I’m not sure I follow. If you want friends to access your stuff, you’re gonna need to set up some kind of remote access unless they’re only accessing your stuff when at your place.
Oh, I see. This is how much of an amateur I am. I haven’t yet read through all of the abundance of information folks provided here.
At the surface, I thought the remote access was referring to admin access. Something like Tailscale is necessary for folks to open my hosted Discourse in a browser? Not just for me to manage my server remotely?
Correct! There are tons of articles out there about sharing a homelab with friends via tailscale.
I’ll give you some simple advice to ease your mind. Whatever you do, do not open your router ports. Doesn’t matter if you wanna use a reverse proxy or double reverse proxy or whatever. Because when you do open those ports, there are so many bots out there that there is basically a 100% chance they will start scanning your router for vulnerabilities.
So, do not open those ports. If you want to access your network, use e.g. Tailscale (and set that each new device or user has to be approved by you). This is the simplest thing you can do and you can learn about self hosting without worrying too much about security.
When you are ready, you will eventually start reading up on firewalls and securing your network, but the main point is, you don’t need to do it now. It is scary now. It will be fun in the future if you still enjoy selfhosting.
Edit: yes, I answered first; now I read there are a lot of good people already saying…
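One concrete way to check the advice above on your own box, as an added example that is not part of the thread: list what is actually listening and classify each service by the address it is bound to. A service bound to the wildcard address (0.0.0.0 or ::) answers on every interface, so a router port-forward would expose it; one bound only to the Tailscale address is reachable over the tailnet and nothing else. The script parses the column layout of `ss -tlnp` on Linux; the sample output embedded in it is constructed, not captured from a real host, and the process names in it are placeholders.

```python
"""Classify listening TCP sockets by how reachable they would be.

Added example, not code from the thread. Parses `ss -tlnp` output (Linux)
and labels each listener as wildcard / tailscale / loopback / interface.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass

# Tailscale assigns every node an IPv4 address from the CGNAT block
# 100.64.0.0/10 and an IPv6 address from fd7a:115c:a1e0::/48.
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample in the layout ss -tlnp prints; not from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   100.101.102.103:8080  0.0.0.0:*         users:(("discourse",pid=1201,fd=5))
LISTEN 0      128    127.0.0.1:5432        0.0.0.0:*         users:(("postgres",pid=900,fd=7))
LISTEN 0      511    *:443                 *:*               users:(("nginx",pid=1300,fd=6))
LISTEN 0      128    [::]:22               [::]:*            users:(("sshd",pid=812,fd=4))
"""


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    def exposure(self) -> str:
        """'wildcard' = bound on every interface (a port-forward exposes it);
        'tailscale' = only reachable over the tailnet; 'loopback' = local only;
        'interface' = bound to one specific non-Tailscale address."""
        if self.addr in ("*", "0.0.0.0", "::", "[::]"):
            return "wildcard"
        ip = ipaddress.ip_address(self.addr.strip("[]"))
        if ip.is_loopback:
            return "loopback"
        if any(ip in net for net in TAILSCALE_NETS):
            return "tailscale"
        return "interface"


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` lines; the header and non-LISTEN rows are skipped."""
    listeners = []
    for line in output.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        process = "?"
        if len(parts) == 6:
            match = re.search(r'\(\("([^"]+)"', parts[5])
            if match:
                process = match.group(1)
        listeners.append(Listener(addr, int(port), process))
    return listeners


def exposed_services(output: str) -> list[tuple[str, int]]:
    """Services that a single router port-forward would make reachable."""
    return [(l.process, l.port) for l in parse_ss(output) if l.exposure() == "wildcard"]


if __name__ == "__main__":
    try:
        live = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for l in parse_ss(live):
        print(f"{l.exposure():10} {l.process:12} {l.addr}:{l.port}")
```

Anything reported as `wildcard` is the list to reconsider before the router is ever touched: either bind it to the Tailscale address, or leave the router closed so it stays LAN-only, which is exactly the state the advice above recommends.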
This is super helpful. Thank you so much! Yes, others have mentioned Tailscale and some comparable tools. But your explanation is very simple and clear. So I appreciate it very much.
Hi, I’m also a bit of a noob. Just curious why learning and setting up a firewall and network security should come after implementing something like tailscale?
I also started looking into self hosting earlier this year, but due to some life circumstances have put that project on hold. Before I even started setting up a server, I figured it would be best to establish a secure network layout. I set up a network with an opnsense router in a router-on-a-stick configuration attached to a switch, which then had a wireless access point and physical clients attached. Had a super basic, aka zero fine-tuning, firewall and 4 different vlans, two of which were accessible over wireless. Starting from 0 knowledge and experience, it took a bit for me to figure out lol. If I hadn’t had to put the project on hold, my next steps were going to be additional security steps taken within opnsense and some of their available plugins, but I never got that far. And of course, never even started setting up my server.
The way I looked at it, it would be easier to set up the network first, and not have to contend with the results of changing things around as I explored and implemented security features.
Container escalation exists. A gentle reminder Docker is a deployment strategy, it just so happens to have some security benefits. Don’t rely on these to secure your server.
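As an added example (not code from the thread), here is a small audit of the compose settings that most commonly weaken the container boundary the comment above warns about: `privileged: true`, mounting the Docker socket into a container, not dropping capabilities, not setting `no-new-privileges`, and publishing ports on all host interfaces. The compose document in the script is constructed and written as JSON (a valid YAML subset) so the standard library can parse it; the service names are placeholders.

```python
"""Flag compose service settings that weaken container isolation.

Added example, not from the thread. Reads a compose document (given here
as JSON, which YAML accepts) and returns per-service findings.
"""
import json

# Constructed compose file: one service with several risky settings,
# one hardened service for comparison.
SAMPLE_COMPOSE = json.dumps({
    "services": {
        "discourse": {
            "image": "discourse:latest",
            "ports": ["0.0.0.0:80:80"],
            "privileged": True,
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "db": {
            "image": "postgres:16",
            "ports": ["127.0.0.1:5432:5432"],
            "volumes": ["pgdata:/var/lib/postgresql/data"],
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "read_only": True,
        },
    }
})


def audit_compose(doc: str) -> dict[str, list[str]]:
    """Return {service: [finding, ...]}; an empty list means nothing flagged."""
    findings: dict[str, list[str]] = {}
    for name, svc in json.loads(doc).get("services", {}).items():
        issues = []
        if svc.get("privileged"):
            issues.append("privileged: true disables most isolation")
        # Access to the Docker socket lets a container start any other container,
        # including one with the host filesystem mounted: root on the host.
        if any(v.split(":")[0] == "/var/run/docker.sock" for v in svc.get("volumes", [])):
            issues.append("docker socket mounted: equivalent to root on the host")
        if "ALL" not in svc.get("cap_drop", []):
            issues.append("cap_drop: [ALL] not set")
        if not any(o.startswith("no-new-privileges") for o in svc.get("security_opt", [])):
            issues.append("security_opt no-new-privileges missing")
        for p in svc.get("ports", []):
            parts = p.split(":")
            # "80:80" has no host address and publishes on every interface.
            if len(parts) < 3 or parts[0] in ("0.0.0.0", "::"):
                issues.append(f"port {p} published on all interfaces")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for service, issues in audit_compose(SAMPLE_COMPOSE).items():
        print(service, "->", issues or "ok")
```

The hardened `db` service passes every check; the `discourse` service trips all five. None of these settings make Docker a security boundary on their own, but each one removed is one less shortcut from a compromised container to the host.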
Just curious why learning and setting up a firewall and network security should come after implementing something like tailscale?
The reason, based solely on my opinion, is simply that when people start self hosting, they usually want to try different applications; it’s enjoyable and fairly simple, but you can still learn a lot. Networking is a little bit harder to understand, and mistakes can be dangerous. Also, the results are not as tangible.
Last but not least, if you decide to stay local, you can avoid some of the networking hardships altogether.
One more thing I saw happening. If you start with networking you may find yourself abandoning homelabing simply because you may feel overwhelmed with complexity and the intangible reward.
Feel free to do whichever part you want first; in the end it’s about what you want to do.
Hi,
mind commenting on what your experience so far is and why you favor Netmaker over other products (Headscale, Netbird)? I still have some questions left:
- Is Netmaker suitable for typical home-lab road warrior setups, incl. (CG)NAT home router and/or dynamic IP?
- Does it use STUN/UDP hole punching and other “NAT magic tricks” sufficiently for NAT traversal, or did you need to resort to port forwarding on home router?
- Does it provide end-to-end encryption (in contrast to WireGuard hub and spoke with a public VPS)?
- Cross-platform support like iOS/Android apparently wasn’t so good in the past - has it improved since? IIRC, a separate agent app needs to publish current peer info like public key, ip etc. over HTTPS, to leverage NAT traversal - at least Tailscale does this.
- Are you using the pro version? I’ve heard they switched up their plans and don’t provide relay server support for community versions anymore.
Thanks in advance for any clarifications.