Do you guys host your own VPN?

I see a lot of you posting awesome pics of your home pages with all your setups and services, I swear I learn something new each time. (If only I had the time to look into all of it - one of these days…).

But I’m wondering… What method do you use to dial in from outside your LAN? VPN or do you expose everything through reverse proxy, or something else? I currently run a WG VPN and it’s great, but just curious what everyone else is running.

The general rule of thumb is to not directly expose services unless you have to (such as when you need to serve many users or users you don’t want to have on your home network, etc). As such it seems most people around here typically use a VPN for most things and only expose the odd service here or there when necessary.

Personally I only use a VPN because I have no reason to expose services directly. It’s only family members living in my house that need to access things when away so they each have the WG client set up on their phone and it auto-connects when not on our home WiFi. I also bought a travel router recently for family trips so we’re basically always connected to the home VPN and thus our services.

I have WireGuard on my UDM Pro. Easy to set up and haven’t had to think about it in a long time.

I use tailscale for remote access which works awesome in my case!

I use ssh tunnels to connect to my homelab from abroad, and ssh SOCKS services for laundering browser connections.

Yep, run an OpenVPN server on my router.

If it’s a service that has authentication and I use externally or share with others, then I expose it by reverse proxy (vaultwarden, guacamole, WebDAV, etc). If it’s ease of use or QoL, then VPN in for it.

I don’t need to stream a movie or song over my phone data, I can just VPN in and transfer it to my phone and play it locally.

WG VPN via PiVPN. Can’t get more convenient.

I can’t use a VPN at my work place, so I’m using a Cloudflare tunnel with a $1.5 domain I bought.

Some services use reverse proxy, like Jellyfin, Navidrome. Others use WG.

I use VPN for what doesn’t need to be exposed, and reverse proxy for the rest hahaha

I do. I run WireGuard as my only exposed service, which I use both as a legit VPN when I’m in hotels or other hostile networks, and to access other services running on my network.

I use an OPNsense VPS (get a $5 VPS with FreeBSD and follow the bootstrap manual). This provides you with a full router OS with a good interface to manage users, VPN plugins, port forwarding or even a reverse proxy.

I have another instance running at home that connects as a client and makes systems on its network reachable for the hosted one.

I use both as I expose some services directly without auth/direct read access without a user account. Most services are behind Authelia with Traefik and then OIDC. So you can’t access even the login page of the apps without being logged into Authelia, and then you need to log in to the app to use it.

The VPN is only for me and my IoT devices and servers to debug them.

A lot of my services are set up for multiple users so I have a domain through Cloudflare and everything is proxied along with SSL certs, reverse proxied into my network, etc. Part of the enjoyment for me is having my own websites and it’s cool to see friends and family use them. I’ll still use a VPN for when I need into the backend of things, but it seems like I have more forward-facing sites than most.

I use this VPN server: hwdsl2/docker-ipsec-vpn-server on GitHub (Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2).

You don’t need apps to connect from your device. Has been working great for >5 years.

That being said, I rarely use it these days. Most of the services I self-host are behind a 2FA SSO portal (Authelia). And for SSH I use Guacamole. I rarely need the VPN.

I fully moved in 2020 to the cloud and have 5 active VMs deployed over the globe. I only have a small, low-powered mini PC at home for some small services like a WLAN controller and AdGuard. Everything is connected with VPN and Cloudflare Tunnels without the need to expose a single port.

I do host a VPN. I use it for safeguarding traffic when I need to connect to hotel/airport WiFi. I also expose via Cloudflare a very restricted set of essentials, like what needs direct access from a native mobile app, or if I need access from my work laptop that is bound to be in the endpoint-protected work VPN and can’t access any different VPN.

Yup. OpenVPN on a TP-Link router running OpenWrt firmware. And it works.

Personally I have everything exposed through 2 reverse proxies. One hosted on a vps, which forwards any and all traffic to my house. Only that IP is allowed to send traffic to the proxy at my house.

The proxy at my house sits in an isolated network segment from which it’s only allowed access to the apps/tools/sites it proxies for.

All those apps/tools/sites also sit in an isolated network segment. Of course everything is containerized as well.

A good part of those apps are also proxied through authentik, which acts as a security layer for apps that don’t have proper authentication management and as a single sign-on platform for the apps that support it.
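Two of the patterns in this thread, an SSO forward-auth check in front of an app (the Authelia + Traefik post above) and a home proxy that only accepts traffic from the VPS-hosted front proxy (the two-reverse-proxy post), as one added example in a Traefik v2 dynamic configuration file. This is not any poster’s actual config; the hostnames `auth.example.com` / `app.example.com`, the container names `authelia` and `app`, and the VPS address `203.0.113.10` (documentation range) are assumed placeholders.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example, not taken from the thread.
# Assumptions: Authelia listens at http://authelia:9091 and its portal is https://auth.example.com,
# the protected app listens at http://app:8080, and the VPS front proxy's public IP is 203.0.113.10.
http:
  middlewares:
    # Reject every TCP peer except the VPS proxy. No ipStrategy is set, so Traefik checks the
    # real remote address rather than a spoofable X-Forwarded-For header.
    from-vps-only:
      ipWhiteList:
        sourceRange:
          - "203.0.113.10/32"

    # Forward every request to Authelia first. Anonymous clients are redirected to the portal
    # (the rd= parameter), so the app's own login page is never served to them. On success the
    # listed headers carry the verified identity to the app.
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"

  routers:
    app:
      rule: "Host(`app.example.com`)"
      entryPoints:
        - "websecure"
      # Order matters: the IP check runs before the auth round-trip to Authelia.
      middlewares:
        - "from-vps-only"
        - "authelia"
      service: app
      tls: {}

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"
```

Traefik only applies this file if the file provider is enabled in its static configuration; the `ipWhiteList` middleware is the v2 name and is called `ipAllowList` in Traefik v3.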