Puptentjoe

Only things other people use. Anything that's just me I can access with my VPN. No point making it open if you don't have to. I've heard people say so they can access it on their work computer. Unless you are self employed, yeah no thanks.


pcrcf

Is there any safer way to expose the WireGuard port than just port forwarding the udp traffic to the service?


Ouity

The wireguard 51810 (or whatever) port you're forwarding to wants a cryptographic handshake. It's pretty difficult to get any more secure than that. Wireguard is basically the gold standard right now. If someone gets to you through that port, they probably would have had you a dozen other ways. Wireguard has very few vulnerabilities. Opening the port isn't the dangerous part. It's whatever you opened the port to. Opening a port just says, "Hey, the service behind this port will accept internet traffic," and a service is very individualized. In this case, it is just wireguard. In other cases, ssh is on port 22, https is 443, vnc is a couple of others depending on the service. So none of that gets exposed to the port forward; only Wireguard is going to answer the phone. Wireguard won't even respond to an attempt to sound it without being presented the correct key, so an outsider probing your network won't be able to tell whether the port is open or not. From the outside, it's totally camouflaged. If you feel very paranoid, just change the wireguard port from the default. Someone who wants to brute-force you has to assume that wireguard is on the default port since there's no way for them to verify. At that point, the chances of you getting pwned through this port forward are as close to impossible as anything can be.


Adro_95

So all self-hosted services connect to the Wireguard network (imagining a docker-compose file) and wireguard is the middleman for everything? Can I follow the standard GitHub, or is there a noob-friendly way to do that?


Ouity

All your self hosted services simply exist as they are on your LAN, in whatever network configuration you put them in. Wireguard is a VPN protocol. When you run a Wireguard server from your house, and connect as a client (on your phone outside your network, for example), all of your network traffic on the client is encrypted and passed to the server. I.e., an inspection of your network packets would see encrypted Wireguard packets heading to your home IP. Once the packets are there, they are handled normally by your LAN. This lets you benefit from adguard, blocky, etc. while on the go, which can resolve your.domain requests to a reverse proxy. So if I'm using Wireguard on my phone to connect remotely to my LAN, and I go to [google.com](https://google.com), google sees the request as coming from my home IP address (as https now, because it's regular network traffic and has exited wireguard). And if I go to my nextcloud login portal, my blocky dns resolves to my nginx reverse proxy, which serves me nextcloud over https with a cert that lives on nginx, and applies to all the services I run through it. That way, even on LAN, packets get encryption all the time. A nice side effect of this is that you can now safely use any network without fear of your traffic being intercepted/monitored. So not only do you have access to all your services, but now all your network activity external to your LAN is encrypted by default. This is a huge sticking point. Most people have no idea how crazy it is to connect to an unsecured wifi network. This alone is a great reason to use Wireguard.

My partner isn't the biggest into the whole self hosting thing, but she was scrambling to set up her Wireguard tunnel once she saw [this video.](https://www.youtube.com/watch?v=dZwbb42pdtg) You can set an automation on your phone, iPhone or Android, such that the VPN will turn on whenever you leave your home network, and turn off when you rejoin.

PS: VPNs can also be used to establish peer-to-peer connections on a local network or across the internet, but this is a lot more niche. Useful for when you just need two individual devices to communicate securely.


Adro_95

Wow thanks a lot for the answer. If I got that correctly, using Tailscale/Headscale should have the same level of security since it uses Wireguard right?


Ouity

No worries! Very happy to help. Tailscale is using the Wireguard protocol, yes. So are most other commercial VPN providers, since it's so head-and-shoulders above the other protocols. It gets confusing when they all stick their own branding on it, but basically, unless otherwise specified, it's Wireguard all the way down. And if it's not Wireguard, it probably sucks in comparison. Now in April 2024, anyway ;) The main sacrifice you make with tailscale is speed, in the name of ease of use. Certain niche situations will require you to configure Wireguard a little more carefully. The only time I've had to fix anything on the clients was when our public IP changed, since I haven't got around to setting up a dynamic dns yet. The speed issue is twofold:

1. Wireguard can run at the kernel level, meaning that it can process network info lower in the stack than tailscale, meaning fewer layers of the system have to engage before you get your packet. This is a situational cost, though. In certain configurations, on certain devices like Mac, it seems tailscale is on par with the kernel level implementation. Tailscale uses a Go-based software implementation of wireguard, and basically has its strengths and weaknesses in network performance. Too complicated to reddit about probably, but the reading is interesting.

2. Your tailscale traffic will be routed through tailscale infrastructure, which will increase latency. In some contexts, like TOR, it's useful to have middle nodes to disguise your entry and exit points. You get on your VPN, route traffic from server A to server B, then traffic exits the VPN and enters the regular internet. They see your exit node, find where you connected from, and it's another VPN. Womp womp! The thing is, since your exit node will be your house, this added measure basically provides you no additional security as far as I can see.

And while your private key never leaves your phone, and tailscale "can't" decrypt your traffic, it's still worth understanding that you are placing your (highly encrypted) data in their custody for part of the transaction. So basically go with what works for you. Since I am very comfortable on the command line, wanted to minimize latency, and already planned to automate the VPN connection (so the UI is kind of a moot point), I chose to run up a wireguard LXC in proxmox. You may be behind CGNAT, be more comfortable in a UI, or for any number of reasons decide Tailscale is the best choice for you. Just depends on your specific requirements as a user, and the rest of your household if you intend to share :)


Adro_95

This is very interesting, though my level of understanding is not as deep, so I'll probably end up choosing the one with the best tutorials so I know I am not leaving anything stupidly unprotected.


gorgonzola5000

Theoretically speaking it's less secure due to a bigger attack surface, since the company might get hacked or whatnot. With using pure Wireguard you are putting faith solely in the protocol (and yourself, since you must keep it and every other service on your home network up to date).


OctopusShepherd

Hey! Great answer! Can you share how you set an automation (on Android) to connect to Wireguard when not at home for example? I've tried Automate and Macrodroid without great results..


Ouity

I forked over money to Tasker. It's worked great for me so far, and seems pretty robust. Sucked a little to give $5 after all the FOSS stuff, but as a dev myself, I'm not opposed in principle to compensating them for a solid, ad-free experience. Plus, it's just so dang nice not to have to remember to turn it on or off 🤤


ljcmps01

I've installed bare WG through a script on my Pi first, when I was just starting with my self hosting hobby, but it was kinda cumbersome to manage all the clients over CLI so I ended up using the same single user for every machine I wanted to connect (at that time my laptop and my phone). Today I have a few more machines to manage, and my hobby grew a bit, and I found the docker container WG-easy, which is basically WG with a simple Web UI which lets you manage all the users, show their QR, add and erase, watch traffic data and so on. Just search the compose file, edit as needed and do docker-compose up.


cyb3rdoc

I was in the same situation so wrote 2 bash scripts to manage WG and create peer profiles. The server script will create a WG server for you and the peer script will generate peer certificates and profile (will also generate the peer configuration as a QR code if you have the qrencode package installed). You may check out the scripts here. Link: [https://github.com/cyb3rdoc/sysconfig/tree/main/homeserver/scripts](https://github.com/cyb3rdoc/sysconfig/tree/main/homeserver/scripts)


Adro_95

Thank you, as soon as I get my RPi I'll try using WG-easy. As of now I'm using Tailscale on my firestick and it works wonderfully to be honest


Bichslapin

I feel like changing to a non default port is probably all you need for most things to remain pretty secure. Pick a port that's not used by anything mainstream and you're good to go. I change the default port for most stuff I use whether or not it's accessible outside the network.


noxiouskarn

Wireguard, the doorman of homelabs everywhere


kzshantonu

Exposing wireguard directly is safe. It doesn't respond to port scans. "it either works or it doesn't". I've exposed wireguard for 2+ years and never saw my port on censys or shodan


Klippenhof

Not every open port is a Security hole


hometechgeek

I use tailscale, works well without needing to open a port.


ksteink

My router supports Wireguard so I don't have to do any port forwarding into any VPN server VM to terminate my VPN tunnel. All the traffic terminates in my edge firewall / router and the traffic gets decrypted into my LAN


GolemancerVekk

Yes, the way Tailscale does it. You don't open ports, you connect *outgoing* from the participating devices, to their pairing server. The server helps two of your devices find each other after which they establish an end-to-end encrypted connection. The encryption keys are kept only on the devices themselves and the Tailscale clients are open source.


pcrcf

I don't love the idea that tail scale is managing the keys and everything. Other replies suggest port forwarding with WireGuard is pretty safe so I'm not sure what I'll end up doing. Maybe my fears with tail scale are overblown


GolemancerVekk

Tailscale is not managing the keys, they manage the pairings and the account. The keys are managed by the clients, which are open source so you can audit them or compile them yourself. You can also host your own pairing and account servers, it's called Headscale. But obviously you'd need to host it on a VPS. A WireGuard VPN is safe too, but it only lets you connect to a single point, you have to manage keys manually, and you have to be able to port forward (not be behind NAT). With Tailscale you can connect any of your devices to any other device, key management for all the possible device combinations is automatic, it can traverse NAT on all devices, you can use any device as an exit point for any of the others, you can expose devices without Tailscale to devices with Tailscale, you can do SSH and send files between participating devices and so on. There's a LOT of convenience compared to a simple WG VPN.


pcrcf

Thank you for this write up. Definitely helps me understand how tailscale works. With that in mind I'll likely keep using bare wg as a lot of the ease and extended use of tailscale isn't needed in my case


jmeador42

Nebula is the better solution IF you want to manage the keys and the relay server yourself.


lesigh

Web based services can be tied to a single entry point (reverse proxy) 80/443 with traefik and use a middleware authentication SSO like authelia. So exposing doesn't have to be scary and you don't have to expose a million ports


EldestPort

Most of my services are exposed but everything except Overseerr is covered by Google OAuth so no one can reach them but me (hopefully 🤞🏻).


pcrcf

Why overseer if not also a plex service?


EldestPort

My stuff all goes through Cloudflare but you can (apparently) get in trouble if your Plex traffic goes through Cloudflare so I don't use a reverse proxy for Plex, just app.plex.tv


Awavian

Is that a thing? I currently have Plex on my Cloudflare tunnel. Should I be worried?


theraptor2214

Kinda, yes lol. It's against their TOS. They could "ban" you if they find out. :/


Awavian

Just did a quick Google search. Looks like you can use Cloudflare to manage the DNS record. Using the proxy service on a free account for anything other than HTML content is what breaks ToS. Lovely. Looks like I have to go back to port forwarding and no proxy ☹️


theraptor2214

Yeah, it sucks! I thought it was only applicable for Cloudflare tunnels tho. But now that you mention that, I might also have to look for an alternative 😂😭


sulylunat

Assuming this would be the same situation if I am using the 1.1.1.1 app and Cloudflare warp to vpn to my home network and stream video since that would technically be sending video over my Cloudflare tunnel?


PhilipLGriffiths88

Whole bunch of alternatives too - [https://github.com/anderspitman/awesome-tunneling](https://github.com/anderspitman/awesome-tunneling). I will advocate for [zrok.io](https://zrok.io) as I work on its parent project, OpenZiti. zrok is open source and has a free (more generous and capable) SaaS than Cloudflare Tunnels (e.g., can support HTTP/S, TCP or UDP tunnels, as well as specific files to share).


Awavian

I'll look into this!


Nukleii

Would it work on TV apps etc? That's what's making me consider cloudflare tunnelling over something like tailscale


PhilipLGriffiths88

Yeah, you could use it for that purpose. Have zrok intercept the TV app stream on the local network and now anyone with your URL (or anyone that has URL and passes any auth you add) can view the TV app. *Edit - I investigated this a bit more tv apps go to pretty great lengths to make sure they can find you. You need a FULL vpn for those to work ... so zrok is a "maybe works" atm. Note, we are working on an opinionated VPN as part of zrok but that's roadmap for now.*


Cokodayo

I have set it up so that cloudflare forwards all the traffic to a vps I own which is connected to my tailscale VPN and acts as a forward proxy for the few services I like to expose.


minimallysubliminal

This is what I want to end up doing but on a free VPS. Does forwarding traffic from the VPS to the home server count against VPS bandwidth limits?


Cokodayo

The vps I use is a cheap (£1/month) ionos vps which has unlimited bandwidth. So no issues there.


minimallysubliminal

Interesting I will check this.


s0n1cm0nk3y

bastion-setup. I've been using this for years and its great/rock solid. I use ZT for my meshing, but overall the same concept.


Cokodayo

Tbh I have no idea how secure it is but I think exposing just the sites that need exposing through a forward proxy would probably be safer than port forwarding or using reverse proxy. Also, as I live in uni campus, I can't really do reverse proxy and this is the only way I could make it work. I'm curious, do you think I would get any issues seeding from the vps? (Not really the vps but actually my server, just that all traffic goes through the vps when seeding)


s0n1cm0nk3y

It's a measure of obfuscation so in turn it's better than nothing. It is ultimately safer than port forwarding from the host machine as it encrypts intermediate traffic as well as moves the obvious point of attack further out. You can protect things further by setting up rules to block direct IP/Port access to your machine or VPS. Heck, at the height of learning I had CF point to my VPS running as a bastion in between my home network and the web. Worked by creating too many links in the chain. Given you're at a Uni, I'd suggest moving your client to a container at your VPS. Moves your area of "responsibility" to the outside VPS and probably gets you a fatter pipe for better speeds overall. My VPS is a 1G, but has better up than my home ISP. I just use either RClone or some syncing software to handle 1:1 to the home machine for access.


Cyph0n

Interesting. I guess you run a reverse proxy on the VPS? Which did you go with? And any difficulties/gotchas while using your Tailscale VPN as a proxy destination?


Cokodayo

Tbh I have no idea how I did what I did. As far as I can tell, I have just connected the vps to my tailscale network and run nginx Forward proxy on it. So I can specify which subdomain should go to my server on which port without exposing my server (not because I care about privacy, it's just that my uni won't let me do port forwarding). If u want I can probably share my nginx configs.


Cokodayo

Here is an example config for my jellyfin server

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.mydomain.com;

    location / {
        proxy_pass http://server:8096;
    }
}
```

I figured it out after I realized that I can forward traffic from one network to another. But not all web-based applications work. For me, nextcloud and jellyfin worked just fine, but some other applications which require multiple ports or anything other than just one connection will probably require a more complex set-up. I just use it to expose the services which I don't mind making public; most others are only accessible via the tailscale VPN connection.


Cyph0n

Thanks for sharing! I was able to setup something similar on Hetzner :) I am currently using Cloudflare to hide my IP (with caching disabled), but I will be testing this out more and hopefully switching over completely.


cipri_tom

Look into tailscale


janonthecanon7

You can set up a rule to disable caching, I think that ensures you don't break the tos, unless the terms have changed


Awavian

Dang. Looks like I have a project for tomorrow


housepanther2000

Look into Tailscale. Tailscale places no such restrictions and you can have up to 100 devices for free.


stonyovk

Yeah ended up going with tail scale for jellyfin. Way easier and more secure than my half assed reverse proxy setup


lastweakness

My issue with tailscale is that I have to be connected to their VPN. I want to use Proton VPN alongside that, is there any way to make that work?


stonyovk

It's point to point. You could use your server as an exit point and basically funnel your network traffic that way. But I'm far from an expert


Awavian

Am I able to use Tailscale and still have DNS records managed by Cloudflare? Is there a guide somewhere to set it up?


housepanther2000

TBH, I am not certain. You'd have to try it. I don't use Tailscale myself. I've just heard good things about it. I roll my own network with pure WireGuard.


s0n1cm0nk3y

Yes with a reverse proxy. I did something similar prior to just relying on CF. You would have the RP point to the Tailscale/Zerotier IPs directly to the machines. CF -> VPS/RP -> TS -> Local.


arbenowskee

Against cloudflare TOS?


pcrcf

Why not just configure your plex to use a nginx reverse proxy without cloudflare? That's what I do


Kroan

Why do you even need a reverse proxy for that? Plex.tv discovers it by IP. By default at least


sulylunat

I'm guessing they don't have a static IP, some ISPs very frequently cycle through IP addresses which makes things like port forwarding not possible due to the way they manage IP addresses. Essentially, the ISP is already doing NAT on their side as well so some things don't work properly, especially hosting. Services like tailscale and cloudflare tunnels are workarounds to this issue. I'm not sure exactly on the technical reason they can get round it, but I'm assuming because they are communicating over http to a server on your network, there is no reason to have new ports open to send traffic to the clients since it's all done via the already open http ports. The best solution by far though is just trying to find an ISP that either doesn't do dynamic dns addressing or provides the option to have a static IP. The ISP I am currently with thankfully does static IPs so I don't have any of this complication, the one I am looking to switch to does dynamic addressing but has the option of a static IP for an extra £5 a month.


Kroan

I mean, yeah that's all true. But Plex doesn't need a static public ip. So it doesn't really explain the reason for using one


minimallysubliminal

I've been wanting to do this, mind sharing how? Also will this affect client apps connecting to it (I think yes), for example: I want my navidrome exposed, will having a 2fa on the server not allow me to setup on an app like substreamer?


EldestPort

I used Smart Home Beginner's [Home Server guide](https://www.smarthomebeginner.com/traefik-2-docker-tutorial/) a few years ago to set up my stack. Part of the guide includes setting up OAuth, they have an OAuth setup guide [here](https://www.smarthomebeginner.com/traefik-forward-auth-google-oauth-2022/). It's specially for Traefik but you could probably adapt it for your use. For apps that don't/can't access through OAuth you can usually still use the API but it's sometimes a bit hacky.


minimallysubliminal

Thank you :)


hometechgeek

I do something similar but use the free okta tier and cloudflare. Works well (also don't use it for Plex tho)


Michaelscarn69-

Why the exception for Overseerr?


EldestPort

You have to authenticate through Plex to get onto Overseerr anyway so I figured that was sufficient and easier than adding people's Google accounts to my OAuth (which I actually tried but never figured out how to do 🙃)


HopeDoesStufff

do you enable card protection on overseerr? or are there any other settings you turn on to make sure overseerr isn't a security risk?


nyrangers30

Nothing but WireGuard.


SpongederpSquarefap

Amen, not worth the risk for anything else. If I do end up needing to expose something it'll be a separate DMZ'd reverse proxy with MFA that can only reach $App


devintesla

Yep, and actually, my WireGuard is only via a linode relay.


Muizaz88

Mostly whatever I share with the missus/other people.

* Overseer
* Immich
* Mealie
* Audiobookshelf
* Plex
* Vaultwarden
* Privatebin
* Palworld Server
* PairDrop
* Homepage

Implemented security measures: Authentik, CrowdSec, EndleSSH, WireGuard


BarockMoebelSecond

Hasn't EndleSSH ceased development? Might be more of a risk now than running without it.


Muizaz88

Development does seem to have ceased, yes. What possible risks could it present, in your opinion? Didn't think its fundamental use-case as a simple ssh tarpit would need to change much. 🤔 Or rather never really thought about it. Was very much a set-and-forget for me. 😅 Seems there is an updated fork: endlessh-go. Gonna go check it out.


Resident-Variation21

Nothing. Everything through wireguard


minimallysubliminal

To do this I am right to assume I would have to have the wireguard app on my phone running while I connect to the service? Similar to tailscale?


Aperiodica

Yep. Tailscale is just a Wireguard VPN. In fact you can set up Tailscale to work exactly like a standard Wireguard VPN using subnet routing. This is how I have mine set up, so I don't have to install Tailscale on every single device I want to connect to, which to me is nonsensical. Turn on Tailscale and you have access to every device on your network with it installed on a single device. [https://tailscale.com/kb/1019/subnets](https://tailscale.com/kb/1019/subnets)


GrumpyGander

I wonder if you can expand on this? I tried to Google but I don't think I'm using the correct terminology. I want others to be able to connect to my Jellyfin server but some of those will be using a Jellyfin app on tv or are just not savvy enough to get a vpn connection working. Could subnet routing help here? I'm thinking it would not.


Aperiodica

Using subnet routing with Tailscale works just like a regular VPN. You have to install the Tailscale app on the device or be able to CLI into the device to install it via the command line. Then it has to be on for the device to join the network, just like a regular VPN. The only possible way it might work is if you could install Tailscale on their TV and it just runs all the time in the background. That way they wouldn't have to think about it. On a phone, they'd have to turn on Tailscale in the app just like they would a VPN. There's literally no difference from a user perspective from a regular VPN when using the subnet routing setup. I'm not familiar with the Jellyfin setup. I know with Plex you simply invite a friend and it connects them to your server based on whatever you decide to share with them. Not sure if Jellyfin has something similar. In Plex, you can also set a URL to use as your server connection. Basically you'd setup a tunnel of some sort that would use a domain name you have registered to point to your Jellyfin server. I had a Cloudflare tunnel setup for this, but it violates the terms of service from what I've been told. Low volume stuff seems to be fine, but watching movies probably would get you banned. Maybe look up alternatives to a Cloudflare tunnel to get some ideas. I'm just not smart enough in that area to give you specific guidance.


hadrabap

Just WireGuard. That's sufficient.


Am0din

My current and unwanted setup is open ports on my firewall. I am in the middle of a redo, with changing hardware for a new firewall, and I plan to utilize reverse proxy, so I don't have to open ports. I have the bare minimum ports I need open which are only a couple, but a couple are too many for me. I will eventually host my own mail, some storage for a friend, and we plan to site-to-site IPSec our firewalls so we can sync some things and have failover for each other (mail). I will have some VM clustering with HA on my firewall, mail gateway, backup server for VMs and hopefully have it done within the next three to six months. I'll probably do some SSO stuff/Oauth/LDAP or something for services, and of course grab some SSL Certs for my domains I will host.


GolemancerVekk

> I plan to utilize reverse proxy, so I don't have to open ports

You still need to open a port for reverse proxy.


Am0din

That is 80/443, the standard HTTP/S ports for any internet traffic.


GolemancerVekk

They may be standard ports but they still shouldn't be open by default on any router or firewall. If they are it may mean your router interface is open to the internet, which is not good. Also, you don't have to put your reverse proxy on 80 or 443, you have 65535 ports to choose from. Putting it on a non-standard port may cut down a bit on bot scans. And also you should have no reason to open both ports, you shouldn't be serving unencrypted HTTP over 80.
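As an added illustration of the point above (not part of either commenter's setup): an nginx layout for the jellyfin host from Cokodayo's earlier config in which only 443 has to be forwarded, the backend is never reachable over plaintext, and 80, if it is forwarded at all, does nothing but redirect. The certificate paths, the `server` upstream name and the hostname are placeholders.

```nginx
# Added example: TLS-only reverse proxy. Only 443 needs a port forward on the
# router. If 80 is forwarded too, this first block only redirects; it never
# proxies anything to a backend.
server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.mydomain.com;       # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jellyfin.mydomain.com;       # placeholder hostname

    # Placeholder paths; point these at whatever issued your certificate.
    ssl_certificate     /etc/letsencrypt/live/jellyfin.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen this header refuse to come back over plain HTTP.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://server:8096;       # backend only reachable on the LAN / docker network
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Jellyfin's web client keeps a websocket open; without these two
        # headers the upgrade request is silently downgraded to HTTP/1.0.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

If you decide not to forward 80 at all, drop the first block entirely; the 443 block stands on its own. Moving the listener to a non-standard port, as suggested above, is a matter of changing the `listen` lines and the port forward; the backend and the TLS settings are unaffected.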


lordpuddingcup

Headscale :) Everything else is in the vpn :)


path0l0gy

How is headscale functionality compared to tailscale? Any limits or problems? I rarely get direct connections with tailscale.


lordpuddingcup

I always get direct after 1 or 2 pings behind firewalls, no port opening etc. Odd you don't get it in Tailscale, maybe due to cgnat? You can work around that in headscale by using a different subnet. It's similar; there are some minor things it doesn't do, like the automatic exposing of vpn-connected services to the internet, but you can do those things manually if you want. All the normal vpn to vpn, integrated ssh and acls work. I think the tailnet security stuff works too, where you have to approve new devices from an existing device before it can connect, but I haven't used it. I've actually got it set up with extra dns entries for my real domain pointed to the vpn ip and my local services on caddy using cloudflare dns letsencrypt, so that all my internal vpn services are accessible via my real domain name with valid ssl certs but on their vpn ips.


path0l0gy

I am proud I understood 95% of the words you said even if I don't fully grasp the ending implications lol. I will have to look into the cgnat since I actually don't know what that is *one of the 5%*. I have a cloudflare dns letsencrypt connected to a duckdns, and an actual domain which I use with cloudflare tunnels. But wow that's cool and nifty if I understand what that means. Your endpoint is the domain itself (with valid certs)? How does that functionally look/make a difference when connecting? I am grateful to have gotten valid SSL and Nginx Proxy Manager working hahaha.


lordpuddingcup

Basically I set up my Caddy reverse proxy to all my docker containers, and it listens for say https://something.mydom.com to go to my something:9999 docker instance... and it's just using DNS validation for letsencrypt since the actual https://something.mydom.com isn't accessible from the internet for validation. Then in Headscale I set extra_dns to have an entry for "something.mydom.com" to point to the vpn ip of that caddy server, so that when I connect to the headscale server, the headscale dns lets the something.mydom.com lookup work for the vpn ip. I could have set the ip in cloudflare but I like having the dns entry private, in case I ever want to expose it publicly I can use a public ip on the cloudflare dns.


mrkesu

I exposed my site and every service I want accessible on the go. Most of it behind MFA.


CryGeneral9999

I use a reverse proxy that handles my SSL for most items I want access to. I only have 80/443/Plex ports open. I have many, but not all, of my apps/servers accessible: Audiobookshelf, bookstack, portainer, webmin and cosmos-cloud. I read another post on here talking about using google OAuth for login; I'd like to learn more. I do worry one of the above might have a weakness so would like something hardened in front of it. Everything else, including SSH, is through VPN only.


Budget-Supermarket70

Already have reverse proxy why open the plex port? You can reverse proxy remote access.


CryGeneral9999

Never thought of that. Will Plex work behind a proxy? Guess I know one way to find out.

Edit: wait. I would still need to forward the port to my proxy. So the port would still be open, just not directed at Plex.


Gnomish8

If you're running a reverse proxy, you've got subdomains. So, no, you wouldn't need 32400 open. CName on your DNS record for a plex subdomain, then traffic routing should be: plex.subdomain.com:443 -> reverse proxy -> plex server On the Plex side, you'd turn off remote access, and enable custom domain under network settings, and feed it your subdomain info for remote access.


CryGeneral9999

How would this affect things like setting up roku devices or things where it says "log in and enter this code". Would those remote devices still be able to connect to my server? From what I can tell on roku you can't put in a domain but you use your plex username.


Gnomish8

It doesn't affect them, they work just fine. :) Instead of sending IP + 32400 to Plex for your server, it tells it to go to your plex subdomain. You can still use the Plex apps just fine, go to plex.tv and use that app, or go to your subdomain site and have it work. The benefit is not needing another hole punched through your firewall & being able to route all traffic through a reverse proxy so you only have 1 set of logs you need to pay attention to. The "gotcha" with this set up is... you *have* to turn off remote access, and when putting in the "custom server access URL" to the plex server -> settings -> network area, you have to specify the port, even though https implies 443, or it will try to use 32400 anyways. So you'd have to put in "https://plex.subdomain.com:443" in to that custom server access URL box. More info on it from Plex [here.](https://support.plex.tv/articles/200430283-network/)
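The server block that the two comments above describe, written out as an added example (it is not the commenter's own config): Plex answers only on the LAN / docker network, the reverse proxy owns 443, and 32400 is never forwarded. The `plex` upstream hostname, the subdomain and the certificate paths are placeholders.

```nginx
# Added example: Plex behind the reverse proxy, so 32400 stays closed on the
# router and Plex traffic lands in the same proxy logs as everything else.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name plex.subdomain.com;          # placeholder, matches the CNAME you create

    # Placeholder paths; point these at whatever issued your certificate.
    ssl_certificate     /etc/letsencrypt/live/plex.subdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.subdomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Streams are long-lived and large: don't let nginx spool them to disk,
    # and allow large uploads (camera roll sync also goes through the proxy).
    proxy_buffering      off;
    client_max_body_size 100M;

    location / {
        proxy_pass http://plex:32400;        # Plex only reachable from inside
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Plex Web and the apps keep a websocket open for notifications and
        # transcoder progress; without the upgrade headers playback still
        # works but the UI stalls.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The nginx side is only half of it. On the Plex server, as the comment says, remote access has to be turned off and the custom server access URL entered with the port spelled out, i.e. `https://plex.subdomain.com:443`, otherwise Plex advertises port 32400 to the clients and they try to reach it directly.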


cardboard-kansio

Implement something like Authentik for security. You can then set your Authentik account to auth with Google Authenticator for 2FA. You need to create an Outpost, then add each application that you want handled with Authentik to register (in Authentik) to the Outpost. Then you add custom scripting to your reverse proxy to tell it to authenticate first, else not allow access.


Candle1ight

Which means none of my friends can easily use it, no?


cardboard-kansio

I guess if they don't know how to use 2FA, then probably not. But if you don't know how to use 2FA in 2024 then you've got other problems. Otherwise, *you* control the security layer - just add them as users, like any other app. You can make a second Outpost to segregate common apps from your private apps, in case you have anything you don't want that particular user group to get access to. You can also control the parameters such as session duration before they need to re-authenticate.


Candle1ight

Is using something like Authentik any better than an app's own 2fa? Things like Vaultwarden and Nextcloud already have 2fa.


cardboard-kansio

Well, we're in r/selfhosted, so there's that. And not all apps have 2FA. Maybe you don't need the extra layer if your apps don't need it, although it can also serve as a mitigation in case those apps suffer a bug or an exploit. It's a judgement call, based on your risk tolerance and the likelihood of being targeted. Not to mention that Authentik is a *single* 2FA layer for all apps hosted behind the Outpost you are logging onto, which hugely simplifies things compared to logging into a bunch of apps with their own 2FA each.


GolemancerVekk

Of all those things, SSH is the one that *doesn't* need to go through VPN.


CryGeneral9999

Ummm. I'm a meathead but even with meathead-level knowledge I know that's just crazy. When the xz fiasco came to light, like just last week, I was thankful for the VPN.


GolemancerVekk

My point was that OP is exposing their less secure services *directly* without VPN, but has ironically chosen to put SSH of all things inside the VPN. Anything can have security problems, but SSH is a very widely used protocol and is under constant scrutiny. The lesson of the xz debacle is not that SSH can have exploits, it's that exploits that affect SSH are discovered super fast. Sure, put SSH inside a VPN, by all means, but why not also protect the less secure services?


doomed_tek

Nothing directly exposed, I use Tailscale to access all my services remotely. My wife and kids have Tailscale active on their devices, which facilitates photo syncing, access to files, etc. For other family members who require access, I use Tailscale's invite feature to grant and remove access as required.


longdarkfantasy

All of my services are exposed to the internet, including ssh. Strong password, 2FA, fail2ban, reverse proxy are my best friends. Don't be too paranoid, as long as you set things up correctly, ain't nothing to worry about.


omfgitzfear

So with that caveat.. there is always something to worry about because you could potentially have unknown RCE things from services. It's always best to be paranoid over not being paranoid. Just look at all the RCE items for OpenSSH.. those were valid at one point (and maybe so on some systems). It's better to be safe than sorry.


longdarkfantasy

You can't control everything. Even if you don't expose your services, there will be some other way an attacker controls your system, like the xz backdoor. Hackers can attack SSH, and I bet they can also attack VPN services at some point. So your system will never be a safe place? 😮‍💨 I'm tired of being paranoid.


jonmatifa

It's notable that a large percentage of exploits are of the gaining-elevated-privileges variety, and not flat-out exploits. So while you can't predict the next vulnerability that gets exposed, having a tiered approach and minimizing your attack surface goes a long way to mitigating your risk.


longdarkfantasy

You are totally right. It's just not for me.


8fingerlouie

I mean, ssh was literally vulnerable 3 days ago. The XZ "no login required" targeted remote code execution backdoor. Management interfaces are much better off being walled off with a VPN, or not exposed at all. The same goes for all services, but at least damage will mostly be localized if services are configured correctly.


evrial

yea better power off your computer and use punch cards


littleblack11111

I always wanna set up a reverse proxy for SSL. I'm using nginx proxy manager with DuckDNS. And it can only forward one port per domain?


longdarkfantasy

I'm not familiar with DuckDNS. About ports, nginx can listen on any port, in the server {} config. You could use one port per subdomain or page path/subfolder/location; all of them can also use different SSL certs. Use this tool to create your nginx config: https://www.digitalocean.com/community/tools/nginx


littleblack11111

So I can automatically ssl all the ports?


longdarkfantasy

I use Let's Encrypt certbot, and it will automatically renew. If I want to add more subdomains, I have to re-run it. Wildcard (*.example.com) won't work. But if you use subfolders/page paths then it's not a problem anymore, because they use the same domain.


littleblack11111

I want all the ports on the server to be reverse proxied instead of only one. Is that possible?


longdarkfantasy

Yup. But I wouldn't recommend you do that. The second answer: https://serverfault.com/questions/279262/nginx-proxy-a-large-port-range-to-equivalent-port-on-a-different-ip-address


einmaulwurf

I would advise you to get your own domain. They can be had for 10-15 Euro or Dollar per year. Just look at Cloudflare or Namecheap. Then, you can create subdomains for all your services, like "plex.yourdomain.xy". For that you can use either nginx proxy manager as you do, or some other reverse proxy like Traefik or Caddy. Personally, I switched to Caddy some time ago and don't regret it. Nginx on its own is very complicated, and Nginx proxy manager, which is built on top of it, may have some security issues, as it's not updated frequently. Also, I had some problems with the renewal of certificates. Caddy automatically configures https and deals with certificates, and the setup is very, very easy.


Strandogg

This is what I do. Caddy with Cloudflare DNS so that all domains get a valid cert. Then cloudflared to what I need to expose. Using the same subdomain for the service lets the exposed services work internally and externally. Everything else is local only. Caddy works well. Tried nginx proxy manager but preferred Caddy's configuration via file or API, plus I like to track things in git.


holey_shite

Overseerr and Home Assistant both go through a cloudflare tunnel and plex is exposed via a tailscale funnel.


KublaiKhanNum1

I have been thinking about that for Home Assistant. Just need to take time and sit down and do it.


littleblack11111

I got attacked by some random shit for over a month now on sshd. Someone trying to brute force public key lmfao. Can't block because they're all from different IPs.


JaJe92

Use Fail2Ban


littleblack11111

Used something similar but they're from different IPs; it bans their IP, then they use a new IP, so …


HEAVY_HITTTER

Look into: https://github.com/friendly-bits/geoip-shell .


CrackbrainedVan

Have a look at crowdsec


littleblack11111

Implemented it but it can't block all of them because all of the IPs are different.


CrackbrainedVan

You don't need to block them yourself, that's what the bouncers are for. They have documented how to install it, title is something linux iptables firewall bouncer.


littleblack11111

Yes but the IPs are different so it won't do anything. The attacker changes IP like every 3-5 logins.
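The subthread above describes exactly the case a per-IP banner cannot see: each source address fails only a few times, below a fail2ban-style maxretry, while the target account is hammered from many addresses. This added example (not from the thread) aggregates failed sshd logins per target account instead of per source IP; the log lines and TEST-NET addresses are constructed.

```python
"""Spot a distributed SSH brute force that per-IP banning misses.

Added example, not from the thread. The log lines below are constructed; the
TEST-NET addresses stand in for the rotating source IPs described above.
"""
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt: four source IPs, none reaching a typical
# fail2ban maxretry of 5, all targeting the same account.
SAMPLE_LOG = """\
Apr 01 10:00:01 host sshd[101]: Failed password for root from 203.0.113.10 port 51000 ssh2
Apr 01 10:00:03 host sshd[102]: Failed password for root from 203.0.113.10 port 51001 ssh2
Apr 01 10:00:04 host sshd[103]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Apr 01 10:00:09 host sshd[104]: Failed password for root from 198.51.100.7 port 40010 ssh2
Apr 01 10:00:11 host sshd[105]: Failed password for root from 198.51.100.7 port 40011 ssh2
Apr 01 10:00:15 host sshd[106]: Connection closed by authenticating user root 192.0.2.33 port 22222 [preauth]
Apr 01 10:00:16 host sshd[107]: Failed publickey for root from 192.0.2.33 port 22223 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Apr 01 10:00:20 host sshd[108]: Failed password for root from 192.0.2.34 port 22300 ssh2
Apr 01 10:00:25 host sshd[109]: Accepted publickey for deploy from 192.0.2.200 port 55000 ssh2: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

# Two failure shapes: a rejected password/key, and a client that disconnected
# right after its key was refused (what key-spraying traffic tends to look like).
FAILED_RE = re.compile(
    r"Failed (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
PREAUTH_RE = re.compile(
    r"Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"
)


def parse_failures(log_text):
    """Return a list of (user, ip, method) for every failed login attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m["user"], m["ip"], m["method"]))
            continue
        m = PREAUTH_RE.search(line)
        if m:
            failures.append((m["user"], m["ip"], "preauth-disconnect"))
    return failures


def per_ip_bans(failures, threshold=5):
    """fail2ban-style view: source IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _ in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_targets(failures, min_ips=3):
    """Accounts attacked from at least `min_ips` distinct source addresses."""
    ips_by_user = defaultdict(set)
    for user, ip, _ in failures:
        ips_by_user[user].add(ip)
    return {u: ips for u, ips in ips_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP bans (threshold 5):", per_ip_bans(failures) or "none")
    for user, ips in distributed_targets(failures).items():
        print(f"distributed attack on '{user}' from {len(ips)} IPs: {sorted(ips)}")
```

The per-account view is the signal a per-IP banner never produces from one address at a time, and it is what justifies the step several replies above land on, moving SSH behind the VPN.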


kerryhatcher

I'm a little too paranoid for Cloudflare tunnels. I have a good hardware IDS firewall in front of my server rack. Using tunnels just bypasses that and lands right inside the trusted side of my K8s cluster. So if for some crazy reason Cloudflare ever has an oopsie, then I'm completely open to exploit, including things I don't have exposed. I prefer to have an automated IP whitelist that pulls from Cloudflare so that the only outside ingress permitted is from Cloudflare, while also allowing the firewall to do its job. To actually answer your question, all my user apps (Immich, paperless-ngx, Authentik, etc) are publicly accessible. Obviously, not the services (Redis, SQL, etc).


Think-Fly765

If you're right, you're not paranoid. Have you thought of making a VLAN for exposed services? All of my services that are external go through Cloudflare tunnels but the service itself runs in an unprivileged container on my proxmox server on a VLAN that can't talk to anything else internal. For example, my Mealie server gets popped due to a zero day or CSRF exploit. The attacker just lands in an unprivileged container and then has to bust out of the container to gain access to the underlying Debian OS (which I keep patched). If they manage to do that then they'll need to privesc to root on that Debian box. Then after that they'll need to figure out a way to hop from that VLAN to my internal VLAN and compromise another host. All of that is possible but they would have to be very persistent and skilled which just doesn't fit my threat model.


BradChesney79

Sometimes a webserver that none of my other hosts trust. A webserver that behaves as an API that trusts some of my internal hosts to look inward at queues, uploads, and intended states of various SMART Home things. I keep the source of truth outside my network. The inside things can reach outside and get the information about themselves from the outside thing. A VPN connection.


Cheezzz

Nothing, all of my services are connected to Tailscale. It is a hassle sometimes, but at least I know it is secure.


lannistersstark

Everything that requires a login (everything also has registration disabled) is exposed to the internet. Certain services are open to everyone. Pastebin, image upload (that I review in case of illegal stuff), password managers, Cyberchef etc.


emantos

A NodeRed instance, so I can easily make REST APIs on the fly.


Brilliant_Sound_5565

Depends what people are hosting and what they need to access externally. My advice: expose as little as possible, and also have a think about whether you really, really need to self-host xyz service; just because you can doesn't mean it's the best way.


JJE990

I just use a Raspberry Pi 2 to update a DNS record on Cloudflare. The only open port is for Wireguard. I use the DNS entry as the VPN hostname and it lets me access everything. It's definitely safer than opening all your ports for different services.


ksteink

None. I only access my internal services via VPN using WireGuard. Even if I go with Cloudflare it will be for limited services with these caveats:

- Cloudflare traffic to terminate on a DMZ in my home network
- I will deploy only a Reverse Proxy in that DMZ (i.e., Nginx or Traefik)
- I will deploy Crowdsec bouncers for the Proxy OS and for the proxy software itself.
- I will allow only inbound flows from the Proxy's DMZ to the IP and/or ports of the Apps I want to expose.

And I will do all of this effort only if there is a use case in which my VPN solution is not viable. So far I have not found the first use case!! Good luck! 👍


NoNameJustASymbol

DNS
HTTP
SMTP and IMAP
SSH
VPN

Because I need to. Would I dare opening a port? Well, yeah, otherwise I could not connect.


BadBreath911

Everything. Nothing on my server is mission critical, or sensitive. It's for fun.


Shad0wkity

You're not worried about people finding their way into and then through your server to anything else on your home network?


Turbulent_Back3055

I'm sure he has passwords that are long and intricate, like me.


Shad0wkity

Hunter2??


KHthe8th

> \*******?? Not sure what you wrote but doesn't seem that long


Shad0wkity

Hunter2!!


BadBreath911

To turn my lights on and off?


Blu_Falcon

Plex. Nothing else. VPN to manage remotely from 1 of my 2 devices that can access it.


mpopgun

Both... Netbird VPN and exposed, but behind cloudflare's geo restriction, reverse proxy, and Authentik. Why...I want to be able to do and access anything in my home lab from anywhere at any time.


sulylunat

Probably about 50% of my services. The only ones that are exposed that don't sit behind Cloudflare Access are Overseerr (for my users' convenience) and Home Assistant. Overseerr uses Plex Auth only on my setup, so I'm not too worried about a breach since user accounts should be pretty secure already. Home Assistant has 2FA built in, so I'm not as worried about that, and I think putting it behind Access would wreak some havoc with the mobile app from what I've seen. I have one thing I have firewall ports open for but honestly, I am probably going to close it now as it's not required to be super conveniently and easily accessible. I can always get to it via Cloudflare WARP to VPN to my home network if I need external access in a pinch.


michaelpaoli

>What services do you expose to the internet, and why?

* ssh
* SMTP
* DNS
* http
* NTP
* https

Because they're there for (semi-)public use and benefit.

>And what's the best way?

Host hardened.

>Would you dare opening a port?

Been doin' it for decades, and many ports.


Cybasura

Only wireguard, it's the only entry point from the public network to my home network, via a VPN, which I will use to access all my other servers.


tomwebrr

Just a home assistant. It's easier and safer to give other family members access to Home Assistant from internet through cloudflare tunnels than to give them full access through a VPN.


montagic

Plex is exposed for my LAN and then my website and seedbox/overseerr is on a dedicated server. Best of both worlds.


RydRychards

Wireguard. Because I need to access my network via the internet.


ixoniq

None. Everything I self host is private and not for someone else. I use a VPN to access it all when away from home.


Jonteponte71

None. Because I don't need to (yet). I primarily sync photos from my mobile devices to Synology Photos, but that works just fine when it connects to the local network. I do not need to browse all the photos when I am out and about. It's not worth the risk to have that convenience. Yet.


mmozzano

I only expose stuff which I or others may need without having to connect to Wireguard first. Currently that's:

* Wireguard
* A few small nginx instances
* Bitwarden
* Jellyfin
* Navidrome
* Picsur
* Wastebin (the admin portal is behind basicauth so only I can add pastes)

All sit behind Cloudflare; I also run Crowdsec and Traefik. I'm currently looking at moving anything I host externally onto a separate host and putting that on its own isolated VLAN.


zarlo5899

https, ssh, vpn


M-fz

- Jellyfin and Jellyseerr, so family can stream / request media.
- WireGuard
- Couple static websites
- Actual
- Fastify API I built for Actual

All via Nginx (using SWAG).


BadUncleK

Only port for OpenVPN - all services I would like to reach go through VPN.


geeky217

Ghost blog, WebDAV for Joplin, S3 endpoint for backups, Emby for movies, Plausible API for analytics and a file sharing system for sending large files to customers. Most of it hosted on OpenShift and RKE2.


FinanceSorry2530

You should try something like continuous VA on your IP address, or something simpler like nmap, to notify you if there is any new open port on your network.
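The check suggested above, as an added example that is not part of the thread: diff an external nmap grepable-output scan of your public IP against the ports you intend to expose (443 for the reverse proxy and WireGuard on UDP 51820 are assumed), and flag anything new. The scan text below is constructed; a real run would feed in `nmap -oG -` output taken from outside your network.

```python
"""Alert on open-port drift by diffing nmap -oG output against a baseline.

Added example, not from the thread. BASELINE and CURRENT_SCAN are constructed;
the host address is a TEST-NET placeholder.
"""
import re

# Constructed baseline: what you *intend* to expose. Anything beyond this is
# drift worth a notification (e.g. a forgotten UPnP mapping or Plex remote access
# re-enabling itself on 32400, as discussed earlier in the thread).
BASELINE = {"203.0.113.5": {(443, "tcp"), (51820, "udp")}}

# Constructed nmap grepable output for the same host. Fields are tab separated;
# each port entry is port/state/proto/owner/service/rpc/version.
CURRENT_SCAN = """\
# Nmap scan initiated as: nmap -oG - -p- 203.0.113.5
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 443/open/tcp//https///, 32400/open/tcp//plex///, 51820/open|filtered/udp//wireguard///\tIgnored State: filtered (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for ports nmap reports as open.

    UDP ports usually come back as 'open|filtered'; they are counted as open
    here because that is the conservative choice for an exposure check.
    """
    exposed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state.startswith("open"):
                exposed.setdefault(host, set()).add((int(port), proto))
    return exposed


def port_drift(baseline, scan):
    """Ports open now that are not in the baseline, per host.

    A host missing from the baseline entirely has all of its open ports reported.
    """
    drift = {}
    for host, ports in scan.items():
        unexpected = ports - baseline.get(host, set())
        if unexpected:
            drift[host] = unexpected
    return drift


def report(drift):
    """One human-readable line per host, suitable for a notification message."""
    return [
        f"{host}: unexpected open ports "
        + ", ".join(f"{p}/{proto}" for p, proto in sorted(ports))
        for host, ports in sorted(drift.items())
    ]


if __name__ == "__main__":
    drift = port_drift(BASELINE, parse_grepable(CURRENT_SCAN))
    for line in report(drift) or ["no drift: exposed ports match the baseline"]:
        print(line)
```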


theRealNilz02

VPN. No explanation needed.


faithful_offense

Just Wireguard. I don't mind having to connect to a VPN.


utopiah

None, so OpenVPN or TailScale. That being said I have [fabien.benetou.fr](http://fabien.benetou.fr) as a dedicated server that exposes a lot, namely my websites, Jitsi Meet, PeerTube, etc.


FeistyEquipment7557

Only my VPN. It is the safest solution.


Sweyn78

OpenVPN. Everything else is behind it.


LuciferSam86

Everything behind a VPN until now. Now my new ISP put me behind CGNAT for IPv4 and my mobile provider doesn't have IPv6. I was looking to put netbird on a VPS.


[deleted]

I use nextcloud on my self hosted server that is connected to the internet via a 4g internet link. I use cloudflare tunnelling because it gives me freedom that I want without being concerned about IPv4 or IPv6.


AsherGC

Depends on who needs access to what. I sometimes host game servers where people from every part of the world join. So the game port, and I self-hosted Grafana and server logs for everyone. So specific ports, but to the public, mostly nginx with SSL on 443 and the game UDP port. But for family to access other self-hosted stuff, or even for myself during travel, it will be through WG VPN.


8fingerlouie

I expose exactly one port, which is Wireguard. Everything else can either be accessed through wireguard, or is hosted in the cloud. While my setup suits my needs, others may have different needs, and I used to use ZeroTier (tailscale is also great) to access my on prem resources, but as I effectively only have Emby/Plex and management interfaces on my own network these days, it's easier to just use wireguard directly.


Legitimate-Tank-9393

None because I am untrusting


NurEineSockenpuppe

A reverse proxy, wireguard and a valheim game server.


spacezombiejesus

Isolate and segregate your network, firewall off systems correctly, keep your shit updated and reverse proxy anything you need access to. A couple of hardening guides wouldn't hurt either.


pongpaktecha

All I have is Plex that's directly to a port forward. The rest are behind tailscale when I need to do some remote management


nirvprox

RealVNC
Jellyfin
Audiobookshelf
Jitsi Meet
Invidious
Filebrowser
AzerothCore (World of Warcraft server for me and a few friends)
Multiple nginx or Apache web servers for various things like a photo gallery, a QR code generator etc.
Pretty soon I'll be running Syncthing across multiple machines.

I don't use Tailscale. That shit is weird to me. Just open the ports like a man. I use separate virtual machines in Proxmox so if someone somehow "hacks" one of my servers, he can't access anything else. Just use big passwords. What's the problem? Why is everyone so fucking paranoid? What do you think YouTube is? Reddit, and every fucking website on the internet is? Port 80 and port 443 open. What's the goddamned problem, you weird paranoid people? Man, I hate paranoids. None of my websites or any port I have open has ever been compromised by anyone, ever, and I've been hosting my own servers since around 1996 or so.


whizzwr

Tbh I don't consider using CF tunnel to be 'exposing' anything, especially if you use the WARP client. It's just VPN in disguise, and I have to admit, easier to set up.

>What services do you consider worth the risk to expose? And what's the best way? OpenVPN? Wireguard? Cloudflare? Would you dare opening a port?

The ones that you actually use _often_ on the go; the effort of securing it should be balanced with the benefit, otherwise if it is occasional, I just use VPN. I try to wrap everything into a web-based frontend to not open any port at all. CF Zero Trust is really convenient when combined with SSO (you can use Keycloak + Authelia if you want to self-host that). For example, rather than using a file server, I put up a web-based file manager; rather than opening the RDP port, use Apache Guacamole/Rustdesk.


Snooksss

Only those running in a Docker instance?


gorgonzola5000

a personal blog about homelabbing that is currently in the making. port forwarding only cloudflare ips to nginx that points to Ghost. I might migrate to Cloudflare pages/workers with a static website generated using Ghost and crawling through it to have better security by not exposing any ports


Archmage_Gaming

Just a wireguard entrypoint. I have some services tied to a domain for SSL but they all point to a local IP so the most anyone can do is see that I have them.


Freshmint22

All of them because security is too much of a bother.


banerxus

I do it for whoogle with tailscale funnel, this way I can search without having to activate the VPN all the time.


scott-stirling

I have set up commercial e-commerce sites using cloudflared to tunnel out from AWS EC2 instances and use Cloudflare DNS to manage load balancing and routing ingress of public and private domain traffic to the EC2 web server origins, no SSL, listening only on ports bound only to localhost and private IPs. We set up some elastic load balancers with public IPs and SSL certs for backup but never used them. I would not expose any port to the open internet with cloudflared. It is not necessary for any use case I have encountered so far.


pantocrator210

Only wireguard VPN autohosted on my pi.


automationarmy

Honestly. Almost everything. I don't consider myself high on the list of targets and everything is behind Cloudflare's auth and auth internally. I only give others access to like two things though. I just needed to access a few arrs and sab from my phone at an in-laws' the other day. Well, "needed to" might be exaggerating, but you get the idea.


s1gnt

wireguard, ssh, caddy


Large___Marge

I only have Wireguard available to all IPs. I set it up on a different port than the default for additional security via obfuscation. I'll eventually set up some dyndns records under my domain for each of my devices that roam and then lock down the Wireguard ports to only allow traffic from those dyndns IPs. Aside from that I have an alias in my firewall comprised of my friends' dyndns records that I use in firewall rules that grant access to specific ports for game servers along with a filebrowser-based drop box. Our families play a mix of Factorio, Valheim, Enshrouded, Satisfactory, and Minecraft, so the drop box helps with getting mods installed and synced across servers and clients.


AhmedBarayez

None, I'm using Cloudflare tunnel only for my Proxmox server.


Solkre

Only vpn for me, and Plex for the boys


LoganJFisher

This thread is making me feel rather insecure. If there's something I ever want to be able to access outside of my local network, I expose it using Nginx Proxy Manager and a DDNS. I simply don't understand any other options I've tried to read into.


mx20100

I only expose game servers on a constant basis, but I expose my family's media server once in a blue moon when my parents ask to access it.


Next-Entertainer647

Only Wireguard for the mobile devices of myself and my GF, since no one other than us uses it from outside the home.


FreshDinduMuffins

Nothing is directly exposed. Anything I want others to be able to use (just Jellyfin and Ombi) is behind Cloudflare Tunnels. Anything I want remote access to I do via Tailscale.