I have a self-hosted server running YunoHost that I use for a few services for my own use, all of which require login to use, so they’re safe enough.

However I’m increasingly uncomfortable with the fact that anyone can discover my home IP via my domain name. Especially if I decided to install something like Lemmy or Mastodon.

YunoHost installs dyndns as part of its setup but, aside from buying a fixed IP from a VPN provider that allows incoming connections, I’m not sure what other options I have.

I can’t change very much on the modem router either. I can forward ports but that’s about it.

I can add and manage new domains if necessary.

Any and all ideas welcome but, as you can guess from the fact I’m using yunohost, my networking knowledge is limited so please eli5 :)

2 points

Google cloudflared tunnels, ZeroTier and Tailscale. They all solve this exact problem. I’ve been using cloudflared tunnels to host without exposing my IP for a while now; it’s relatively easy for HTTPS services.

Edit: also just because services require login, doesn’t necessarily make them secure if their implementation is terrible. It’s best practise to use a reverse proxy like nginx which specialises in having not shit security for authentication, and proxy your services behind it.

2 points

It’s best practise to use a reverse proxy like nginx … for authentication

What kind of authentication are you using for nginx? Just basic http authentication with a .htpasswd file?

That’s what I’m using right now, but I’ve found that not all services play nice with it.

1 point

I moved on to Authentik to handle auth and all but one or two of my services are able to work either using SAML, OIDC, LDAP, header keys, or basic auth. It was a bit to get set up but man does SSO make things convenient in the long run.

2 points

If you are cool with using Cloudflare, you can use Argo Tunnel to expose HTTP(S) services to the internet with DDoS protection and all of Cloudflare’s features.

They’ve made it free some time ago, you just need a pc/server in your network running the cloudflare agent software.

https://www.cloudflare.com/products/tunnel/

5 points

I’ve hidden everything behind WireGuard.
Externally my server doesn’t even have open ports. Everyone who uses my services gets a WireGuard key.

Don’t know how many people you wanna service or if it’s just you - then WireGuard could be a viable solution.

4 points

Same here, I’m too paranoid, and checking access logs and attempts made me stop keeping any other port open than WireGuard.

2 points

How do you handle services that run on devices that can’t implement wireguard, like say a Roku or something? Just don’t allow?

1 point

In my case WireGuard acts as access to my personal LAN, where all my services (in virtual containers or physical computers) are located. I’m just pointing to their address inside my LAN, which I can access through WireGuard.

0 points

Running a federated service on your home network is just a bad idea in general. You’re screaming to the world “hey look, there’s a server running potentially exploitable software here!” Even if you hide the IP behind a VPN.

For everything else not so public as a federated service, best bet is to install a WireGuard VPN server on your network. Set it to some random high number port. Undetectable, basically. Then when you’re away from home just connect to the VPN and it’s basically just like you’re still hooked to your WiFi at home.
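
The WireGuard-only setup described in this comment and in the earlier "hidden everything behind Wireguard" comment, as an added configuration sketch that is not from any poster in the thread. The port number, subnets, host name and key placeholders are all assumptions to replace with your own values.

```ini
# ---- Server side: /etc/wireguard/wg0.conf (constructed example) ----
[Interface]
# VPN subnet, assumed not to overlap the home LAN
Address = 10.8.0.1/24
# Arbitrary high UDP port; this is the only port forwarded on the router
ListenPort = 51234
# Placeholder: output of `wg genkey` on the server
PrivateKey = <server-private-key>

# One [Peer] block per person or device that is given a key
[Peer]
PublicKey = <phone-public-key>
# The only VPN address this peer is allowed to use
AllowedIPs = 10.8.0.2/32

# ---- Client side: wg0.conf on the phone or laptop (constructed example) ----
[Interface]
Address = 10.8.0.2/32
# Placeholder: output of `wg genkey` on the client
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <server-public-key>
# Placeholder DynDNS name and the forwarded UDP port
Endpoint = home.example.org:51234
# Route the VPN subnet plus the (assumed) home LAN range through the tunnel
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping alive when the client is behind a mobile network
PersistentKeepalive = 25
```

Reaching LAN hosts other than the WireGuard server itself also needs IP forwarding enabled on that server, and either NAT on it or a return route on the LAN.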

1 point

That’s a good point. My thinking was to try and avoid high VPS costs. Anything more than €10 is out of my price range really and this seemed a way of running via a high spec machine without a high price.

1 point

If you are the only one using your services, sure, but that’s way more of a PITA than 99% of users are going to put up with. Running a federated service is no different than running any other service - harden your network, use tunneling if you so desire (though if hosting media, the likes of Cloudflare are out of the question), have your local VLANs configured accordingly, and manage it like you would any other service. Hell, if you are super paranoid, go dual WAN as that’s likely cheaper than having multiple VPSes for your services or paying for the needed bandwidth on one (again, assuming media hosting).
