• Bdaman@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    56
    arrow-down
    1
    ·
    9 months ago

    The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.

      • sunbeam60@lemmy.one
        link
        fedilink
        English
        arrow-up
        8
        ·
        9 months ago

        Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.

        • AtariDump@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          edit-2
          9 months ago

          Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.

          Homelab, ehhh. Much smaller user base and within smackable reach.

          • sunbeam60@lemmy.one
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            9 months ago

            Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.

      • Footnote2669@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it

      • JDubbleu@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Not OP, but I just use ZeroTier for this since it’s dead simple to setup and free. I’m sure there’s some 100% self-hosted solutions, but it’s worked for me without issue.

      • Bdaman@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Sorry, haven’t logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.

        Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.

  • TDCN@feddit.dk
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    9 months ago

    Everything is behind a wireguard vpn for me. It’s mostly because I don’t understand how to set up Https and at this point I’m afraid to ask so everything is just http.

    • Fisch@lemmy.ml
      link
      fedilink
      English
      arrow-up
      11
      ·
      9 months ago

      I’ve been using YunoHost, which does this for you but I’m thinking of switching to a regular Linux install, which is why I’ve been searching for stuff to replace YunoHost’s features. That’s why I came across Nginx Proxy Manager, which let’s you easily configure that stuff with a web UI. From what I understand it also does certificates for you for https. Haven’t had the chance to try it out myself tho because I only found it earlier today.

    • Johannes Jacobs@lemmy.jhjacobs.nl
      link
      fedilink
      English
      arrow-up
      7
      ·
      9 months ago

      Its not hard really, and you shouldn’t be afraid to ask, if we don’t ask then we don’t learn :)

      Look at Caddy webserver, it does automated SSL for you.

      • TDCN@feddit.dk
        link
        fedilink
        English
        arrow-up
        8
        ·
        9 months ago

        Thank you. It was mostly ment as a joke tho. I’m not actually afraid to ask, but more ignorant because it’s all behind VPN and that’s just so much easier and safer and I know how to do it so less effort. Https is just magic for me at the moment and I like it that way. Maybe one day I’ll learn the magic spells but not today.

        • Johannes Jacobs@lemmy.jhjacobs.nl
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          All software has issued, such is the nature of software. I always say if you selfhost, at least follow some security related websites to keep up to date about these things :)

              • andreas@lemmy.korfmann.xyz
                link
                fedilink
                English
                arrow-up
                2
                ·
                8 months ago

                few days late here, but that pastebin had some really good feeds 🙏 I noticed the OPML file was labeled FreshRSS and I also use FreshRSS. So I fixed up the feeds and configured FreshRSS to scrape the full articles (when possible) and bypass ads, tracking and paywalls.

                I figured I’d pay it forward by sharing my revised OPML file.

                I also included some of my other feeds that are related (if you or anyone else is interested).

                Some of the feeds are created from scratch since a few if these sites don’t offer RSS, so if the sites change their layout the configs may need to be adjusted a bit, but in my experience this rarely happens.

                I had to replace some of the urls with publicly hosted versions of the front-ends I host locally and scrape, but feel free to change it up however you like.

                https://gist.akl.ink/Idly9231/22fd15085f1144a1b74e2f748513f911

    • calm.like.a.bomb@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      9 months ago

      Same here. Taught my wife how to start WireGuard on her android phone and then access any of the services I run. This way I only have one port open and don’t have to worry too much.

      • fragrantvegetable@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        That’s what I do. The beauty of wireguard is that it won’t respond at all if you don’t send the right key. So from the outside it will appear as if none of your ports are open.

      • MigratingtoLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        How about running your wireguard server on a VPS and then connecting to the same interface as clients from your mobile and home network? No ports open on your side!

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    22
    ·
    9 months ago

    Nothing I host is internet-accessible. Everything is accessible to me via Tailscale though.

  • Brayd@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    17
    ·
    9 months ago

    I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).

