this post was submitted on 09 Jun 2025
701 points (98.9% liked)

Selfhosted


Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth

Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).

“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”

Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.

[–] HelloRoot@lemy.lol 149 points 1 day ago (4 children)

a long runway that allows us to become profitable when needed

Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh

[–] three@lemmy.zip 47 points 1 day ago

Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?

[–] kratoz29@lemm.ee 22 points 1 day ago (2 children)

I mainly use Tailscale (and ZeroTier) to access my CGNAT'd LAN; Headscale will require me to pay a subscription for a VPS, wouldn't it?

I really envy the guys who say they only use them because they're too lazy to open ports or want a more secure approach; I use them because I NEED them lol.

If (when?) Tailscale enshittifies, I'll stick with ZT a bit until it goes the same way lol. I started using it first; I don't know if ZT came before Tailscale though.

[–] not_amm@lemmy.ml 9 points 1 day ago (1 children)

Same. I mean, I was already looking to rent a VPS, but at least there's some time so I can save money until things get weird.

[–] kratoz29@lemm.ee 6 points 1 day ago (1 children)

Yeah, don't get me wrong, I can see the value of getting a VPS, especially if you are gonna be using it for some other projects. I have had a DO instance in the past and I tinkered with WG back then BTW, but if it is only for remotely accessing your home LAN, I don't feel like paying for it tbh, especially when some users get it for free (public IPv4), and it feels even dumber for me since I have a fully working IPv6 setup!

BTW my ISP is funny, no firewall at all with it. I almost fainted when I noticed everyone could access my self-hosted services with the IPv6 address and I had done nothing regarding ports or whatsoever... They were fully accessible once I fired up the projects! I think I read an article about this subject... but I can't recall when or where... I had to manually set up a firewall, which tbh you always should do, and it is especially easy to do on a Synology NAS.

Anyway, back to the mesh VPN part: if they enshittify, so be it, but in the meantime we can still benefit from it.

[–] tux7350@lemmy.world 3 points 1 day ago (1 children)

That's just how IPv6 works. You get a delegated address from your ISP for your router and then any device within that gets its own unique address. Considering how large the pool is, all addresses are unique. No NAT means no port forwarding needed!
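The failure mode described in the two comments above (every host gets a globally routable IPv6 address, nothing in front of it filters, so whatever is listening is reachable from the whole internet) is normally handled with a default-deny input policy on the host itself. The following is an added example, not code from anyone in this thread, for a generic Linux box with nftables rather than a Synology NAS; it also includes a small check that lists which listening sockets are actually reachable over IPv6. The prefix 2001:db8:1::/64 is the documentation prefix standing in for your delegated /64, the exposed ports and the sample `ss` output are constructed, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): default-deny IPv6 input policy for a
# Linux host that got a globally routable address with no ISP-side filtering,
# plus a check of which sockets are reachable from outside over IPv6.
# Assumed: nftables installed, LAN prefix 2001:db8:1::/64 (documentation prefix,
# replace with your delegated /64), reverse proxy on 80/443 is meant to be public.
set -eu

LAN_PREFIX="2001:db8:1::/64"   # assumption: your delegated prefix

# Render the ruleset. ICMPv6 must stay open or neighbour discovery, router
# advertisements and path MTU discovery break; everything else is dropped
# unless it is a reply to our own traffic or deliberately listed below.
ipv6_ruleset() {
  cat <<EOF
table ip6 filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto ipv6-icmp accept
    # DHCPv6 replies from the link-local router
    ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
    # management only from inside the LAN prefix
    ip6 saddr ${LAN_PREFIX} tcp dport 22 accept
    # services you intend to expose, e.g. the reverse proxy
    tcp dport { 80, 443 } accept
  }
}
EOF
}

# Replace any existing ip6 filter table with the one above (needs root).
apply_ipv6_firewall() {
  nft list table ip6 filter >/dev/null 2>&1 && nft delete table ip6 filter
  ipv6_ruleset | nft -f -
}

# Read `ss -H -6 -ltn` output on stdin and print the listeners reachable from
# outside: anything bound to the wildcard ([::] or *) or a global address.
# Loopback (::1) and link-local (fe80::) sockets are skipped.
exposed_v6_listeners() {
  local line laddr addr
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    laddr=$(printf '%s\n' "$line" | awk '{print $4}')      # Local Address:Port column
    addr=$(printf '%s' "$laddr" | sed 's/:[0-9]*$//; s/^\[//; s/\]$//')
    case "$addr" in
      ::1|fe80:*) continue ;;
      *) printf '%s\n' "$laddr" ;;
    esac
  done
}

# Constructed sample of `ss -H -6 -ltn` output, not captured from a real host.
sample_ss_output() {
  printf '%s\n' \
    'LISTEN 0 128 [::]:22 [::]:*' \
    'LISTEN 0 4096 [::1]:631 [::]:*' \
    'LISTEN 0 511 *:8096 *:*' \
    'LISTEN 0 64 [fe80::1%eth0]:546 [::]:*'
}

# Usage on a real host:  ss -H -6 -ltn | exposed_v6_listeners
#                        apply_ipv6_firewall   (as root)
sample_ss_output | exposed_v6_listeners
```

Run the listener check before and after applying the ruleset: the sockets it lists are the ones the policy must either accept on purpose or leave unreachable. The sample output above yields `[::]:22` and `*:8096`, i.e. SSH and (in this constructed case) a Jellyfin-style port bound to all addresses, while the CUPS socket on `::1` and the DHCPv6 client on link-local are not exposed.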

[–] kratoz29@lemm.ee 1 points 3 hours ago

I guess so. My previous ISP also gave me an IPv6 address (I could browse using it) but I could never access my NAS services with it from an IPv6-ready network. I thought it would be the same with the newer ISP, but nope.

Maybe some firewall is active at the ISP? I could not do much tinkering back then as I used the stock modem (router) and it was heavily locked down.

[–] gungho4bungholes@lemmy.world 4 points 1 day ago (3 children)

A VPS can be really inexpensive; I pay $3 a month for mine.

[–] 0_o7@lemmy.dbzer0.com 2 points 13 hours ago (1 children)

Or get something like a Raspberry Pi (second hand or on sale). I have Netbird running on it and I can use it to access my home network and also to tunnel my traffic through it.

[–] gungho4bungholes@lemmy.world 1 points 3 hours ago

I don't think that would solve the CGNAT issue. I use a VPS because I don't want to pay $250 a month for a Starlink routable IP.

[–] Vanilla_PuddinFudge@infosec.pub 4 points 1 day ago* (last edited 1 day ago) (1 children)

Same, my Hetzner proxy running NPM, with PiVPN and Pi-hole, is doing all it needs to do for $3 and some change.

My only open ports on anything I own are 80, 443 and the WG port I changed on that system. Love it.

[–] Croquette@sh.itjust.works 3 points 1 day ago (1 children)

How does WG work on the local side of the network? Do you need to connect each VM/CT to the WireGuard instance?

I am currently setting up my home network again, and my VPS will tunnel through to my home network, and NPM will run locally on the local VLAN for services and redirect from there.

I wonder if there is any advantage to run NPM on the VPS instead of locally?

[–] Vanilla_PuddinFudge@infosec.pub 3 points 18 hours ago* (last edited 18 hours ago) (1 children)

The VPS is the WG server and my home server is a client, and it uses Pi-hole as the DNS server. Once your clients hang around for a minute, their hostnames will populate in Pi-hole and become available just like TS.

You do have to set AllowedIPs to WG's subnet so your clients don't all exit-node from the server, so you'll still be able to use 192.168.0.0 at home for speed.

As for NPM, run it on the proxy, aim (for example) Jellyfin at 10.243.21.4 on the WG network and bam.

[–] Croquette@sh.itjust.works 1 points 14 hours ago (1 children)

I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.

Your Pi-hole acts as your DNS, so the VPS uses the Pi-hole through the tunnel to check for the IP translation, as set through the DNS directive in the WG file. For example, my Pi-hole is at 10.0.20.5, so the DNS will be that address.

On the local side, the Pi-hole is the DNS for all the services on that subnet and each service automatically populates its hostname in Pi-hole. I can configure the DNS server in my router/firewall (OPNsense in my case).

So when I ping service.example.com, it goes through the VPS, which queries the Pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

So when I have the WG connection active and my Pi-hole is the DNS, every web request will go through the Pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service; otherwise, the connection will go outside the WG tunnel.

Does that make sense?

[–] Vanilla_PuddinFudge@infosec.pub 1 points 12 hours ago* (last edited 12 hours ago) (1 children)

the VPS uses the pi-hole through the tunnel

The VPS is the Pi-hole; the DNS for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the DNS address.

server dns - itself

client dns - the server's wg address

On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)

Only if your router/firewall can directly connect to WG tunnels, but I went for every machine individually. My router isn't aware I host anything at all.

So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

Pi-hole (in my case) can't see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.

So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.

AllowedIPs = 10.x.x.0/24 - only connects the clients and server together

AllowedIPs = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.

Do the top one, that's how TS works.
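The layout worked out across the last few comments (VPS is the WireGuard server and runs Pi-hole, the home server is a client whose DNS is the server's tunnel address, AllowedIPs limited to the tunnel subnet so only tunnel traffic leaves via the VPS, and NPM on the VPS pointed at the home server's tunnel IP) as a pair of wg-quick configuration files. This is an added example, not a config from anyone in the thread: the 10.243.21.0/24 subnet and the 10.243.21.4 Jellyfin host come from the comments above, while the endpoint name vps.example.com, the listen port 51820, the placeholder key strings, the output file names and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): render the two wg-quick configs for the
# "VPS = WireGuard server + Pi-hole DNS, home server = client" layout.
# Keys are placeholders; on each box run: wg genkey | tee privkey | wg pubkey > pubkey
set -eu

WG_NET="10.243.21.0/24"            # tunnel subnet used in the thread
SERVER_WG_IP="10.243.21.1"         # VPS tunnel address; Pi-hole listens here, so clients use it as DNS
CLIENT_WG_IP="10.243.21.4"         # home server (the Jellyfin host in the thread's example)
ENDPOINT="vps.example.com:51820"   # assumed public name and UDP port of the VPS

# Server side (the VPS). For the split-tunnel case it forwards nothing, so no
# ip_forward/MASQUERADE is needed; only UDP 51820 must be open on its firewall.
render_server_conf() {
  local server_key="$1" client_pub="$2"
  cat <<EOF
[Interface]
Address = ${SERVER_WG_IP}/24
ListenPort = 51820
PrivateKey = ${server_key}
# Pi-hole runs on this host; the server's own resolver stays 127.0.0.1.

[Peer]
# home server; only its single tunnel address is accepted from this peer
PublicKey = ${client_pub}
AllowedIPs = ${CLIENT_WG_IP}/32
EOF
}

# Client side (the home server). mode=split keeps only tunnel-subnet traffic in
# the tunnel, which is the "do the top one" case; mode=full makes the VPS an exit
# node (and then the VPS additionally needs forwarding + NAT, not shown here).
render_client_conf() {
  local client_key="$1" server_pub="$2" mode="${3:-split}"
  local allowed
  case "$mode" in
    split) allowed="$WG_NET" ;;
    full)  allowed="0.0.0.0/0" ;;
    *) echo "mode must be split or full" >&2; return 1 ;;
  esac
  cat <<EOF
[Interface]
Address = ${CLIENT_WG_IP}/24
PrivateKey = ${client_key}
DNS = ${SERVER_WG_IP}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${ENDPOINT}
AllowedIPs = ${allowed}
# keepalive is what makes this work behind CGNAT: the home side dials out and
# keeps the NAT mapping open, so the VPS never has to reach in
PersistentKeepalive = 25
EOF
}

# Write both files into a directory (normally /etc/wireguard on the respective box).
write_wg_configs() {
  local outdir="$1" mode="${2:-split}"
  mkdir -p "$outdir"
  umask 077   # the files contain private keys; keep them owner-readable only
  render_server_conf "SERVER_PRIVATE_KEY_PLACEHOLDER" "CLIENT_PUBLIC_KEY_PLACEHOLDER" \
    > "$outdir/server-wg0.conf"
  render_client_conf "CLIENT_PRIVATE_KEY_PLACEHOLDER" "SERVER_PUBLIC_KEY_PLACEHOLDER" "$mode" \
    > "$outdir/client-wg0.conf"
}

# Usage: write_wg_configs ./out split   (then copy each file to its host as wg0.conf
# and `wg-quick up wg0`; the NPM proxy host on the VPS then targets http://10.243.21.4:8096)
write_wg_configs "${1:-./wg-out}" "${2:-split}"
```

Two points worth checking on a real deployment: the server's `AllowedIPs` for each peer is a /32, which is what stops one home client from spoofing another's tunnel address; and with `split` the home server still reaches 192.168.x.x devices directly, exactly as the comment describes, because only 10.243.21.0/24 is routed into wg0.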

[–] Croquette@sh.itjust.works 1 points 12 hours ago

Thanks for the info, I appreciate it.

[–] three@lemmy.zip 1 points 23 hours ago

~$1.91 a month (paid $22.99 for a year) at RackNerd!

[–] Showroom7561@lemmy.ca 10 points 1 day ago

Bookmarking "headscale"!

I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a network bridge.

This sounds like a great alternative, and it looks like it can even work on a Synology NAS.

[–] muntedcrocodile@lemm.ee 2 points 1 day ago

I can't, unfortunately. The only feature I use is the fact that I can access my IPv6-only server via an IPv4-only network.