New on LowEndTalk? Please Register and read our Community Rules.
Comments
Use WireGuard and a reverse proxy.
You can try Cloudflare Argo tunnel. No need to open any port. Or follow chocolateshirt's advice. You can use Tailscale for easy configuration.
Get a cheap VPS; in case you get DDoSed it blows up just that VPS, instead of your entire home connection.
I would go with OpenVPN:
1. Set up an OpenVPN server on a VPS or dedicated server
2. Forward ports so everything that goes in (at the VPS external IP) is pre/rerouted onto your VPN client's internal IP
3. Connect via the OpenVPN client from your preferred home computer
This iptables command is crucial to get it all working:
iptables -t nat -A PREROUTING -p tcp -d <EXTERNAL_IP> --dport <WEB_PORT> -j DNAT --to-destination <INTERNAL_VPN_IP>
(the internal VPN IP is 10.8.0.X by default)
On top of that you can go with the Cloudflare reverse proxy; it will work like a double condom. It all depends on how likely you are to be DDoSed and how much your VPS provider is able to handle.
Making your home network safe, as long as your software... it's an endless story, but that's a good starting point for creating a sandbox zone.
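The DNAT one-liner above only rewrites the destination; as an added example (not the poster's command) the script below prints the complete rule set, including the FORWARD rules and the return-path source NAT without which replies from the VPN client never come back through the VPS. Constructed assumptions: WAN interface eth0, OpenVPN interface tun0, VPN client 10.8.0.2, VPS address 203.0.113.10 (a TEST-NET-3 placeholder).

```shell
#!/bin/sh
# Added example (not the poster's command): print the full iptables rule set
# that publishes a VPN client's web ports behind the VPS external address.
# Constructed assumptions: WAN interface eth0, OpenVPN interface tun0,
# VPN client 10.8.0.2, VPS address 203.0.113.10 (TEST-NET-3 placeholder).
EXT_IP="${EXT_IP:-203.0.113.10}"
VPN_CLIENT="${VPN_CLIENT:-10.8.0.2}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Rules for one TCP port. The PREROUTING DNAT from the post only rewrites the
# destination; on a default-DROP FORWARD chain the packet is then dropped, and
# without source NAT the client answers via its own default route, so the
# reply never comes back through the VPS (asymmetric routing).
publish_port() {
    port="$1"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$EXT_IP" "$port" "$VPN_CLIENT" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$VPN_IF" "$VPN_CLIENT" "$port"
    # MASQUERADE makes the backend see the VPS tunnel address (10.8.0.1) as the
    # client; to keep real source IPs instead, push "redirect-gateway def1" to
    # the OpenVPN client and drop this rule.
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$VPN_IF" "$VPN_CLIENT" "$port"
}

# Full rule set: one return-path rule, then three rules per published port.
publish_ports() {
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$WAN_IF"
    for p in "$@"; do publish_port "$p"; done
}

# Number of rules that would be applied; review before piping the output to sh.
rule_count() {
    publish_ports "$@" | wc -l | tr -d ' '
}

publish_ports 80 443
```

Review the printed rules, then run them as root (or pipe the output to sh); they assume the FORWARD chain is otherwise closed and that net.ipv4.ip_forward is already enabled.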
Easy
I did this the other day
1) Get a VM
2) Install Nginx
3) Set up an Nginx reverse proxy with the domain of your choosing,
4) Install ZeroTier on both servers
5) Point the nginx reverse proxy to the ZeroTier IP of the server in your home.
Boom done.
I see comments about routing through a cheap VPS with a reverse proxy or VPN. If I was going to get a VPS, there's no point in hosting at home.
Maybe you want to serve 15 TB of photos or other data, and don't want to get an enormous storage VPS or dedi.
Or porn?
CloudFlare Argo is a paid feature, $5/month/site + $0.10/GB.
I don't presume a reverse proxy to a site with 10 Mbps outgoing would be too CPU heavy, so a BuyVM Slice512 should be enough, right?
Contemplating WireGuard, OpenVPN and nginx.
I set up a VPN server before and it was a lot of fiddling, but perhaps that's because I am not a pro. It should be something that I can just spawn within a minute if needed, set 2-3 options in the configuration and be up and running.
That's always a given.
Right, for OpenVPN:
https://github.com/Nyr/openvpn-install
In 99% of cases you just need to execute this script and follow the steps by pressing 1 or 2 (tested with many Debian images).
Then you type the iptables command from my previous post and it is done.
The smallest BuyVM slice should easily be able to handle that up to at least 100 Mbps.
I personally would use an nginx reverse proxy on the VPS and access the backend either directly via TLS/HTTPS on your home WAN IP or HTTP through an SSH tunnel. Both provide the same level of security if configured correctly with proper certificate validation. Since they work directly on OSI layer 5 there will be the least overhead.
A VPN with OpenVPN, Wireguard or IPSec will of course work, too. It's slightly more complex as it encapsulates IP in IP but might open other more complex use cases.
If you want to learn how things work, set up all of them, i.e. accessing your real webserver directly via HTTPS, tunneled HTTP via SSH, through redundant VPN connections - and let nginx act as a load-balancer with automated failover if you cut one of the connections.
Awesome, thank you
Then you need to ensure your reverse proxy supports keep-alive connections (and you enable them), as the time overhead for each new connection with HTTPS, compared to HTTP-over-WireGuard, is a lot higher.
Also it might be tricky to get a valid HTTPS certificate for the backend as well as the frontend (separately?), good luck setting up Let's Encrypt to do exactly what you need on each.
That's true.
And another plus for SSH tunneling.
Simple one-liner, operates at L5, secures plaintext HTTP with less overhead and connection overhead is only done once per tunnel.
For proper daemonization autossh+systemd does a good job.
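Pulling together the nginx-plus-SSH-tunnel variant from the posts above (the reverse proxy on the VPS, keep-alive to the backend, and autossh under systemd), here is an added example that is not any poster's configuration: two shell functions that emit the VPS-side nginx site and the home-side systemd unit. Constructed names: VPS user "tunnel", site example.com, home backend port 80, tunnel endpoint 127.0.0.1:8080 on the VPS.

```shell
#!/bin/sh
# Added example (not from any poster): generate the VPS-side nginx site and the
# home-side autossh unit for "nginx reverse proxy + HTTP over an SSH tunnel".
# Constructed: VPS user "tunnel", site example.com, backend port 80, tunnel 8080.

# nginx on the VPS: TLS terminates here, the backend is reachable only through
# the loopback end of the tunnel, and the keepalive pool plus HTTP/1.1 with an
# empty Connection header reuses backend connections instead of one per request.
nginx_site() {
    site="$1"; tunnel_port="$2"
    cat <<EOF
upstream home_backend {
    server 127.0.0.1:${tunnel_port};
    keepalive 16;
}
server {
    listen 443 ssl;
    server_name ${site};
    ssl_certificate     /etc/letsencrypt/live/${site}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${site}/privkey.pem;
    location / {
        proxy_pass http://home_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# systemd unit on the home machine: autossh keeps a reverse tunnel up that binds
# the home web port to the VPS loopback only, and exits on forward failure so
# autossh restarts it instead of idling with a dead forward.
autossh_unit() {
    vps="$1"; tunnel_port="$2"; backend_port="$3"
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to ${vps}
After=network-online.target
[Service]
User=tunnel
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:${tunnel_port}:127.0.0.1:${backend_port} tunnel@${vps}
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
}
```

Run nginx_site example.com 8080 on the VPS and autossh_unit <vps-host> 8080 80 on the home machine to produce the files; the tunnel user on the VPS needs only key authentication and no shell beyond what the forward requires.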
Argo is a paid feature, but Argo Tunnel was made free months ago. They're two different things, take a look here: https://developers.cloudflare.com/argo-tunnel/
But for this use-case it wouldn't hurt to use a small VPS anyway.
Just wondering, what additional security does using a reverse proxy give compared to just pointing the domain at your home IP and opening port 80+443 in the firewall?
If you get DDOSed, usually it's as simple as switching the MAC address of the modem and you get a fresh IP address.
If you enjoy not being able to use your home connection for other stuff during an ongoing attack then sure.
Not all residential connections have a public IP address... usually they are NATed.
Argo Tunnel is free in Cloudflare Teams. I'm using it.
What if your ISP uses CG-NAT (like mine does)? Only way that I've figured out to make a server reachable from the outside is to connect to a VPS with Wireguard and forward the traffic to the local machine, is there another possibility?
Check https://github.com/fatedier/frp
How is that different to the method he just described?
Deep packet inspection can detect WireGuard traffic due to its unique port. Workarounds are to route encrypted WireGuard packets through a TLS tunnel so it uses port 443.
WireGuard can run on any port you want. I'm using it on my own chosen ports and don't even remember what's the standard "unique" one. DPI has to try better if it wants to detect that.
Secondly, even if it does, so what? The OP didn't mention if they are in China or such, and otherwise at their place using WireGuard is likely no problem, and there might not even be a DPI in the first place.
That's not deep packet inspection.