this post was submitted on 19 Jul 2025
33 points (100.0% liked)

Selfhosted

I'll preface by saying networking and especially netsec are arguably my weakest areas in all of this.

Been running a home server (technically 2 since my NAS is a separate box) for about 3 months with about 40 services running. Works great. It's almost entirely for myself while my wife uses a few things here and there. Remote access has been perfectly fine through WireGuard - I have a chained VPN setup where wg-easy allows LAN access while also tunneling outbound traffic through Proton, mostly because Android devices don't let you use multiple VPNs at a time and I didn't want to keep switching back and forth.

But I realized it'd be nice to have a few services more accessible. Sharing photo albums and Jellyfin with family, and my wife wants a music stack and audiobooks for herself - teaching her WireGuard was easy, but it'd be more convenient to just not have to remember to do that.

So here's the barrage of questions.

  1. Pangolin seems undoubtedly the best way to do this. I plan to set up a VPS running Pangolin and Headscale (I've already done the latter once, got it working perfectly before learning it doesn't really work when running on the same network you want to remotely access, oops)

  2. What's the trick for DNS? I do run Pihole + Unbound but I really haven't touched the configuration for the latter much. From what I understand I can "override" my domain in Unbound to point to the local IP? If that's the case, any guidance to the exact configuration/syntax needed would be very helpful.

  3. I obviously don't want to expose everything. I assume I can keep running Caddy locally, while only proxying what's necessary on Pangolin's end? I'm currently using a Cloudflare DNS record pointed to my private IP to skirt around certificate bullshit, last time I tried Caddy's internal cert I got an annoying "are you sure??" prompt when trying to access any subdomain, and I'd like to avoid that, so I'm not sure what the Caddy reconfiguration would involve here to prevent that prompt without manually installing the cert on every single device and browser.

  4. What would I need to look at for security? I did see Crowdsec is bundled with Pangolin. Is that sufficient? Can I set up geoblocks on the Pangolin end? And regarding docker networks, I assume it would be best practice to keep any exposed services on their own isolated networks? What about ufw, is there any specific approach to setting that up?

  5. I mentioned Headscale in passing - I plan to ditch wg-easy and move to a Tailscale setup to remotely access any services that I don't expose through Pangolin. Last time I dabbled with it, it seemed simple enough, and I liked Headplane for a UI. Any gotchas I should worry about? I'd be able to close the WireGuard UDP port I had to forward for wg-easy, right? Could I route Headscale through a gluetun container to achieve a similar chained VPN setup as I have now?

  6. Authentication - I have Authelia OIDC configured for every service that supports it, and a forwardAuth in caddy for anything that doesn't. How would this play together with Pangolin, which from what I understand has its own authentication system?

Any advice would be much appreciated. This would be a huge change to the way I'm currently running this thing, but would be a worthwhile upgrade for sure.
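An added example for question 2 (not part of the original post or any reply): a split-horizon override in Unbound so that names under your domain resolve to the LAN reverse proxy from inside the network, while anything not listed still resolves upstream. The domain `home.example.com` and the proxy address `192.168.1.10` are placeholders; this goes in a file under Unbound's `include:` directory or in the `server:` section of its config.

```conf
server:
    # Keep the zone "transparent": names with local-data below are answered
    # locally, every other name under the domain is forwarded upstream as usual.
    # (A "redirect" zone would instead send *every* subdomain to one address,
    # which also hijacks names you want to reach through the public Pangolin VPS.)
    local-zone: "home.example.com." transparent

    # One record per service that should hit the LAN Caddy directly.
    # 192.168.1.10 is a placeholder for the reverse proxy's address.
    local-data: "jellyfin.home.example.com. IN A 192.168.1.10"
    local-data: "photos.home.example.com.   IN A 192.168.1.10"
    local-data: "music.home.example.com.    IN A 192.168.1.10"

    # If your config sets private-address (most Pi-hole + Unbound guides do, as
    # DNS rebinding protection), upstream answers containing RFC1918 addresses
    # for this domain would otherwise be dropped. Whitelist the domain so a
    # Cloudflare record pointing at a private IP still resolves.
    private-domain: "home.example.com"
```

After editing, run `unbound-checkconf` and restart Unbound, then test from a LAN client with `dig jellyfin.home.example.com @<pihole-ip>`; names you did not list should still return whatever the public DNS (e.g. the Pangolin VPS) publishes.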

[–] Brkdncr@lemmy.world 12 points 1 day ago

Keep it simple. Have an “inside” network and an “outside”

Use a VPN to access stuff inside your network. Split tunneling is fine for mobile devices.

Secure services that are exposed from outside to inside. Requiring mfa for all accounts goes a long way here. You can use some sort of proxy service.

You should manage the firewall, so watch out for UPnP services that try to set up inbound ports automatically.

[–] SidewaysHighways@lemmy.world 5 points 1 day ago (1 children)
[–] irmadlad@lemmy.world 4 points 1 day ago

Any advice would be much appreciated. This would be a huge change to the way I’m currently running this thing, but would be a worthwhile upgrade for sure.

If I was standing up a new server, that's the route I would take. It looks like a very capable piece of open source.