on certain ports from that IP. Just curious if that idea holds up in practice, or if it's not worth the effort.

[–] [email protected] 2 points 6 months ago (4 children)

Thanks for the reply!

So the NGINX server is hosted outside your network, then? And then reverse-proxy that into your home server?

Honestly, I feel like NGINX is a bit overkill for my situation, since I'm not expecting to have a lot of traffic. I could be wrong, though.

[–] [email protected] 6 points 6 months ago (1 children)

Their setup sounds similar to mine. But no, only a single service is exposed to the internet: wireguard.

The idea is that you can have any number of servers running on your lan, etc... but in order to access them remotely you first need to VPN into your home network. This way the only thing you need to worry about security-wise is wireguard. If there's a security hole / vulnerability in one of the services you're running on your network or in nginx, etc... attackers would still need to get past wireguard first before they could access your network.

But here is exactly what I've done:

  1. Bought a domain so that I don't have to remember my IP address.
  2. Set up DDNS so that the A record for my domain always points to my home IP.
  3. Run a wireguard server on my lan.
  4. Port forwarded the wireguard port to the wireguard server.
  5. Created client configs for all remote devices that should have access to my lan.

Now I can just turn on my phone's VPN whenever I need to access any one of the services that would normally only be accessible from home.

P.S. There are additional steps I did to ensure that the masquerade of the VPN was disabled, that all VPN clients use my pihole, and that I can still get decent internet speeds while on the VPN. But that's slightly beyond the original ask here.
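As an added illustration of steps 3 to 5 above (this is not the commenter's configuration), here is what a minimal WireGuard server config and one client config look like. All addresses, names and keys are placeholders: the LAN is assumed to be 192.168.1.0/24, the VPN subnet 10.8.0.0/24, the Pi-hole 192.168.1.2, and home.example.com is the DDNS name from step 2.

```ini
# --- Server: /etc/wireguard/wg0.conf (placeholder values, added example) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820              # the single UDP port forwarded from the router
PrivateKey = <SERVER_PRIVATE_KEY>
# Deliberately no PostUp masquerade rule: clients keep their 10.8.0.x source
# address on the LAN, so each device stays identifiable in LAN-side logs.

[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32        # this peer may only send packets from this address

[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- Client: phone.conf (placeholder values, added example) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <PHONE_PRIVATE_KEY>
DNS = 192.168.1.2               # use the Pi-hole for name resolution while connected

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = home.example.com:51820         # the DDNS name, port-forwarded in step 4
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24  # split tunnel: only home subnets go via the VPN
PersistentKeepalive = 25                  # keeps NAT mappings alive on mobile networks
```

Key pairs are generated per device with `wg genkey | tee privatekey | wg pubkey > publickey`; only the public half ever goes into the other side's config. On the server, AllowedIPs is both a route and a source-address filter, so a peer cannot impersonate another device's VPN address. Because masquerading is off, LAN hosts need a route for 10.8.0.0/24 pointing at the WireGuard server (or the router needs it), otherwise replies never come back. A WireGuard port stays silent to packets that fail authentication, so exposing that one UDP port reveals nothing to a scanner.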

[–] [email protected] 2 points 6 months ago (1 children)

Wouldn't this require any user to connect to the VPN though? I'm looking for something more publicly accessible - say like a website.

[–] [email protected] 3 points 6 months ago

Yes it would. In my case though I know all of the users that should have remote access and I'm more concerned about unauthorized access than ease of use.

If I wanted to host a website for the general public to use though, I'd buy a VPS and host it there. Then use SSH with private key authentication for remote management. This way, again, if someone hacks that server they can't get access to my home lan.

[–] [email protected] 3 points 6 months ago

No, it's inside the network. Once I'm inside my network via the VPN, the proxy server routes to the service I want based on the subdomain instead of using the IP and port as the address.

This can also be useful if, instead of going the VPN route, you choose to go the CDN tunnel (for example, Cloudflare) way. I actually started with a tunnel via Cloudflare, but after some digging, I don't trust them anymore. Having a tunnel allows you to close all ports coming into your network, but at the expense of having to trust the tunnel provider, and I don't trust many companies out there.

[–] [email protected] 3 points 6 months ago (2 children)

No, the nginx runs inside your network. It's the "entry point" to it and it proxies all requests to your respective services.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

@[email protected] It would be better to have the server on a separated VLAN

[–] [email protected] 1 points 6 months ago

Yeah, that's definitely something I need to look into setting up.

[–] [email protected] 1 points 6 months ago

Ahh okay, thanks for the clarification. Honestly I should use NGINX just for the sake of learning it, if nothing else.

[–] [email protected] 3 points 6 months ago (1 children)

Nginx isn't for security; it's to allow hostname-based proxying so that your single IP address can serve multiple backend services.

[–] [email protected] 1 points 6 months ago (1 children)

Thanks, I'm only very vaguely familiar with NGINX, so I appreciate the clarification.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

To provide a bit more detail then - you would set up your proxy with DNS entries "foo.example.com" as well as "bar.example.com" and whatever other sub-domains you want pointing to it. So your single IP address has multiple domain names.

Then your web browser connects to the proxy and makes a request to that server that looks like this:

GET / HTTP/1.1
Host: foo.example.com

nginx (or apache, or other reverse proxies) will then know that the request is specifically for "foo.example.com" even though they all point to the same computer. It then forwards the request to whatever you want on your own network and acts as a go-between between the browser and your service. This is often called something like host-based routing or virtual-hosts.

In this scenario the proxy is also the SSL endpoint and would be configured with HTTPS and a certificate that verifies that it is the source for foo.example.com, bar.example.com, etc.
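The host-based routing and TLS endpoint described above, as an added nginx example (not the commenter's own config). It assumes two LAN backends, 192.168.1.10:8080 behind foo.example.com and 192.168.1.11:3000 behind bar.example.com, and certificates already issued for each name; every path and address is a placeholder.

```nginx
# Catch-all for requests whose Host / SNI matches none of the names below
# (a bare IP, a scanner probing the address): close the connection without a
# response instead of letting it land on the first service by accident.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/private/fallback.crt;   # self-signed is fine here
    ssl_certificate_key /etc/ssl/private/fallback.key;
    return 444;
}

# foo.example.com -> first backend service
server {
    listen 443 ssl;
    server_name foo.example.com;
    ssl_certificate     /etc/letsencrypt/live/foo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.example.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.10:8080;
        proxy_set_header Host              $host;   # pass the original name to the backend
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# bar.example.com -> second backend service, same IP, different Host header
server {
    listen 443 ssl;
    server_name bar.example.com;
    ssl_certificate     /etc/letsencrypt/live/bar.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bar.example.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.11:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP only redirects, so the proxy is the one place TLS terminates.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
```

nginx picks the server block by the TLS SNI name first and then by the Host header; the default_server block needs its own certificate or nginx refuses to start. The 444 catch-all is the check worth keeping: without it, a request with an unexpected Host header is served by whichever block nginx lists first, which is how a service you meant to hide behind a name ends up reachable by IP.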

[–] [email protected] 2 points 6 months ago

Ahh okay, interesting. I'll have to give this a try, then.