this post was submitted on 07 Oct 2024
Selfhosted

I'm re-setting up my HomeLab and one of the things I'm trying to learn about on this go-around is Zero Trust networking. To accomplish this I am planning on using NetBird's mesh overlay network. I would like all of my services to use the NetBird mesh network at all times, whether they are communicating within my homelab's LAN or I am accessing them from outside via the greater internet.

I have successfully set up the NetBird management interface on a Hetzner VPS; however, the issue I run into is that if I lose internet access at home, none of my services are able to function, as they can no longer reach the management interface. However, if I self-host the management interface in my homelab, I am unable to access it from outside my home LAN.

I've identified 2 solutions that could solve this:

  1. Self-host the management interface and set up a Cloudflare tunnel to the management interface, which would allow access from outside my home network.

  2. Self-host the management interface, then set up a WireGuard proxy/tunnel on a VPS that forwards traffic to my management interface (similar in my mind to option 1, but not relying on Cloudflare).

What are your thoughts? Any other ideas?

I appreciate your comments/criticisms!

sxan@midwest.social, 1 point, 1 month ago

I don't know anything about the Zero Trust network you're working with, but this is essentially the same as what I'm doing with Home Assistant. It runs on the LAN, because it's controlling everything in my house. The server is on a battery backup, most of my devices are z-wave, and several are battery powered. I can lose internet and power to the house, and still disarm the alarm and unlock the front door, at least until the UPS runs out, which is several hours.

Since HA is on my LAN, accessing it while traveling requires exposing my server to the internet, which terrifies me. I do have VPSes, though, and I have one locked down such that it's only accessible via VPN. It's not exposing any ports to the WAN except the WireGuard ports. To get to my HA, I connect to that one VPS via the VPN, which is on a VPN subnet with my home server.

The downside is that it is not possible to access my LAN (and, therefore, my HA server) without a pre-configured client. If I don't have my laptop or phone, I can't get to my LAN. If my VPS went down, I couldn't get to my LAN. And, obviously, if my home internet goes down, I can't get to my LAN. I'd rather be safe than sorry, though.
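As an added example (not code from the post, from the commenter, or from the NetBird project), the script below renders the three files that option 2 in the original post needs on a VPS, with the VPS locked down the way the comment above describes: the only port open to the internet is the WireGuard UDP port, SSH to the VPS is reachable only over the tunnel, and public TCP/443 is DNAT'd through the tunnel to the home-hosted management server. Everything concrete in it is an assumption chosen for illustration: the interface name `eth0`, the tunnel subnet `10.20.0.0/24`, the ports, the documentation address `203.0.113.10`, and the `<..._KEY>` placeholders that you replace with real keys from `wg genkey` / `wg pubkey`. The VPS additionally needs `net.ipv4.ip_forward=1`.

```shell
#!/bin/sh
# Added example, not from the post or from NetBird. Renders WireGuard configs for
# both ends of a VPS-to-home tunnel plus an nftables ruleset for the VPS that
# exposes only WireGuard to the WAN and forwards public TCP/443 to the home server.
# All addresses, interface names, ports and keys below are placeholders.
set -eu

WG_PORT=51820                 # the only UDP port the VPS accepts from the WAN
WAN_IF=eth0                   # VPS public interface (assumed name)
VPS_WG_IP=10.20.0.1           # VPS address inside the tunnel
HOME_WG_IP=10.20.0.2          # home server address inside the tunnel
MGMT_PORT=443                 # port the home-hosted management server listens on
VPS_PUBLIC_IP=203.0.113.10    # placeholder from the documentation range

# VPS side: it listens, the home side dials in. No Endpoint for the home peer
# because the home server sits behind NAT and its address is learned on contact.
vps_wg_conf() {
cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Home side: PersistentKeepalive keeps the NAT mapping open so the VPS can push
# forwarded client traffic down the tunnel at any time.
home_wg_conf() {
cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# VPS firewall. Drop the "ip nat" table and the forward rule to get the
# comment's posture instead: nothing but WireGuard exposed, services reached
# only from pre-configured VPN clients.
vps_nft_conf() {
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # the only service exposed to the internet: WireGuard
    iifname "${WAN_IF}" udp dport ${WG_PORT} accept
    # administer the VPS over the tunnel only, never from the WAN
    iifname "wg0" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # forwarded traffic may only reach the management port on the home peer
    iifname "${WAN_IF}" oifname "wg0" ip daddr ${HOME_WG_IP} tcp dport ${MGMT_PORT} accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "${WAN_IF}" tcp dport ${MGMT_PORT} dnat to ${HOME_WG_IP}:${MGMT_PORT}
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # SNAT to the tunnel address: the home peer only routes ${VPS_WG_IP}/32 back
    # through wg0, so replies to a public client IP would otherwise leak out its
    # default route. Cost: the management server sees every client as ${VPS_WG_IP}.
    oifname "wg0" ip daddr ${HOME_WG_IP} snat to ${VPS_WG_IP}
  }
}
EOF
}

# Write all three files into a directory (default: a fresh temp dir) for review
# before copying them to /etc/wireguard/ and /etc/nftables.conf. Prints the dir.
render_all() {
  out=${1:-$(mktemp -d)}
  vps_wg_conf  > "$out/vps-wg0.conf"
  home_wg_conf > "$out/home-wg0.conf"
  vps_nft_conf > "$out/vps-nftables.conf"
  echo "$out"
}

# Run directly with an output directory, e.g.: sh render.sh /tmp/wg-out
if [ "${1:-}" != "" ]; then
  render_all "$1"
fi
```

Two things to keep in mind with this layout: public 443 on the VPS is now an internet-facing door to the management server (that is what option 2 asks for), so the home side still needs proper TLS and authentication on that port; and because of the SNAT the management server's logs will show the VPS tunnel address rather than real client addresses.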