Hey all,
I’m setting up a homeserver and trying to figure out the best way to access it remotely. I’ve been looking at different solutions, but I’m a little stuck.
I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.
I’m currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn’t work well with accessing services through an app on my mobile device (like for jellyfin music for example.) I did think about just opening up the ports and using a DDNS with a reverse proxy, but is’nt that like a big security risk?
Keep in mind I am no network admin, but I don’t have anything against learning if someone can point me in the right direction.
Also I heard some people say that on proxmox you should use unprivileged containers instead of vms for your services, does that hold up?
Any recommendations for tools or approaches?
You must log in or register to comment.
Tailscale, if you don’t want to make your services available to anyone else than you (and people you want to grant access to).
This is the best option if you don’t want to manage your own VPN server.
I second this.
Cloudflare Tunnels work great and are really easy to setup. Plus you are not exposing you machine completely to the outside, as the cloudflared service/container „calls out“, and Cloudflare is your reverse proxy. Downside is, you’re binding yourself to one of the US hyperscalers.
Pangolin uses the same principle, but is a bit more challenging to setup. Plus you need some kind of cloud server to make it work.
As you already have a VPN active at all times (at least it sounds like that), a VPN home seems out of the picture.
Unless you have a dedicated firewall at home, maybe reconsider the reverse proxy route. Personally would not feel comfortable with exposing a machine at home to the internet in full without a handle on what it can do or how it may be reached.
As you already have a VPN active at all times (at least it sounds like that), a VPN home seems out of the picture.
Expand on that, if you would. I run local VPN and everything else through Cloudflare. In fact the VPN DNS is Cloudflare as well as the stand alone pFsense firewall. Perhaps I am misunderstanding, which is likely since I’m all drugged up trying to pass a kidney stone.
Well, not every system can handle or support multiple VPN connections with different providers, or the VPNs could interfere with each other. E.g. when using Tailscale you can not use another WireGuard based VPN according to their FAQs.
Also, it adds complexity to the stack and system as a whole on the client side. That is all fine and dandy as long as it works, but quickly a pain in the butt once you have to debug something.
when using Tailscale you can not use another WireGuard based VPN according to their FAQs.
Anecdotally, if I turn off the Advanced killswitch and The VPN killswitch of my main VPN, I can actually bring up Tailscale. But you are right, it does add complexity. Basically I use Tailscale on the server and pFsense firewall as an overlay VPN. It’s also handy if you lock yourself out of the server. A ‘backdoor’ of sorts.
I am using wireguard for this purpose. My router supports that. It’s a very easy setup and works fine in every is case I encountered except for android car. You do not expose anything to the outside. It’s kind of like logging in to your home network.
I heard you need to exclude Android auto in the WireGuard settings, then it should work.
The reason is that the car communicates via IP with your phone. But when all phone traffic is routed through your home, it can not reach the car.
Oh thanks. I knew the reason for the issue but had not thought of looking for a solution. Well I thought there was none.
Personally, I use headscale (self-hosted tailscale) that is open to the internet. Then my phone and all other devices use tailscale clients to connect to that. All my other services are accessed through the tailscale magic DNS service.
Nothing except headscale is open to the internet, and I can access anything I need on the server and other devices. It also doesn’t just route All traffic through my server, only the stuff to other tailscale nodes.
Then just recently I’ve been using Nginx proxy manager and my DNS to make nicer names instead of memorizing a dozen ports for random services I host :p
I went a different path than the VPN route that seems popular in the other comments…
I use a reverse proxy (caddy) with wildcard SSL (so all my hostnames aren’t in the public cert registry) plus port knocking. So normally no outside IPs are allowed to access my internal services, but I can knock and then access anything for a while. Working well so far.
My recommendation is a VPN server to connect in from outside and have the default gateway for the VPN clients be a server that acts as a router that’s set up with your commercial VPN.