    I knew about Cloudflare Tunnels but I didn’t want to route my stuff through their service. And using Immich through their tunnel would be very slow.

    I finally figured out how to publish my stuff using an external VPS that’s doing several things:

    • being a OpenVPN server
    • being a cert server for OpenVPN certs
    • being a reverse proxy using nginx with certbot

    Then my servers at home just connect to the VPS as VPN clients so there’s a direct tunnel between the VPS and the home servers.

    Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6 and that one routes the traffic through the VPN tunnel to the home server and it’s port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.

    Took me several years to figure out but resolved all my issues.

    • llii@feddit.de
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      What benefit does it have instead of getting a dynamic DNS entry and port forwarding on your internet connection?

      • Brayd@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        11
        ·
        9 months ago

        With DS-Lite you don’t have a public IPv4. Not a static one but also not a dynamic one. The ISP just gives you a public IPv6. You share your IPv4 address with other users. This is done to use less IPv4s. But not having a dynamic IPv4 causes you to be unable to use DynDNS etc. It’s simply not possible.

        You could publish your stuff via IPv6 only but good luck accessing it from a network without IPv6.

        You could also spin up tunnels with SSH actually between a public server and the private one (yes SSH can do stuff like that) but that’s very hard to manage with many services so you’re better of building a setup like mine.

        https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-ipv6-dual-stack-lite.html

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      2
      ·
      edit-2
      9 months ago

      Tailscale with the Funnel feature enabled should work for most ISPs, since it’s setup via an outbound connection. Though maybe they’re Super Cunts and block that too.

      • empireOfLove2@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        NAT to extremes… it’s Starlink so I think I’m almost completely obfuscated from the internet entirely.

        quite frankly i don’t really host anything that needs to be accessible from the general Internet so I never bothered with workarounds.

  • grue@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    edit-2
    9 months ago

    I currently keep everything LAN-only because I haven’t figured out how to properly set up outside access yet.

    (I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people’s location outside the home would work.)

    • LifeBandit666@feddit.uk
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      I have used DuckDNS and Nginx to get Home Assistant outside but it was horrible, just constantly breaking. Around Christmas time I bought myself a domain name for a few years and Cloudflare to access it, and it’s been night and day since.

      Sure it cost me money but it was far cheaper than a Nabu Casa account.

    • jkrtn@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Yeah, same, except I tunneled HA out via that Cloudflare daemon. Kinda janky because I cannot use the app with it to do locations, but I can check in on the pets from anywhere.

      I’m planning to set up a legit VPN sometime soon.

        • jkrtn@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          I cannot get the app to connect to my HA with the current setup. I have Cloudflare doing email verification, and the app doesn’t understand how to collect the cookies to make that possible.

  • Justin@lemmy.jlh.name
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    9 months ago

    There’s a wid range of opinions on this. Some people only access their services via tunnel, some people open most of their services up to the internet, as long as they’re authenticated. One useful option for https services is to put them behind a reverse proxy that require oauth authentication, which allows you to have services over the internet, without increasing your attack surface. But that breaks apps like Nextcloud and Lemmy, so it’s not a universal option.

  • harsh3466@lemmy.ml
    link
    fedilink
    English
    arrow-up
    10
    ·
    9 months ago

    Available to the internet via reverse proxy:

    • Jellyfin
    • Navidrome
    • Two websites
    • matrix chat server
    • audiobookshelf

    LAN only:

    • homepage
    • NGINX Proxy Manager
    • Portainer

    There’s more in both categories but I can’t remember everything I have running.

  • pHr34kY@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    9 months ago

    Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.

    Like, even my DNS server is public because I use DoT for AdBlock on my phone.

    Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).

    A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.

  • powermaker450@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    9 months ago

    Nearly all of them. Nextcloud, Jellyfin, Vaultwarden, Spacebar, and 2fAuth, all set behind an NGINX Reverse Proxy, SWAG. SWAG made it very easy to set up https and now I can throw anything behind a subfolder or subdomain.