I have a self hosted server running yunohost that I use for a few services for my own use all of which require login to use so they’re safe enough.
However I’m increasingly uncomfortable with the fact that anyone can discover my home IP via my domain name. Especially if I decided to install something like Lemmy or Mastodon.
Yunohost installs dyndns as part of it’s setup but, aside from buying a fixed IP from a VPN provider that allows incoming connections I’m not sure what other options I have
I can’t change very much on the modem router either. I can forward ports but that’s about it.
I can add and manage new domains if necessary.
Any and all ideas welcome but, as you can guess from the fact I’m using yunohost, my networking knowledge is limited so please eli5 :)
I’d disagree with the other post (Running any software on your home network is insecure, but so is having your network connected to the internet).
You should not be opening ports in general. There are various ways to do this:
- Create a site-to-site wireguard VPN with a lightweight VPS from someone like Digital Ocean, install a reverse proxy + WAF on this VPS, and setup a tunnel between it and your network.
If you are cool with using Cloudflare, you can use Argo Tunnel to expose HTTP(S) services to the internet with DDOS protection and all of Cloudflares features.
They’ve made it free some time ago, you just need a pc/server in your network running the cloudflare agent software.
You have several options these days:
-
Use cloudflare in DNS proxy mode and run a dynamic DNS updater so cloudflare always point to your correct IP address. By using cloudflare DNS in proxy mode, your real IP address will be hidden because all traffics will be routed via cloudflare servers first. The disadvantage is it only works for http/https service. If you need to route other service/port (e.g. ssh) you’ll need to use cloudflare tunnel
-
Rent a small vps and use it as a bastion server. Add your home server and the vps server into tailscale or zerotier network, and then configure it to route traffics to your home server. I personally use this method because it gives me full control and flexibility over using cloudflare, but it does harder to setup.
-
I’ve hidden everything behind Wireguard.
externally my server doesn’t even have open ports. everyone who uses my services gets a Wireguard key.don’t know how many people you wanna service or if it’s just you - then Wireguard could be a viable solution
How do you handle services that run on devices that can’t implement wireguard, like say a Roku or something? Just don’t allow?
in my case Wireguard acts as access to my personal LAN, where all my services (in virtual containers or physical computers) are located. I’m just pointing to their address inside my LAN, which I can access through Wireguard.