That way, you can be outside on a phone or a computer, access your internal network and still have your public internet traffic go out through your commercial VPN without having to be able to configure multiple VPN connections at once (eg. Android doesn’t support that).
Eg. 2 debian proxmox containers. One that runs wireguard (head/tailscale might also work here?) for external access and one that runs mullvad(or whoever) VPN cli and IP forwarding to be the gateway for your clients.
Only downside is the extra hops to send everything through your home network first rather than straight to the commercial vpn which is probably fine depending on your speeds. You can always disconnect and connect directly to the commercial VPN for faster internet traffic if you need to.
I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.
My ASUS WRT router (running Merlin Firmware) forwards my Home WireGuard VPN server through one of my Proton VPN clients, I get all the added bonuses of being connected to my home network, utilizing my PiHole an such, while benefiting from appearing across the world.
I’m currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn’t work well with accessing services through an app on my mobile device (like for jellyfin music for example.)
This is correct, you cannot host an authentication service in front of Jellyfin’s proxy otherwise the Jellyfin Media Player will not connect to your server however, there is a Jellyfin SSO plugin for authentication which is what I use and I disabled the manual login form via CSS but be warned if you take this route that the CSS can be re-enabled on the login screen using your browsers element inspect, I wish you can disable it outright but it’s heavily baked into Jellyfin from what I’ve read.
I suggest setting up a IP-Blacklist for Jellyfin and only whitelisting the known IP’s.
For the unprivileged container thing, containers tend to be lighter on resources than VMs at the cost of a little isolation (they share the same kernel as proxmox which could have security implications).
The ability for lxc containers to run unprivileged with all the restrictions that entails alleviates a bit of that security risk.
Both options are generally considered pretty secure but bugs/vulnerabilities could break isolation in either case. The only real 100% safe isolation is bare metal.
I tend to run containers unless I have a really good reason to need a VM, and run unprivileged unless I have a really really good reason not to.
My Ubiquity Dream Machine has Wireguard integrated. So it’s literally just a few clicks to spin up a server. I use it in combination with a port forward on my FritzBox and a dyn ip using https://dynv6.com/ and a domain i had laying around anyways.
Regarding Wireguard: Wireguards (imho) best feature is split tunneling. You can decide which ips or subnets to route through the tunnel. See
AllowedIPs.As a default it says something like
AllowedIPs = 0.0.0.0/0Which means “just route everything through me”.
However you could allow your subnets only. Like this I use my private and my business vpn at the same time.
AllowedIPs = 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.0.3.0/24You mentioned, that you have not a lot experience with networking, so your subnet may look like that. Just check your local ip and replace the last digit with
0/24AllowedIPs = 192.168.2.0/24Depends I just have a proxy and open port 443. Its not wide open but open enough that others can use it. I geo block have IP lists filter through it and suricata. Or use a VPN if others don’t need access.
Its not wide open but open enough that others can use it
How does that work? Are you saying you are filtering with Suricata? Curious as in my mind a port is either on or off. I am always ready to be schooled.
a firewall can be used to filter incoming traffic by its properties. most consumer home routers don’t expose the firewall settings
I’ll recommend netbird as its entirely running on your server, is free, and I found it way easier to set up compared to Tailscale/Headscald
So is this like a Tailscale alternative and not a way to expose your services?
Correct. Its just a mesh VPN
Are the free limits suitable for light media streaming by a few users? I’m currently running a simple setup with Caddy reverse proxy and port knocking, but my ISP doesn’t do static IP and they change my address every few months.
I think this may be a your milage may vary thing. I only personally use netbird for remote server management, as I barely consume anything other than streamed music remotely. I host netbird community edition on my server in a VM so the streaming quality isn’t dependent on any tier of service purchased from the company
Personally, i would use VPN, Pihole for Local-DNS Records and a simple Local Reverse Proxy to address my Network-Services. I wouldnt open anything from my Homelab to the Internet.
Thanks for asking! I have the same problem, so eager to read the comments. Could you share what you choose in the end and why?