By far the best solution I've seen is WireGuard. Easy to set up, super fast and secure. My little swarm of VMs, containers, and Raspberry Pis is all meshed together by WireGuard.
The only "hard" thing is that WireGuard doesn't port forward automatically; you have to add an iptables rule. Took me 10 minutes to figure out how, and now whenever I add a service I simply copy-paste previous rules and add the relevant ports...
Edit: plus once you set it up you also get to use it as a VPN for your devices.
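Added example (not code from the post above): the iptables rules that forward one public port on a WireGuard hub, such as a VPS, to a service on a peer. Interface names, tunnel addresses and ports are hypothetical defaults that can be overridden with environment variables. The security point is that only one destination and port is opened, and the SNAT keeps the reply path inside the tunnel, so the peer does not need AllowedIPs = 0.0.0.0/0.

```shell
#!/bin/sh
# Forward one public port on a WireGuard hub (e.g. a VPS) to a service on a peer.
# Added example with hypothetical interface names and addresses; adjust via env vars.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumption: the hub's public interface
WG_IF="${WG_IF:-wg0}"                 # assumption: WireGuard interface on the hub
HUB_WG_IP="${HUB_WG_IP:-10.0.0.1}"    # assumption: hub's address inside the tunnel

# Print the rules that send WAN port $3 ($4 = tcp|udp) to peer $1 port $2.
# Only this one destination is opened; FORWARD keeps its default policy for all else.
# The SNAT makes the peer answer back through the tunnel even when its AllowedIPs
# only covers the tunnel subnet (otherwise replies leave via the peer's own uplink
# and the connection never completes). The service sees $HUB_WG_IP as the client.
forward_rules() {
    peer_ip=$1; peer_port=$2; wan_port=$3; proto=${4:-tcp}
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $wan_port -j DNAT --to-destination $peer_ip:$peer_port
iptables -A FORWARD -i $WAN_IF -o $WG_IF -p $proto -d $peer_ip --dport $peer_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WG_IF -p $proto -d $peer_ip --dport $peer_port -j SNAT --to-source $HUB_WG_IP
EOF
}

# Apply each rule only if it is not already present (-C), so re-running is safe.
apply_rules() {
    forward_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        sh -c "$check" 2>/dev/null || sh -c "$rule"
    done
}

case "${1:-}" in
    show)  forward_rules "$2" "$3" "$4" "${5:-tcp}" ;;
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null
           apply_rules "$2" "$3" "$4" "${5:-tcp}" ;;
    *)     [ $# -eq 0 ] || { echo "usage: $0 show|apply PEER_IP PEER_PORT WAN_PORT [tcp|udp]" >&2; exit 2; } ;;
esac
```

Run `./wg-forward.sh show 10.0.0.2 8080 443` to see the rules and `apply` (as root) to install them. This assumes the hub's FORWARD chain has a default DROP policy, so nothing else is forwarded between the internet and the tunnel; without that, the ESTABLISHED rule alone is not what limits exposure.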
Several of the tools on the list are based on WireGuard, and I think we'll continue to see other useful abstractions over it in the future. It's an excellent technology.
The main reason to use something other than WireGuard today is that it requires root to run, in order to change the network configuration, so you can't use it to tunnel out on machines where you don't have elevated privileges.
My workplace always had web-proxies and openvpn used to allow me to login at home to admin stuff if needed.
Now I imagined WireGuard would be perfect for this, but alas it's only UDP, which will never work on this network, sadly.
Also my cell provider somehow makes WireGuard impossible, not sure if they block UDP too.
I was also sad when zerotier wouldn't work through the proxies.
I know, I know, busting proxies is wrong. But for me using it between Linux boxes on permanent connections works fine, but it's a very small portion of what I want from my VPN.
In the end it turns out Home Assistant on a dyndns HTTPS site solves most of my access problems. Even ssh can be solved using it!
That's very cool, I've seen many requests for an open source self hosted ngrok around here. I'll take a deeper look at this a bit later. Good stuff, and thanks for the contribution!
Thanks. It's not quite production-ready, but I do think it offers some unique features. There are reasons I decided to make it even after discovering 20+ alternatives that all do pretty much the same thing.
A lot has happened in the SBC market since - with (for example) Odroid C4 you'll get significantly more bang for not much more buck.
Just an idea if anyone feels inspired: Organize with Pine64 to make an upgraded version based on their new architecture slated for release this year. With their strong focus on openness it seems like a perfect match to me.
And it's noteworthy that AFAIK, FreedomBox and YunoHost merely install apps on your server directly, whereas Sandstorm and Cloudron both containerize apps in a more secure environment.
I don't think it's a good idea to install a dozen plus web apps directly on a server, such that a bug in one can compromise the entire server.
I'm not the parent, but I use a debian VM inside of a proxmox cluster to run docker services. The config and data services for the various docker images are mounted via NFS, and live in a ZFS pool configured in RAID10.
For non-technical users I could see freedombox (or sandstorm.io) being useful, but if you have enough knowledge to manage a vm + use docker-compose, the flexibility is much better.
I can support any app that I have either the source for, or a binary. I just write my own docker images [0] if one doesn't exist already on dockerhub, or install the binary directly on a VM or LXC as needed. For example, I set up Jellyfin on its own LXC.
For me, stuff like freedombox/sandstorm directly limit me as I would have to spend time learning their GUI, etc, for no gain. All I need is an ssh session into my docker VM and I can set up pretty much anything I need exactly how I want. This lets me be very particular about services accessing files, networking, versioning, and so on.
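Added example (not code from either post above): what "containerize apps in a more secure environment" looks like as a concrete `docker run` line, plus a small audit that rejects the flags which hand the host back to the app. The image name, data path and ports are hypothetical; it assumes the image already runs as a non-root user and writes only under /data and /tmp.

```shell
#!/bin/sh
# Run a self-hosted web app in a container with every privilege it does not need removed,
# and audit run lines for flags that would hand the host back to the app.
# Added example; image name, paths and ports are hypothetical.
set -eu

# Print a `docker run` line for app $1 (image $2), host port $3 -> container port $4.
# Assumes the image runs as a non-root user and writes only under /data and /tmp.
hardened_run() {
    name=$1; image=$2; host_port=$3; ctr_port=$4
    printf 'docker run -d --name %s' "$name"
    printf ' --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m'  # immutable rootfs; scratch space cannot run binaries
    printf ' -v /srv/%s:/data' "$name"                              # this app's data only, nothing else on the host
    printf ' --cap-drop=ALL --security-opt=no-new-privileges'       # no capabilities, no setuid escalation
    printf ' --pids-limit=256 --memory=512m'                        # fork bombs / memory exhaustion stay local
    printf ' -p 127.0.0.1:%s:%s' "$host_port" "$ctr_port"           # loopback only; a reverse proxy with TLS/auth fronts it
    printf ' --restart=unless-stopped %s\n' "$image"
}

# Exit non-zero (and name the offenders) if a run line contains a flag that defeats isolation.
# Usable as a pre-commit hook over deploy scripts or rendered compose output.
audit_run_line() {
    line=$1; bad=""
    for pat in '--privileged' '--pid=host' '--pid host' '--network=host' '--net=host' \
               '--cap-add=SYS_ADMIN' '--cap-add=ALL' '/var/run/docker.sock' ' -v /:' ' --volume /:'; do
        case "$line" in *"$pat"*) bad="$bad $pat" ;; esac
    done
    [ -z "$bad" ] || { echo "dangerous flags:$bad" >&2; return 1; }
}

case "${1:-}" in
    show)  hardened_run "$2" "$3" "$4" "$5" ;;
    audit) audit_run_line "$(cat)" ;;   # pipe a run line on stdin
esac
```

`./run.sh show wiki ghcr.io/example/wiki:1.0 8080 80` prints the command; `echo "$line" | ./run.sh audit` fails on anything privileged, host-namespaced, or mounting the docker socket or `/`. Mounting the docker socket is on the list because it is equivalent to root on the host.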
There are 2 types of self-hosters: Those that want to host useful apps, and those that enjoy tinkering with the hosting setup as an end in itself. There is some debate as to whether there's actually any overlap between these groups.
+1 for Unraid. If I had a small installation where I didn't need easy-to-expand software raid, I'd probably go with something like Portainer just for the easy docker config.
Also not parent poster but I got into the homelab fever and back it, I just have a very beefy desktop where I run thousands of services on it. It's not like one of these people is running a critical enterprise operation in their living room.
Also not the parent. Right now I have a home NAS (on Debian) running HomeAssistant for home automation interfacing and a WireGuard VPN server.
I also have a VPS running a DNS server for ad and distraction filtering (AdGuard Home, I prefer it over Pi-hole for downstream DNS over TLS), another WireGuard VPN server (for more permanent use of the aforementioned DNS server), Etesync for E2EE contacts/calendar syncing, and a Signal TLS proxy for helping users connect to Signal. These services are all specified in Docker Compose files for easier management, although I should adopt an online management tool so I don't need to login over SSH every time.
Not the parent but I also do not prefer this setup, my preferred setup is setting everything up manually so I know exactly what is going on. It also allows for better debugging, flexibility and understanding of the software. It's also a great learning opportunity since I've learnt how different pieces of software come together but for most people freedom box is good as it's relatively quick and easy to setup.
Streaming your own media (Plex, Kodi, etc.), hosting your own password manager (BitWarden), home automation (Home Assistant, Node-RED), torrent seed box, a VPN so you can remote into your own network (OpenVPN), security NVR (Unifi Protect, Shinobi), a general file backup server (which can mirror to Google Drive, DropBox, etc. automatically with RClone), etc.
Really just depends on how much work you want to put into it. Pretty much any service you use online you can self-host a version of it.
That's not to say I don't pay for any online services. I still use Google Drive, Netflix, and Spotify, but self-hosting is getting me closer to "cutting the cord" with some of these.
That talk was inspirational, as was the follow up ~10 years in progress video that came up next. I'm going to give FreedomBox a try. It is sad that I've never heard of this until now.
I tried the demo a few months ago and decided to give it a shot this weekend, and I'm pretty happy so far. These are some things that drew me to it:
Dozens of actively maintained deployments of (mostly) popular open source apps, a functional multi-user system with app SSO and ACS where possible, an integrated email server, multiple app instances, easy encrypted backup configuration to off-site s3/b2/nas/etc, simple automatic backup and retention policies, restore/clone down to a per-app basis, broad and deep documentation, complete published api, active forum
For me paying $15/$30 a month for the ability to self-host is ridiculous (I'd consider it if it was 10 times less, just for the convenience of 1-click installs).
However, when you need to install a more complex app like Taiga, it's often simpler to use the free Cloudron account to do it rather than install it by hand.
Indeed as you mention, complex apps like Taiga are quite time-consuming to package in a way to ensure proper updates for the future. In fact I am right now in the process to iron out the update to Taiga v6 and that price-tag allows us to focus on such things so our users get a smooth experience without missing out on updates (disclaimer, I am one of the Cloudron founders :D )
For sake of our vision we surely would like to make it more cost-effective in the long run, however we are bootstrapped and thus walk a thin line with a focus more on long-term sustainability not just blind growth. (10x cheaper though would realistically even pose an accounting problem with micro-payments or plain transaction fees taking large chunks)
“ridiculous” is a strong word.
Sure if you’re addicted to free, and being used as a product, $15 sounds crazy.
If you want to take control of your data and don’t have the time or inclination to do it all yourself, $15 isn’t so bad.
I use DietPi on my Raspberry Pi (other small boards are supported too). It's easy to install, and provides a simple TUI installer for all the common services, from Git and Syncthing to various game emulators.
As a newbie to this, I got one of the olimex units with ready-to-go SD Card. I've had it for a couple of years, I think. I've tried various of the apps and have settled on using it as an always-on syncthing node and to run Privoxy on my home network.
To access away from home, it is running a Tor hidden service. Wireguard is also provided, so I'm thinking of trying that out as well. It snapshots, so if I get into trouble with a new app... I roll back. I keep all my syncthing data on an attached usb drive. I realize the SD card won't last indefinitely.
What makes it feasible for me is that installation, configuration, and backup is handled by its web interface. I haven't needed to edit config files.
Has anyone here tried using WireGuard as a VPN for selfhosting? It is built into the Linux kernel (starting in 5.4?) and has lots of tutorials. Thinking of using it for my next project.
I use Wireguard regularly when I'm out to access my home LAN where I have some VM's running various things like pihole (DNS server to block ads), mail server, hobby dev server, etc.
Wireguard is very light (cf: OpenVPN) and easy to setup/use- highly recommend using it.
Many email servers (e.g. gmail) won't even accept email from residential IPs. I have a janky setup where I proxy mail from my home network to my VPS and then send it from there (outbound-only, and only to myself - for notices like "backup started", "backup finished" etc)
Cloudron also has a full email stack ready to go, however you are totally right about the residential IPs. They are basically all blacklisted by default, which is also why we had to add easy relay-provider support.
> They are basically all blacklisted by default, which is also why we had to add easy relay-provider support.
While I understand why people are doing this, I believe it's not the right way to deal with the problem - basically we're handing over e-mail (as a service) to a few big corps. Each time I have this problem I go through the long and painstaking process of whitelisting the IP and fight to make it work. Usually having it work with Gmail, Yahoo and Microsoft is enough - many smaller orgs don't use blacklisting by default because they have enough problems with mail deliverability already.
SMTP is among the things I wouldn't self host. Chances are your entire ISP is already blacklisted for some reason and mail ports are blocked. You'd have to create a relay host on some cloud provider and secure it to avoid having an open relay then navigate through all the configurations related to spam and malware filtering, gray lists, DNS registers and so on.
Dealing with mail servers is the only thing I don't miss from my classic sysadmin days. Although it should be noted popular MTA software nowadays are really solid software.
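Added example (not code from any of the posts above) for the home-to-VPS relay setup described earlier and the "secure it to avoid having an open relay" caveat: Postfix main.cf fragments for both ends, plus a check that can be run against any main.cf. It assumes the home box and the VPS are already WireGuard peers (addresses 10.0.0.2 and 10.0.0.1, hypothetical) so the tunnel authenticates the relay client; without a tunnel you would use authenticated submission on port 587 instead, and the same relay restrictions still apply.

```shell
#!/bin/sh
# Home MTA relays everything to a VPS over the WireGuard tunnel; the VPS accepts relay
# only from that tunnel address, so it can never become an open relay.
# Added example with hypothetical addresses; the check at the end can be run on any main.cf.
set -eu

VPS_WG_IP="${VPS_WG_IP:-10.0.0.1}"            # assumption: VPS address inside the tunnel
HOME_WG_IP="${HOME_WG_IP:-10.0.0.2}"          # assumption: home box address inside the tunnel
RELAY_HOST="${RELAY_HOST:-mail.example.net}"  # assumption: VPS hostname with matching PTR/SPF

# main.cf fragment for the home box: never deliver directly from the residential IP.
home_main_cf() {
    cat <<EOF
relayhost = [$VPS_WG_IP]:25
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
smtp_tls_security_level = may
EOF
}

# main.cf fragment for the VPS: listen on loopback and the tunnel only, relay for the peer only.
# Widen inet_interfaces if the VPS must also receive mail; keep the relay restrictions as they are.
vps_main_cf() {
    cat <<EOF
myhostname = $RELAY_HOST
inet_interfaces = 127.0.0.1, $VPS_WG_IP
mynetworks = 127.0.0.0/8 [::1]/128 $HOME_WG_IP/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level = may
EOF
}

# Return 0 when main.cf text $1 cannot relay for strangers: an explicit
# smtpd_relay_restrictions line must reject unauthenticated destinations and
# mynetworks must not cover the whole internet. (Postfix's compiled-in default is
# already safe; this check insists the setting is written down so a stray edit is caught.)
not_open_relay() {
    cfg=$1
    printf '%s\n' "$cfg" | grep -E '^[[:space:]]*smtpd_relay_restrictions[[:space:]]*=' \
        | grep -qE 'reject_unauth_destination|defer_unauth_destination' || return 1
    ! printf '%s\n' "$cfg" | grep -E '^[[:space:]]*mynetworks[[:space:]]*=' \
        | grep -qE '(^|[[:space:],])(0\.0\.0\.0/0|\[::\]/0|::/0)([[:space:],]|$)' || return 1
}

case "${1:-}" in
    home)  home_main_cf ;;
    vps)   vps_main_cf ;;
    check) not_open_relay "$(cat "$2")" && echo "ok: $2" ;;
esac
```

`./relay.sh vps >> /etc/postfix/main.cf` on the VPS, `./relay.sh home >> /etc/postfix/main.cf` at home, then `./relay.sh check /etc/postfix/main.cf` after any edit. Deliverability (SPF, DKIM, PTR) is a separate job; this only keeps the VPS from relaying for the rest of the internet.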
Why would one market a device to non-experts as a Dropbox alternative, a NAS to backup for all your computers, and a Bittorrent client, when it ships with a 32GB SD card?
I have a feeling that tunneling might just be a better option than creating a VPN in an enterprise setting. For instance, if you have Confluence, Jira etc. running in your enterprise private network, instead of creating a VPN and asking end users to connect to that VPN, they could expose each app with an authenticated tunnel. In this way the threat matrix reduces down to the application that is exposed and not the whole private network. I'm wondering if something like this exists.
I think tunneling is a good way for individuals and small companies to implement BeyondCorps-type systems. That's what I personally do rather than using WireGuard, ZeroTier, etc. Obviously there are tradeoffs either way.
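Added example (not code from either post above) of the per-app authenticated tunnel both posts describe, done with nothing but OpenSSH and nginx: the internal box opens a reverse tunnel to a VPS with a key that is allowed to do only that, the tunnel port stays on the VPS loopback, and nginx in front requires a client certificate before anything reaches the app. Hostnames, the `tunnel` user, key and CA paths, and ports are all hypothetical.

```shell
#!/bin/sh
# Expose one internal app (not the whole LAN) through a VPS: SSH reverse tunnel with a
# key restricted to that single listener, fronted by nginx requiring a client certificate.
# Added example; hosts, user, paths and ports are hypothetical.
set -eu

VPS="${VPS:-vps.example.net}"             # assumption: public relay host
APP_HOST="${APP_HOST:-127.0.0.1}"         # where the app listens on the internal box
APP_PORT="${APP_PORT:-8080}"
TUNNEL_PORT="${TUNNEL_PORT:-18080}"       # loopback port on the VPS that the tunnel binds
PUBLIC_NAME="${PUBLIC_NAME:-wiki.example.net}"

# authorized_keys entry for the tunnel user on the VPS. `restrict` turns off pty, agent,
# X11 and all forwarding; `port-forwarding` re-enables forwarding and `permitlisten`
# narrows it to one loopback listener; the forced command stops interactive use.
authorized_key_line() {  # $1 = public key text
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' "$TUNNEL_PORT" "$1"
}

# Command the internal box runs (e.g. from a systemd unit). ExitOnForwardFailure makes
# the supervisor restart it instead of sitting there with no tunnel.
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -i /etc/tunnel/id_ed25519 -R 127.0.0.1:%s:%s:%s tunnel@%s\n' \
        "$TUNNEL_PORT" "$APP_HOST" "$APP_PORT" "$VPS"
}

# nginx vhost on the VPS: TLS, mandatory client certificate, proxy to the tunnel port only.
# The app never sees an unauthenticated request, so its own login page is not the perimeter.
nginx_vhost() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $PUBLIC_NAME;
    ssl_certificate     /etc/letsencrypt/live/$PUBLIC_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$PUBLIC_NAME/privkey.pem;
    ssl_client_certificate /etc/nginx/client-ca.pem;   # your private CA that issues user certs
    ssl_verify_client on;
    location / {
        proxy_pass http://127.0.0.1:$TUNNEL_PORT;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Client-DN \$ssl_client_s_dn;
    }
}
EOF
}

case "${1:-}" in
    key)    authorized_key_line "$2" ;;
    tunnel) tunnel_command ;;
    nginx)  nginx_vhost ;;
esac
```

Keep sshd's default `GatewayPorts no` on the VPS so the tunnel can only bind loopback; the `permitlisten` address enforces the same thing from the key's side. Revoking one user is revoking one client certificate, and compromising the internal box's tunnel key yields the ability to open that one listener and nothing else on the VPS.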
I read my ISPs terms of service (the biggest ISP in Australia), and it specifically says you can't host servers on your residential connection. They expect you to buy an extremely expensive small business service to do that. I would assume this is the same for many ISPs, and I think it is terrible.
Telstra? Yeah, they're about as consumer unfriendly as it's possible to be. I went out of my way to avoid paying them any money a few years ago, including moving my workplace (>10 branches around Australia) off Telstra comms infrastructure and onto a competitor's, whilst also saving about 30% per year.
Having to convince older, management types to roll the incumbent provider. 30% savings helped, but they were still quite nervous for the integrity of the new network. Had to do a fair bit of convincing and putting my neck on the line.
Just thinking about it (it was 10+ years ago), it would have been much easier to just sign contract extension with Telstra, no management involvement, no additional research, no putting my reputation in danger.
In my (limited) experience, it all boils down to how well the services actually run in such solutions. Yunohost had many services that were completely broken and not well integrated (to be fair it's really complex to do it well) so the user experience at the end of the day will vary from one to another.
I’ve tried it, and it works surprisingly well. They even have pagekite integration if you’re stuck behind a crappy residential internet provider, like any of the main US providers.
How does it handle updates? Can the non-expert user just click a button? Mediawiki strikes me as a service that would absolutely need command line access to upgrade?