this post was submitted on 22 Feb 2026
75 points (98.7% liked)

Selfhosted

56865 readers
1152 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hey all,

I'm setting up a homeserver and trying to figure out the best way to access it remotely. I've been looking at different solutions, but I’m a little stuck.

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

I'm currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn't work well with accessing services through an app on my mobile device (like for jellyfin music for example.) I did think about just opening up the ports and using a DDNS with a reverse proxy, but is'nt that like a big security risk?

Keep in mind I am no network admin, but I don’t have anything against learning if someone can point me in the right direction.

Also I heard some people say that on proxmox you should use unprivileged containers instead of vms for your services, does that hold up?

Any recommendations for tools or approaches?

top 50 comments
sorted by: hot top controversial new old
[–] Chaser@lemmy.zip 4 points 10 hours ago

My Ubiquity Dream Machine has Wireguard integrated. So it's literally just a few clicks to spin up a server. I use it in combination with a port forward on my FritzBox and a dyn ip using https://dynv6.com/ and a domain i had laying around anyways.

Regarding Wireguard: Wireguards (imho) best feature is split tunneling. You can decide which ips or subnets to route through the tunnel. See AllowedIPs.

As a default it says something like

AllowedIPs = 0.0.0.0/0

Which means "just route everything through me".

However you could allow your subnets only. Like this I use my private and my business vpn at the same time.

AllowedIPs = 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.0.3.0/24

You mentioned, that you have not a lot experience with networking, so your subnet may look like that. Just check your local ip and replace the last digit with 0/24

AllowedIPs = 192.168.2.0/24
[–] javiwhite@feddit.uk 1 points 12 hours ago

Your mileage may vary, as it's a project that doesn't look to be actively worked on anymore, but selfhosted-gateway is a simple wireguard docker setup that's relatively easy to set up. It spins up the relevant proxies and tunnel, Doesn't cost anything, nor is there any signups etc... all you need is a VPS, a domain name and a home machine.

[–] KarnaSubarna@lemmy.ml 13 points 1 day ago (1 children)

Tailscale, if you don’t want to make your services available to anyone else than you (and people you want to grant access to).

[–] mikedd@lemmy.world 4 points 12 hours ago

I second this.

[–] Evil_Incarnate@sopuli.xyz 2 points 23 hours ago

Have a look at Zerotier. I have some devices running it and it works a treat. Basically, add devices to your network and it gives them addresses that you can access as if it was on your home network. Your usual 192.168.. still work, but also you can choose a bunch like 172.25.. that you can only access when running Zerotier.

I use it to access jellyfin from my phone or laptop or to SSH into my server.

[–] monkeyFromTheLake@programming.dev 11 points 1 day ago* (last edited 1 day ago) (1 children)

I am using wireguard for this purpose. My router supports that. It's a very easy setup and works fine in every is case I encountered except for android car. You do not expose anything to the outside. It's kind of like logging in to your home network.

[–] B0rax@feddit.org 5 points 1 day ago (1 children)

I heard you need to exclude Android auto in the WireGuard settings, then it should work.

The reason is that the car communicates via IP with your phone. But when all phone traffic is routed through your home, it can not reach the car.

Oh thanks. I knew the reason for the issue but had not thought of looking for a solution. Well I thought there was none.

[–] Auli@lemmy.ca 4 points 1 day ago (1 children)

Depends I just have a proxy and open port 443. Its not wide open but open enough that others can use it. I geo block have IP lists filter through it and suricata. Or use a VPN if others don't need access.

[–] irmadlad@lemmy.world 3 points 1 day ago (1 children)

Its not wide open but open enough that others can use it

How does that work? Are you saying you are filtering with Suricata? Curious as in my mind a port is either on or off. I am always ready to be schooled.

[–] WhyJiffie@sh.itjust.works 1 points 3 hours ago

a firewall can be used to filter incoming traffic by its properties. most consumer home routers don't expose the firewall settings

[–] iggy@lemmy.world 9 points 1 day ago (1 children)

I went a different path than the VPN route that seems popular in the other comments...

I use a reverse proxy (caddy) with wildcard SSL (so all my hostnames aren't in the public cert registry) plus port knocking. So normally no outside IPs are allowed to access my internal services, but I can knock and then access anything for a while. Working well so far.

[–] Cyber@feddit.uk 3 points 1 day ago

How'd you setup the port knocking? Is that something caddy does?

