How do you guys connect your phones to Immich when outside the house?

I use NordVPN’s Meshnet. I find this simpler than Tailscale. I don’t have a NordVPN promo code for you because Meshnet is FREE.

If you use this route, please use a token to sign in to NordVPN on the server where you host Immich. For added reliability, I have a sign-in script run during boot.

If you don’t use Meshnet or Tailscale, what do you use?

Note: yes, I’m a total noob to Pis, networking, self-hosting, etc.

TL;DR of comments: No one else uses NordVPN LOL.

I have WireGuard running on my home server and router.

I use Cloudflare tunnels with 2FA via a Google login, as well as geoblockers. You don’t really want to expose it to the internet without a good layer of security.

Publicly accessible as family use it. Protected by CrowdSec.

I bought a domain through Cloudflare and use them as a reverse proxy. I also run an Nginx Proxy Manager server locally. SSL encryption is fully enabled. Works great, only cost is the domain which is $7 a year for the one I got.

Caddy V2 with Cloudflare

yes, I’m a total noob to pis, networking, self host etc.

I am an even bigger noob. I use Cloudflare Tunnel and my domain to connect to it from outside.

Immich is on my Unraid server. That, along with several other services, all go via the SWAG reverse proxy, and are linked to my subdomain, photos.mydomain.com

WireGuard - it’s great!

I used to use OpenVPN, but I switched to WireGuard once I realised how much easier it was to use.

Cloudflared and / or Tailscale.

I use a VM running nginx as a reverse proxy, which then connects to my home network via WireGuard.

Edit: +CrowdSec for protection

Reverse Proxy and VPN

Twingate

  • Docker setup
  • 2 Users free
  • Easy to set up

I have been using it for the last 1.5 years with no issues.

Just have to connect to its VPN, which connects to my home server directly from my phone, and it starts the sync on Immich or blocks any ads through AdGuard, which is also installed on the same server.

Authelia authentication
Nginx Proxy Manager for local DNS
Pi-hole for hostnames
Cloudflare proxy to mask my IP (not Cloudflare tunnel)
ddclient to update the IP of my subdomain for Immich since I don’t have a static IP
DNS entry in Cloudflare with a CNAME

OPNsense box with WireGuard.

Cloudflare tunnel, as for my other published services like HA, Nextcloud, etc.
I banned all countries but mine, plus I added some other WAF rules to restrict access, mostly based on IPs.
Oh, and Immich is also behind Authentik for 2FA.

WireGuard on my phone and server.

Cloudflare tunnels. Takes like 2 minutes.

Split-brain DNS and #Yolo public access, could not be bothered with anything else.

Just use a reverse proxy with fail2ban and a firewall. No real need for a VPN, but to each their own. If you run a subdomain you can share pictures via a link.