My current setup is that I have a home server running a number of services that are only accessible to myself on my local network (Jellyfin, Home Assistant, etc.) and a DigitalOcean droplet I rent that runs a number of public facing items (personal websites). I’ve been looking into running my own Matrix server for myself and some friends, but while it will be public facing, I would prefer to run it on my own hardware for cost and storage reasons.

I have gotten it up and running the “old fashioned way”, by pointing my domain at my home network, setting up port forwarding and a reverse proxy. Is this the recommended solution? I have heard vague references made to somehow using a VPS service to forward specific traffic to a home server via WireGuard. I’m not sure how this is done, or really what the benefits are, so I was curious if anyone had any advice.

10 points

I started to do it the VPS - Wireguard - Home way recently. The advantage is that you do not need to expose an inbound port at home.

permalink
report
reply
1 point
*

Agreed, though recommend nginx as proxy, have it do ssl, can set it up with letsencrypt, but mostly you can run multiple services off multiple internal hosts as subdirectories (assuming they cooperate).

Works great for me.

permalink
report
parent
reply
2 points

Yup, NPM on the VPS here.

permalink
report
parent
reply
6 points

One of the main reasons to do this is if you are behind CGNAT and cannot port-forward. However, giving out your home IP isn’t ideal regardless. If you decide to not use a VPS as a reverse proxy, then you might want to look into using cloudflares proxy, which hides your IP and also serves your content more efficiently. However, I’m not quite familiar on how matrix works so this might not be possible if you need ports other than 80 and 443 as all other ports are not forwarded by the cloudflare proxy.

permalink
report
reply
6 points

I do the very thing that you are seeking to do. I have a free Oracle Cloud VM running nginx as a reverse proxy. Between the reverse proxy and my home server is a WireGuard tunnel. There are some benefits in that ports do not need to be opened on your home network’s firewall so you don’t have to do any port forwarding. If you want to go this route, the advice I have for you is to get a free Oracle cloud VPS, install NGINX Proxy Manager on it, and configure a WireGuard tunnel between it and the actual server that the service you want to provide resides on. NGINX Proxy Manager is actually not hard to get going and there are plenty of YouTube videos on it. In fact, for people new to self-hosting I really recommend NGINX Proxy Manager as I started out that way. NGINX Proxy Manager has a well designed GUI. In fact it is so well designed that most of the options are self-explanatory.

As I learned nginx and became better with it, I decided to decommission NPM in favor of a pure nginx environment because I am actually faster on the command line than a GUI. The hardest part for me was getting the WireGuard tunnel built between my home server and my cloud VM. That more pointed out to the fact that I didn’t have a good grasp of how firewalld works and firewalld is used in Alma Linux which is on my cloud VM. That was the real challenge.

permalink
report
reply
3 points

I’m sure it’s also doable via your own vps, but I think most people are talking about managed systems like cloudflare tunnels https://www.makeuseof.com/use-cloudflare-tunnel-expose-local-servers-internet/

permalink
report
reply
2 points

I’ve used this and it’s really easy

permalink
report
parent
reply
2 points

Just wanted to add this link explaining how to use tunnels in a more privacy respecting way

https://help.nextcloud.com/t/is-cloudflare-tunnel-safe-privacy-focused/150268/2

Problems with TLS (free option of routing on cloudlfare tunnels)

interception (or HTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a “transparent proxy”: the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5K

    Monthly active users

  • 3.6K

    Posts

  • 81K

    Comments