Investigate how to make homelab servers publicly reachable

[fshrr]

There are multiple ways of giving access to our local resources to the internet. Main three being DDNS+exposed ports, tunnels or private vpns. Here are some of the pros and cons and points to remember for each.

DDNS+exposed port

Expose a port from the local network allowing outside traffic to hit the external IP directly. Using DDNS with cloudflare-ddns allows us to update dns records on for a domain when ISP changes our external IP.

pros

• direct access without involving third-party services

cons

• more vulnerable to attacks if proper security measures are not put in place
• app vuln translated to system vuln

Points to note

• implement fail2ban for ssh
• implement some sort of authentication for the internal services (authentik)
• keep all services updated
• monitor vulnerbilities in the system using a monitoring tool (wazuh) - more research needed
• use docker containers to prevent a single app's vulnerability allow access to whole system
• security in reverse proxy
• implement own ssl (lets encrypt)

Tunnels (cloudflare tunnel+cloudflare access, ngrok)

Use something like cloudflare tunnel where users make a request to cloudflare's data centres. Cloudflared daemon is installed on the server to keep a persistent https outbond tunnel open with cloudflare. The data is transferred between this tunntel. Cloudflare access is a complementary service used to authenticate any users.

pros

• no exposed ports
• cloudflare tunnel takes care of ddos protection, web app firewall and ssl
• cloudflare access takes care of authentication
• relatively easy to set up

cons

• reliance on external service
• free tier discourages media streaming
• all data is decrypted inside cloudflare for inspection
• if they limit their usage in future, it could require changing solution

Private vpns (wireguard, tailscale, netbird)

The server and all devices making requests to the server are inside a vpn. Wireguard can be implemented on its own. There are services like tailscale that set up mesh vpn with zero config. Unlike tailscale, netbird offers self hosted solution.

pros

• only the intended users can make requests because they will need to be in the vpn

cons

• requires setting up vpn on all clients
• limited user count for tailscale. but there are other solutions (https://www.youtube.com/watch?v=eCXl09h7lqo)
• limited number of users
• if the saas solutions limit their usage in future, it could require changing solution

[fshrr]

Currently leaning towards ddns or netbird. But researching more

[wintermelons]

Thanks for the detailed notes. I've looked into Cloudflare DDNS in #1 but I agree that it's probably the least secure method and makes the servers prone to DoS attacks.

Is there any avenues I can help in exploring more?

[fshrr]

Is there any avenues I can help in exploring more?

Nothing that comes to mind right now. I havent gotten the chance to research more. But I have come across traefik which seems to be an alternative to nginx. Since if we are go the first route (which I want to do because I dont want to go through cloudflare or have to install a client on every device), we are going to need to reverse proxy so we don't open up too many ports.

[fshrr]

Found a video discussing Traefik vs Nginx proxy manager (a web ui for nginx). https://www.youtube.com/watch?v=scrtJ1U4wJU Quick summary: Seems like traefik is a more robust solution with more enterprise focused features, especially involving cloud orchestration. But the learning curve is also higher for that reason. I think ideally I want to learn Traefik but for the sake of getting things running initially, lets do Nginx proxy manager. We can build traefik configs to replace NPM over time.