Hi All, I know it was asked multiple times but I’m a noob.

What is the best way to access my server from external network? I know I can open a port on router (not recommended), Tailscales, Wireguard or Direct VPN. I will access from android phone and maybe from other devices.

What I want to try to access (mainly docker on NAS)

  • bitwarden
  • calibre
  • setup home assistant
  • possibly RSS server
  • nextcloud
  • plex server (already remote access)
  • maybe docker apps too

Thanks

  • 𝘋𝘪𝘳𝘬@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 years ago

    I know I can open a port on router (not recommended)

    This is basically the only option you have if you want to provide access from external to selfhosted applications. Just forward the desired ports to the machine where the services are running on.

    The less entry points you have, the better. You could “bundle” all web-based applications on port 443 and use a reverse proxy to route the traffic to the actual port based on the hostname the access was done on.

    So in your router you define that all https traffic (port 443) is forwarded to your server, and on your server there is running a reverse proxy listening on port 443. All of your applications are listening on different ports that are not accessible from external. The reverse proxy then takes the hostname used for access and proxies the traffic to the actual host based on that hostname.

    With this you have only one port open on your router and this one port is only forwarded to one single machine. Everything else is handled by that machine.

    • wolfowl@beehaw.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      Thanks. I tried setting up reverse proxy through synology and failed miserably. I might try again.

    • marsara9@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 years ago

      This doesn’t stop the requirement to open at least one port on your router… but you could just setup a Wireguard server instead of exposing a reverse proxy. This way any attack on your network has to get through Wireguard rather than the reverse proxy and/or any of the services that it’s exposing.

      • 𝘋𝘪𝘳𝘬@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 years ago

        Yep. You need at least one forwarded port to at least one “endpoint”.

        What exactly that endpoint may be depends on the individual setup. Let it be a Wire guard server, or an reverse proxy, or some VPN server.

        In my setup the entry point is a reverse proxy is in a Docker container with exposed port 443 doing all the proxying and certificates to web applications.

  • ram
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 years ago

    You could use Cloudflare Tunnels. If you want to be the only one with access to them, you could set it in your private networks, which are only accessible to you on any device with the WARP client installed.

  • Tenebris Nox@feddit.uk
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    I’m fairly noob-ish but have run Tailscale like this for about a year:

    Tailscale on your NAS runs as the host and when you open the Tailscale app on your phone you copy the IP it gives you and use that (plus the port that your services like Bitwarden, Calibre etc each use). Eg.

    100.121.9.23:8081

    THAT’s the sort of IP you the add to the Bitwarden app or type into your web browser.

    I’m pretty amateur with tech but found Tailscale pretty easy to set up and run.

  • kraxyk@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    So really you have a decision to make here. Will you always have access to the VPN when you want to use those services. I suspect the answer is no in practicality. So I prefer to use something like Cloudflare tunnels to provide secure access to my network resources I’m choosing to share. I dont have to worry about ever use and every device always using a VPN. That’s just my preference though. It should be noted that I believe video and audio streaming is still against thr ToS for cloudflare tunnels. So for those applications I night use a different strategy like a VPN or wireguard.

  • Parsnip8904@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 years ago

    I use tailscale for this with no issues. It traverses my CGnat without significant speed reduction. Just install tailscale on the hosts with the services on them and use magic dns or install tailscale on a vm/container and have it advertise your home subnet as a subnet router.