How do people access these servers off of their home network (or do they not?).
That seems like most of the value to me, hosting some service you can access from anywhere without having to use Digital Ocean.
It seems like most residential ISPs don't provide a static IP and some block port 80? I think forcing ISPs to allow home users to serve traffic via some standard method would go a long way to enabling a more decentralized web.
I know Zero Tier, and Tailscale exist - but I don't really understand how they work (and I think they require intermediate server access anyway so might as well use Digital Ocean?).
I'd like a future where you could sell users a raspberry pi running a service they can just plug into their home switch and access it securely from anywhere.
My ISP provides me with a CGNAT IPv4 address, so I can't hope to access externally. They delegated a /56 IPv6 subnet to me though. So I just set up Prefix Delegation on my router and allowed in TCP port 443 in the IPv6 firewall. I set up an NGINX reverse proxy. I set a static IPv6 address in my subnet on my servers. My mobile phone provider has IPv6 dual stack. In my public DNS I set up an AAAA record. So I can access all of my services over IPv6 natively on my phone which meets my needs (syncthing, airsonic, bitwarden). I like that I don't have to have any Split DNS, only one set of records. I don't have to hijack the zone for my internal network. It's like I automatically 'roam' when connected to WiFi, it gives me a higher priority route to my server through wifi rather than over mobile network. It works really, really well.
Dyndns to solve the static IP issue, and if not all ports are blocked set up WireGuard on an open port and connect via that. To be honest I prefer to not expose a lot of these home server type projects directly on the web as a lot aren't that secure. You're better off going via WireGuard.
The only place you get stuck and need an intermediary vps is if you are behind CGNAT. I came across this recently that helps set all that up. https://github.com/erikespinoza/v4raider
> How do people access these servers off of their home network (or do they not?).
Wireguard, listening on the public IP with port forwarding, and using a dynamic dns client to ensure I can always connect even if the public IP changes.
> It seems like most residential ISPs don't provide a static IP and some block port 80?
Not the case here in my experience (Spain), but if you're fine being the only one with access you only need to forward the VPN port.
> I know Zero Tier, and Tailscale exist - but I don't really understand how they work
I only used ZeroTier a bit, but IIRC it was something like:
1) Create a new network in the ZeroTier One website
2) Download the ZeroTier client on your machine(s)
3) Enter the network ID
4) (optionally) authorize the device on the web UI
5) Now the device can connect to other ZeroTier peers on the network you created!
(So yeah, at least the "easy" way involves using their server, no need to selfhost it). Also this option should work without port forwarding.
I use WireGuard via Tailscale. It's been a breeze since switching from a self managed solution on my Pis. Generating the keys, syncing them across the Pis, syncing the Pis' keys to the clients, all too much work. Tailscale has automated this.
Yup, Wireguard is what I use. I toyed around with both Traefik and Caddy as reverse proxies (not simultaneously, of course), but found it to be much more complicated to set up than a VPN. I wouldn't touch a reverse proxy for personal use again.
Can the ZeroTier client create a tunnel without root access? That's the biggest weakness of WireGuard IMO. One of the things I like about ngrok is it doesn't require root.
> Can the ZeroTier client create a tunnel without root access? That's the biggest weakness of WireGuard IMO.
No idea about ZeroTier, but you should be able to use WireGuard without root access using the userspace implementation in Go[0] (that's the one used in non-rooted Android phones, Windows, and maybe the BSDs)
I tried wireguard-go and it required root to create a tunnel. I wonder if it would be possible to adapt it to forward to a local port rather than mapping directly to a network interface.
ZeroTier uses central servers to assist machines behind NATs in finding each other.
These central servers basically exchange the external IPs of each machine on the virtual network. The nodes on the virtual network then try their best to establish peer-to-peer connections using those external IPs.
I use it all the time with a number of colleagues working from home and it works great! We can all join a virtual LAN and see each others machines behind our home broadband routers.
ZeroTier runs fine on Raspberry Pi. I use it to link machines at home with machines at work, on AWS, Azure, etc.
I've got a static-ish address, meaning that my ISP hasn't changed my IP in many years, even with modem or router reboots. I've been meaning to get a dynamic DNS provider, but it hasn't been a priority.
In terms of accessing local services, I'm using StrongSwan on a VM with the relevant ports forwarded from my router. Ideally, the router would run StrongSwan, but until I switch to pfSense I'm living with this setup.
iOS and MacOS devices get a .mobileconfig profile which automatically connects when needed and disconnects when the device returns to my home WiFi network. My Linux travel laptop can also connect, but I haven't figured out how to make this happen automatically yet.
I'm using a $3 VPS (hetzner) as a VPN server and access my local servers that way. You also get a regular VPN for free that way and setup is trivial if you use wireguard.
+1. Allows me to access my Jellyfin and file server from my laptop no matter where I am, all for a few bucks and a good learning experience with Wireguard.
My home IP is technically not static but doesn't change, even with router reboots. I still have dynamic dns set up, however, because I don't trust that to not change. My ISP threw a warning when I forwarded port 80 (something about the TV service) but I haven't had any issues (though I serve stuff mostly off 443). It's actually really convenient, especially since I have a few ten-year-old laptops I can use to host stuff. Since I got symmetric gigabit FTTH, I can do basically anything with it, even hosting big files.
If you have a linux box that's always on on your network, you can throw in a simple cron entry to curl a dynamic dns provider (entrydns.org works pretty well in my experience), which updates their dns entry for a url you set. Set up OpenVPN on your router, VPN to the URL, voila, access to your self-hosted services.
You definitely shouldn't expose most of these things directly to the net, they're not always bulletproofed as much as one would like.
I just enabled OpenVPN server in my router (gl-inet, openwrt-based), transferred the client.ovpn file to my phone, and bam. Whenever I'm away from home, I light up the VPN on the phone, and bam. There's my TheLounge IRC instance and other stuff just as if I was local.
Oh, I also set up a dynamic DNS service on said router, even though my IP address seldom changes, Murphy's law says the most important time for me to be able to tunnel home would be after an outage or something that reassigns the IP.
Up until recently I used dynamic DNS and it worked well for a small website and calendar server (radicale).
For hosting an email server a static IP is all but required, so I got the free tier VM.Standard.E2.1.Micro VPS at Oracle Cloud. It has a static IP and I forward stuff to my rpi3 with dyndns. All you need for this is a credit card.
One way to get a static IP is to rent a cheap VPS, put wireguard on it and use DNAT to forward IP to the client PI as wg client. Works well with an NGINX reverse proxy on the PI redirecting traffic to anything on your LAN.
My domain is hosted on namecheap and it has complimentary dyndns service. On my pi I have a cron dealio that occasionally shoots off to namecheap's API to update my home subdomain.
I use a little Raspberry Pi to host a little website as well. I use Cloudflare and run ddclient on the Raspberry Pi to notify Cloudflare when my dynamic ip address changes.
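The cron-driven updaters in the posts above (curl to entrydns, Namecheap's API, ddclient to Cloudflare) publish whatever address they observe. This added example, written for this thread and not taken from any poster or provider, adds the check a practitioner wants in front of that API call: it refuses to publish a CGNAT address (the 100.64.0.0/10 situation described earlier in the thread), LAN or documentation space, and only reports "update" when the public address actually changed. The IP-echo URL and the place where the provider call goes are placeholders.

```python
import ipaddress
import urllib.request
from typing import Optional, Tuple

# RFC 6598 shared address space: an "external" address in here means the ISP
# is doing CGNAT, so no port forward at home will ever be reachable.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")

def classify(addr: str) -> str:
    """Return 'public', 'cgnat', 'local' or 'unusable' for an address string."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "unusable"
    if ip.version == 4 and ip in CGNAT_V4:
        return "cgnat"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified):
        return "local"  # LAN, ULA or documentation space: never publish it
    return "public" if ip.is_global else "unusable"

def plan_update(cached: Optional[str], observed: str) -> Tuple[str, str]:
    """Decide the cron job's action: ('update', ip), ('skip', why) or ('alert', why)."""
    if classify(observed) != "public":
        return ("alert", f"observed {observed!r} is {classify(observed)}; not publishing")
    new_ip = str(ipaddress.ip_address(observed.strip()))
    if cached is not None and classify(cached) == "public" \
            and str(ipaddress.ip_address(cached.strip())) == new_ip:
        return ("skip", "address unchanged; no API call needed")
    return ("update", new_ip)

def observe_public_ip(echo_url: str) -> str:
    """Fetch the caller's address from an IP-echo service (assumed to reply in plain text)."""
    with urllib.request.urlopen(echo_url, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()

if __name__ == "__main__":
    # ECHO_URL is a hypothetical placeholder; pass the last published address
    # instead of None, and put your provider's update call in the 'update' branch.
    ECHO_URL = "https://ip-echo.example/"
    action, detail = plan_update(None, observe_public_ip(ECHO_URL))
    print(action, detail)
```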
I don't see how this is seriously a suggestion. Not everyone lives in Silicon Valley and earns a >20k/yr paycheck. There are other things to consider like reliability, cost, that force your hand.
Anyway, an ISP that blocks port 80 or uses CGNAT is obviously not a good selection for such a user. So it's a serious suggestion if you can choose your ISP. There are many places where you can choose an ISP even outside SV (maybe outside the US).
What else do you want? If your ISP blocks incoming connections then that's the end of the story. The answer is either complex things like tor or switching ISP.
My dynamic IP address with Comcast is pretty much static but I guess it is not a guarantee... I can get it to change by spoofing my router MAC address though.