• Bdaman@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    37
    arrow-down
    1
    ·
    10 months ago

    The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.

      • Bdaman@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Sorry, haven’t logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.

        Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.

    • calm.like.a.bomb@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      Same here. Taught my wife how to start WireGuard on her android phone and then access any of the services I run. This way I only have one port open and don’t have to worry too much.

      • MigratingtoLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        How about running your wireguard server on a VPS and then connecting to the same interface as clients from your mobile and home network? No ports open on your side!

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    15
    ·
    10 months ago

    Nothing I host is internet-accessible. Everything is accessible to me via Tailscale though.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      edit-2
      10 months ago

      Tailscale with the Funnel feature enabled should work for most ISPs, since it’s setup via an outbound connection. Though maybe they’re Super Cunts and block that too.

      • empireOfLove2@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        NAT to extremes… it’s Starlink so I think I’m almost completely obfuscated from the internet entirely.

        quite frankly i don’t really host anything that needs to be accessible from the general Internet so I never bothered with workarounds.

  • harsh3466@lemmy.ml
    link
    fedilink
    English
    arrow-up
    10
    ·
    10 months ago

    Available to the internet via reverse proxy:

    • Jellyfin
    • Navidrome
    • Two websites
    • matrix chat server
    • audiobookshelf

    LAN only:

    • homepage
    • NGINX Proxy Manager
    • Portainer

    There’s more in both categories but I can’t remember everything I have running.

  • grue@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    10 months ago

    I currently keep everything LAN-only because I haven’t figured out how to properly set up outside access yet.

    (I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people’s location outside the home would work.)

    • jkrtn@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      Yeah, same, except I tunneled HA out via that Cloudflare daemon. Kinda janky because I cannot use the app with it to do locations, but I can check in on the pets from anywhere.

      I’m planning to set up a legit VPN sometime soon.

        • jkrtn@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          I cannot get the app to connect to my HA with the current setup. I have Cloudflare doing email verification, and the app doesn’t understand how to collect the cookies to make that possible.

  • pHr34kY@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    10 months ago

    Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.

    Like, even my DNS server is public because I use DoT for AdBlock on my phone.

    Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).

    A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.

  • muntedcrocodile@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    10 months ago

    Most of my things are open to the web but thats kinda nessasary for them to be functional file shairing links, link shortening, mc server etc etc

  • kratoz29@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    10 months ago

    Only my Stremio add-ons, such as Knightcrawler, Annatar and Stremio-Jackett.

  • notannpc@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    10 months ago

    I expose most things to the web so long as they have auth and 2FA options. The one exception being my Jellyfin server. I share it with friends and needed to make it as easily accessible as possible.

    With Cloudflare WAF, reverse proxy, and an isolated subnet with IDP I feel comfortable with public services. Nothings perfect but if they get through it and pwn my lab I’ll just nuke it and rebuild.

  • habitualTartare@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    10 months ago

    I keep everything behind a VPN so I don’t have to worry much about opening things up to the Internet. It’s not necessary about the fact that you’re probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.

    You could expose your media server and not worry too much about that device but having it in a “demilitarized zone”, ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.

  • ALostInquirer@lemm.eeOP
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    10 months ago

    Each time I’ve read into self-hosting it often sounds like opening stuff up to the internet adds a bunch of complexity and potential headaches, but I’m not sure how much of it is practicality vs being excessively cautious.

    • LuckyDuck@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 months ago

      It’s always a balance between security and convenience. You have to mitigate what risk you are willing to well…risk

  • Kusimulkku@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    Jellyfin and Miniflux are internet facing because it would be turbo annoying otherwise to deal with them