I want to start with self hosting something available from internet. Currently I have jellyfin, nas etc but everything is available in local network.

My biggest concern is securing the local network. I thought I would run the application on a separate server and use a small VPS as a proxy, but I'm not sure if that will be enough.

  • irmadlad@lemmy.world · edited · 2 hours ago

    Have you considered Cloudflare Tunnels/Zero Trust? When you use Cloudflare Tunnels/Zero Trust, you don't need to fiddle with NAT or open any ports; in fact you don't need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name, but I think most get something cheap from Namecheap or Porkbun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob's your uncle.

    ETA: Obviously you’ll need port 22 for administration.

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    • Kkk2237pl@lemmy.world (OP) · 2 hours ago

      Yeah, but if my server is in the local network, I have a potential threat that someone will access my LAN through the public server.

      • irmadlad@lemmy.world · 1 hour ago

        Well, you could do network segmentation:

        • Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I'm not sure what router you have, but many consumer routers have a "guest network" that can serve this purpose.

        • Utilize UFW rules. Mine are:

        • sudo ufw default deny incoming
        • sudo ufw default allow outgoing
        • Anywhere ALLOW IN 192.168.1.0/24
        • 22 ALLOW IN 192.168.1.0/24
        • 22 on tailscale0 ALLOW IN Anywhere
        • 22 (v6) on tailscale0 ALLOW IN Anywhere (v6)

        Also:

        • sudo ufw allow out to 1.0.0.1 port 53 # DNS only
        • sudo ufw allow out to 1.1.1.1 port 53
        • sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

        So now I have SSH capability locally and through Tailscale installed on the server, and this prevents the server from initiating connections to other LAN devices. You can do a lot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
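Before applying a ruleset like the one above to a box you might lock yourself out of, it helps to check what it actually does. The following is an added example (not the poster's script and not ufw itself): a small Python model of ufw's first-match rule evaluation, loaded with the rules from the comment above, that answers "would this packet be allowed?" for a set of constructed scenarios. Addresses such as 192.168.1.50 (a LAN client), 192.168.1.10 (a LAN NAS), 100.64.0.5 (a Tailscale peer), 203.0.113.9 (an Internet host) and the interface name eth0 are assumptions for illustration.

```python
"""Model of the ufw ruleset from the comment above (constructed example).

ufw evaluates user rules in order; the first matching rule decides the packet,
and anything matching no rule falls through to the default policy for that
direction (deny incoming / allow outgoing in the comment above).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" or "out"
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # CIDR the packet must come from (None = any)
    dst: Optional[str] = None      # CIDR the packet must go to (None = any)
    port: Optional[int] = None     # destination port (None = any)
    iface: Optional[str] = None    # interface the packet arrives on (None = any)


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    port: int
    iface: str


# Default policies: "ufw default deny incoming" / "ufw default allow outgoing"
DEFAULTS = {"in": "deny", "out": "allow"}

# The comment's rules, in the order they appear (IPv4 only in this model)
RULES = [
    Rule("in", "allow", src="192.168.1.0/24"),                 # Anywhere ALLOW IN 192.168.1.0/24
    Rule("in", "allow", src="192.168.1.0/24", port=22),        # 22 ALLOW IN 192.168.1.0/24
    Rule("in", "allow", port=22, iface="tailscale0"),          # 22 on tailscale0 ALLOW IN Anywhere
    Rule("out", "allow", dst="1.0.0.1/32", port=53),           # ufw allow out to 1.0.0.1 port 53
    Rule("out", "allow", dst="1.1.1.1/32", port=53),           # ufw allow out to 1.1.1.1 port 53
    Rule("out", "deny", dst="192.168.1.0/24"),                 # ufw deny out to 192.168.1.0/24
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constraint the rule carries is satisfied by the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True


def verdict(pkt: Packet, rules=RULES, defaults=DEFAULTS) -> str:
    """First matching rule wins; otherwise the direction's default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return defaults[pkt.direction]


SERVER = "192.168.1.20"   # assumed LAN address of the self-hosted server


def scenarios() -> dict:
    """Constructed traffic cases a practitioner would want to confirm before deploying."""
    return {
        "ssh_from_lan":           verdict(Packet("in", "192.168.1.50", SERVER, 22, "eth0")),
        "ssh_from_tailscale":     verdict(Packet("in", "100.64.0.5", SERVER, 22, "tailscale0")),
        "ssh_from_internet":      verdict(Packet("in", "203.0.113.9", SERVER, 22, "eth0")),
        "jellyfin_from_internet": verdict(Packet("in", "203.0.113.9", SERVER, 8096, "eth0")),
        "dns_out_to_cloudflare":  verdict(Packet("out", SERVER, "1.1.1.1", 53, "eth0")),
        "dns_out_to_lan_router":  verdict(Packet("out", SERVER, "192.168.1.1", 53, "eth0")),
        "smb_out_to_lan_nas":     verdict(Packet("out", SERVER, "192.168.1.10", 445, "eth0")),
        "https_out_to_internet":  verdict(Packet("out", SERVER, "203.0.113.9", 443, "eth0")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

Two things the model makes visible. First, the "deny out to 192.168.1.0/24" rule also blocks DNS to a LAN resolver (the dns_out_to_lan_router case), so the server's resolver must point at the explicitly allowed 1.1.1.1/1.0.0.1 or name resolution, and with it the outbound tunnel, stops working. Second, the "22 ALLOW IN 192.168.1.0/24" line is already covered by the broader "Anywhere ALLOW IN 192.168.1.0/24" above it; harmless, but worth knowing when reading the status output. The model covers IPv4 only; the (v6) Tailscale rule from the comment has no counterpart here.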