I'm using haproxy and was thinking of trying the same thing... not sure if haproxy supports it though, or whether I have to do something else ...?

[–] wesker@lemmy.sdf.org 26 points 2 days ago (1 children)

Tailscale's free offering goes a long way.

[–] leaf_skeleton@lemmy.world 6 points 2 days ago (5 children)

Well, yes I looked at tailscale too, but that would prevent me from using my normal commercial VPN, which I would still like to use. The way I understand it, if I routed my entire network through tailscale to my server, it would essentially make all my internet traffic exit at my server. So, everything would still appear to be coming from my home IP address. I’m trying to get the best of 2 worlds: using the VPN to hide my IP from services that i visit and my ISP, and a secure connection to my home server.

[–] Krukenberg@lemmy.world 3 points 1 day ago

Wouldn't a MullvadVPN exit node from Tailscale suit your need perfectly? I'm a noob though.

[–] TunaLobster@lemmy.world 2 points 1 day ago

I don't have an exit node in my tailnet. Through the magic of routing, tailnet stays in tailnet and vpn stays in vpn. I got extra fancy and used gluetun to handle docker vpn traffic, but only for some ports of some containers.

Well, yes I looked at tailscale too, but that would prevent me from using my normal commercial VPN

You can split your devices traffic, Tailscale traffic through Tailscale, everything else through your masking VPN.

I’m trying to get the best of 2 worlds: using the VPN to hide my IP from services that i visit and my ISP, and a secure connection to my home server.

For that, what I would do is put the masking VPN (like PIA or whatever) on your router (not all routers can do this) and then have Tailscale on the devices or individual services. In theory, everything would still be able to talk to each other (even if your mobile device is not behind the router), but everything that is behind the router would enter and exit their traffic wherever you have the masking VPN set to. Downside of doing this is that EVERYTHING that is behind that router is also behind that VPN which can cause problems with some services, like banking and streaming.

It would also mean that the only way you could host a public service is to have an external VPS acting as a reverse proxy. Cloudflare might also have something that could work around this setup, but I'm not familiar with their offerings.

This setup also doesn't mask your traffic (origin and destination) from your mobile provider (just your home ISP), but that is a harder nut to crack as they can see, real time, where you are physically, and depending on your device, may have deeper device access anyways. I'm thinking prepaid phones and phones bought from the carrier (at least here in the US) or if your carrier has "asked" you to install an app to manage your account. My assumption is that my mobile provider can see anything I do while I have my phone or tablet with me, and just work around that.

You might want to ask in !privacy@lemmy.ml and !privacy@lemmy.world, as this is more up their alley.

[–] irmadlad@lemmy.world 4 points 2 days ago

I’m trying to get the best of 2 worlds: using the VPN to hide my IP from services that i visit and my ISP, and a secure connection to my home server.

How about Cloudflare Tunnels/Zero Trust? The caveat being that you have to own a domain that you can change the nameservers to the ones Cloudflare assigns you. You can purchase a domain from Cloudflare, but I think a lot of people get one from NamesCheap or PorkBun. I purchased on for less than $5 USD. With Cloudflare Tunnels/Zero Trust, you don't have to open ports, fiddle with NAT, or any of that. You install it on your server and it punches a hole in to allow communication.

Some people like Cloudflare, some people don't. Personally, I've never had any issues except for a very brief downtime a while back.

[–] wesker@lemmy.sdf.org 3 points 2 days ago* (last edited 2 days ago)

I have all my services spun up in docker containers, which makes it easier to pick and choose which services use Tailscale and which use a VPN. I guess I haven't yet been put in a position where I wanted one to use both.

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP

You don’t have to route all traffic through the VPN. Only traffic for your home network.

[–] EntropyPure@lemmy.world 13 points 2 days ago (4 children)

Cloudflare Tunnels work great and are really easy to setup. Plus you are not exposing you machine completely to the outside, as the cloudflared service/container „calls out“, and Cloudflare is your reverse proxy. Downside is, you’re binding yourself to one of the US hyperscalers.

Pangolin uses the same principle, but is a bit more challenging to setup. Plus you need some kind of cloud server to make it work.

As you already have a VPN active at all times (at least it sounds like that), a VPN home seems out of the picture.

