this post was submitted on 17 Oct 2023
28 points (91.2% liked)

Selfhosted

40040 readers
729 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 
  • For my first goal, I want to get around my ISP's CGNAT so I can access my NAS outside my network. Tailscale doesn't work. Attempting to access my NAS always goes through their relays. From what I've gathered, a VPS is a good way to get around this so I got the basic $1/mo Racknerd KVM VPS. I'd like a performant way to manage this with low latency being ideal. That is my primary goal. From what I've researched, wireguard would be the most performant way to make that connection. I'd like to be able to access my NAS's primary IP or even set up reverse proxies so I can access it from outside the network, without sending all my network traffic through the NAS. I was under the impression tailscale did this but for some reason when I have tailscale active on my macbook, speedtests show major lag over 100ms.
    • I've heard wireguard was the most performant but anything will do with the goal of accessing my NAS. The maximum I need is to be able to stream 4k hdr/dolby atmos content from my NAS.
  • My second goal is to set up Unbound, Blocky and maybe have a fallback to quad9. I'd also like my devices to be able to use this externally. I set up a basic version of this today using this guide. However upon more investigation, I've learned Blocky causes much less latency than pihole. I went down a rabbit hole, researching nextdns, dnsfilter, etc. I think Blocky and Unbound will be great, but I'm more interested in the goal than the technology used to get there. I'm primarily interested in a low latency content/ad/tracker/malicious blocker that's available on and off my network.
    • Would it introduce less latency to run this locally off my NAS, and have a separate version set up in the cloud for when I'm away from home? I'll happily do this if there's any tangible benefit. My routing setup is ISP modem/router -> asus zenwifi router-> 10g switch, then my PC and NAS. All connected by cable.
    • Is there a way to set this up with the primary goal of having external access to my NAS? I feel like there's a way to kill two birds with one stone with this. Like maybe having the DNS resolve my NAS's internal IP to the VPS external IP which will then forward traffic requesting that IP address to the NAS somehow (not sure how exactly to accomplish this, or if it's possible).
    • I set this up originally on GCP due the guide I followed mentioning performance benefits. I'd be willing to host all this on the VPS if that's possible, but would prioritize high availability, reliability and low latency, which I believe GCP would give me better than my budget VPS. Strangely, the latency when connected to the current setup, GRC DNS benchmark is showing 100+ ms latency, while with it deactivated I get about 50ms average.
  • My third and kinda stretch goal is to host my website and side projects with the help of the VPS since I'll most likely not be using all the storage, bandwidth or computing power from just my primary and secondary goals. I currently host using github pages and redirect to my domain using cloudflare. I had my projects hosted on heroku. It seems like there's a heroku free tier popping up and then quickly enshittifying every other week so it just seems more reliable to host it myself.
  • It goes without saying that I'd like to have this be as secure as possible as I've read lots of self hosting horror stories. My priorities are security, cost, reliability, performance in that order. I think hosting unbound/blocky on the VPS would make for a more elegant and easy to maintain solution, but I'm not 100% sure of the reliability and performance of Racknerd's budget level VPS offerings.
  • So to retierate, I'd like to access my NAS which is behind a CGNAT externally, set up ad/tracker/malicious content blocking, and host my website/projects, with security, cost,reliability and performance in mind.

I think I want to use something like NPM, pfsense, blocky, unbound, authentik, fail2ban, and wireguard. either divided between free tier cloud hosts like GCP and oracle, and my VPS for less critical stuff like NAS access, or just put it all on the VPS if that's easier. I've done an absolute boatload of research to try and educate myself, which I've not included here because this would make this already lengthy post even longer. That said I'm still very noobish with all of this and appreciate any advice!

you are viewing a single comment's thread
view the rest of the comments
[–] thelittleblackbird@lemmy.world 3 points 1 year ago (1 children)

Take wiht a bit (or a lot) of salt what I am gonna say. Because undoubtedly I am. Missing something here.

But if what you a already say is true probably you are not restricting anything. The recommended way to do so is with a firewall rule (probably in your router).

You are extending the subnet definition beyond the 16 bits. This can create problems and I doubt that your router will block anything if something crafted is received from Internet.

But of course, being the extremely big address space your are probably safe.

I any case, with a firewall rule in your router allowing only the proxy to go receive connections, you should be good and more standard conform

[–] stown@lemmy.world 0 points 1 year ago* (last edited 1 year ago)

I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.

Let's say I have a static IPv4: 72.235.228.162

And IPv6 block: 2660:1100:45f0:c17:: /60

What I do is set up a Virtual IP in OPNSense and give it the address 2660:1100:45f0:c171:72:235:228:162

Then I set up the firewall rules for that IP.

Then I NAT 1:1 that IP to the NGINX VM's IP and now the Internet doesn't need to know about it.