Unless you have a dedicated firewall at home, maybe reconsider the reverse proxy route. Personally would not feel comfortable with exposing a machine at home to the internet in full without a handle on what it can do or how it may be reached.

load more comments (4 replies)
[–] Kagu@lemmy.ml 7 points 1 day ago* (last edited 1 day ago) (2 children)

I'll recommend netbird as its entirely running on your server, is free, and I found it way easier to set up compared to Tailscale/Headscale

[–] kratoz29@lemmy.zip 1 points 12 hours ago (1 children)

So is this like a Tailscale alternative and not a way to expose your services?

[–] Kagu@lemmy.ml 1 points 6 hours ago

Correct. Its just a mesh VPN

[–] rektdeckard@lemmy.world 2 points 1 day ago (2 children)

Are the free limits suitable for light media streaming by a few users? I'm currently running a simple setup with Caddy reverse proxy and port knocking, but my ISP doesn't do static IP and they change my address every few months.

[–] SirHaxalot@nord.pub 2 points 1 day ago

The free version is mainly just a number of user and device limit. Although the relaying service might be limited as well, but that should only matter if both of your clients have strict NAT, otherwise the Wireguard tunnels gets directly connected and no traffic goes through Netbirds managed servers.

You can also self-host the control plane with pretty much no limitations, and I believe you no longer need SSO (which increased the complexity a lot for homelab setups).

[–] Kagu@lemmy.ml 2 points 1 day ago* (last edited 1 day ago)

I think this may be a your milage may vary thing. I only personally use netbird for remote server management, as I barely consume anything other than streamed music remotely. I host netbird community edition on my server in a VM so the streaming quality isn't dependent on any tier of service purchased from the company

[–] potatoguy@mbin.potato-guy.space 10 points 2 days ago

I run my instance using cloudflare tunnels, directly from my thinkpad (over wifi), these tunnels are helpful because you don't need to open ports, etc, also, there are other tunneling options, like hosting a server on a VPS that tunnels to your own selfhosted server, as there are some alternatives to cloudflare in that aspect.

Idk, might be an option.

[–] eightys3v3n@lemmy.ca 12 points 2 days ago* (last edited 2 days ago)

Personally, I use headscale (self-hosted tailscale) that is open to the internet. Then my phone and all other devices use tailscale clients to connect to that. All my other services are accessed through the tailscale magic DNS service.

Nothing except headscale is open to the internet, and I can access anything I need on the server and other devices. It also doesn't just route All traffic through my server, only the stuff to other tailscale nodes.

[–] flork@lemy.lol 12 points 2 days ago (5 children)

NGINX Proxy Manager and DuckDNS.

Get DuckDNS set up first.

Then go to DuckDNS.org and register a domain.

Then go into NGINX proxy manager.

It's pretty straightforward, click "add proxy host", then type the domain from duckdns (I like to do a different subdomain for each service, ie: calibre.mydomain.duckdns.org, homeassistant.mydomain.duckdns.org, etc.) and point it at your container with the service you want to access remotely.

You'll want to enable let's encrypt. But other than that the defaults should be fine.

[–] kratoz29@lemmy.zip 2 points 12 hours ago (1 children)

CGNAT sends its regards.

(Although if you have IPv6 access you might get around this... But even in 2026 you will face issues going only this way).

[–] vaionko@sopuli.xyz 2 points 11 hours ago

I am behind GCNAT, and my ISP doesn't do IPv6. I have a free tier VPS from Oracle that uses wireguard to tunnel packets to my home server.

[–] user314_lemmus_v3s@lemmy.world 2 points 13 hours ago

I've been using this setup for years, then one day just installed caddyserver. No certbot, no boilerplate nginx config etc.

I was still using nginx for internal services but then replaced it with "fabio lb" because it works well with consul.

I was so happy do discover it that I want to share it with everyone ¯_(ツ)_/¯.

Thank you for your attention on this matter.

load more comments (3 replies)
[–] GeraltvonNVIDIA@lemmy.ml 5 points 1 day ago

Personally, i would use VPN, Pihole for Local-DNS Records and a simple Local Reverse Proxy to address my Network-Services. I wouldnt open anything from my Homelab to the Internet.

[–] tirateimas@lemmy.pt 4 points 1 day ago

Tailscale or Netbird, any of them is better than setting up DDNS and securing the network access yourself.

[–] ohshit604@sh.itjust.works 6 points 2 days ago* (last edited 2 days ago) (1 children)

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

My ASUS WRT router (running Merlin Firmware) forwards my Home WireGuard VPN server through one of my Proton VPN clients, I get all the added bonuses of being connected to my home network, utilizing my PiHole an such, while benefiting from appearing across the world.

I'm currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn't work well with accessing services through an app on my mobile device (like for jellyfin music for example.)

This is correct, you cannot host an authentication service in front of Jellyfin’s proxy otherwise the Jellyfin Media Player will not connect to your server however, there is a Jellyfin SSO plugin for authentication which is what I use and I disabled the manual login form via CSS but be warned if you take this route that the CSS can be re-enabled on the login screen using your browsers element inspect, I wish you can disable it outright but it’s heavily baked into Jellyfin from what I’ve read.

I suggest setting up a IP-Blacklist for Jellyfin and only whitelisting the known IP’s.

[–] Scrollone@feddit.it 1 points 1 day ago (1 children)

Sorry to burst your bubble, but removing the login form via CSS is just a cosmetic effect and it doesn't have any effect on your security, since bots will try to brute force the login directly using the login endpoint.

[–] ohshit604@sh.itjust.works 3 points 1 day ago* (last edited 1 day ago)

Oh I am fully aware it just cosmetic, that’s why I added this line In my original comment:

but be warned if you take this route that the CSS can be re-enabled on the login screen using your browsers element inspect

hence why I also suggest just outright blacklisting all IP’s and only whitelisting the known few at the reverse proxy level.

[–] Decronym@lemmy.decronym.xyz 6 points 2 days ago* (last edited 3 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAS Network-Attached Storage
NAT Network Address Translation
PIA Private Internet Access brand of VPN
PiHole Network-wide ad-blocker (DNS sinkhole)
SSH Secure Shell for remote terminal access
SSO Single Sign-On
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #110 for this comm, first seen 22nd Feb 2026, 16:31] [FAQ] [Full list] [Contact] [Source code]

[–] TechLich@lemmy.world 5 points 2 days ago* (last edited 2 days ago) (1 children)

My recommendation is a VPN server to connect in from outside and have the default gateway for the VPN clients be a server that acts as a router that's set up with your commercial VPN.

That way, you can be outside on a phone or a computer, access your internal network and still have your public internet traffic go out through your commercial VPN without having to be able to configure multiple VPN connections at once (eg. Android doesn't support that).

Eg. 2 debian proxmox containers. One that runs wireguard (head/tailscale might also work here?) for external access and one that runs mullvad(or whoever) VPN cli and IP forwarding to be the gateway for your clients.

Only downside is the extra hops to send everything through your home network first rather than straight to the commercial vpn which is probably fine depending on your speeds. You can always disconnect and connect directly to the commercial VPN for faster internet traffic if you need to.

[–] pleksi@sopuli.xyz 3 points 1 day ago* (last edited 1 day ago)

This is what i did but on the router. I have openwrt on the router. You can install an extension called PBR (policy based routing) on it.

Then you set up one wireguard interface that’s in the same firewall zone as your LAN to your lan and another that’s in the WAN. You can create policies to route any outbound connections (including the ones from your mobile client devices) through the commercial WAN wireguard connection.

In addition for family members access i set up a pangolin instance (kind of like tailscale but selfhosted) on a Hezner VPS and a very simple oauth provider (pocket id) for authentication. Ive got a bunch of users and nobody had any problems with the signup process after i sent them the invite link.

That way i can always be directly in my lan but other users can access without accessing my lan at all.

[–] okwithmydecay@leminal.space 5 points 2 days ago* (last edited 2 days ago)

I've been using frp to create a reverse proxy between my NAS at home and a DigitalOcean droplet. Been using it for over a year now, and not had any issues.

[–] TechLich@lemmy.world 4 points 2 days ago

For the unprivileged container thing, containers tend to be lighter on resources than VMs at the cost of a little isolation (they share the same kernel as proxmox which could have security implications).

The ability for lxc containers to run unprivileged with all the restrictions that entails alleviates a bit of that security risk.

Both options are generally considered pretty secure but bugs/vulnerabilities could break isolation in either case. The only real 100% safe isolation is bare metal.

I tend to run containers unless I have a really good reason to need a VM, and run unprivileged unless I have a really really good reason not to.

If you're running insecure services, you can restrict them to be accessible by vpn. I have a mix of internet accessible and vpn accessible services using the tailscale nginx plugin.

If you want to send all your traffic over a vpn, you will either need to route all your traffic through your own vpn or use some sort of multiplexed vpn. tailscale can do this with mullvad, but it's not yet possible with headscale.

load more comments
view more: next ›