this post was submitted on 22 Dec 2023
35 points (100.0% liked)

Selfhosted

40296 readers
251 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

My self-hosting experience is primarily with Plex and qBittorrent, but I'm trying to get a digital library set up that will be available remotely. I've been reading about some options, but I'm not sure about what is best to use or how to deploy it.

What is the best way to make Kavita available to remote users safely from a home server?

top 17 comments
sorted by: hot top controversial new old
[–] godzillabacter@lemmy.world 16 points 11 months ago (2 children)

You'll have to strike a balance between security and ease. Your two major options are reverse proxy and VPN (Tailscale is one option for VPN)

For reverse proxy, you functionally open the app to the internet. Anyone with the correct web address can access the login page. This is inherently less secure than VPN, but not irresponsibly so. Beyond the reverse proxy itself, you'll also have to learn how to configure an HTTPS certificate to increase security since it will be open to the internet.

For VPN, every user you want to be able to access the service has to be tied into the VPN and have the VPN running throughout their access. Tailscale is arguably the easiest way to configure a VPN right now, as you won't have to manually deal with VPN configuration files for every device. VPN use will functionally make it like you're on your home network. VPN access to your network should not be given to tons of people if at all possible.

[–] tristan@aussie.zone 7 points 11 months ago (1 children)

Tailscale also has the funnel option to open up a single service to the outside world without needing a reverse proxy and has its own ssl certificates

[–] WeirdGoesPro@lemmy.dbzer0.com 2 points 11 months ago

This is what I’m looking for! Would I basically pay for a remote server that bounces the signal through Tailscale securely?

[–] Atemu@lemmy.ml 3 points 11 months ago (2 children)

VPN use will functionally make it like you’re on your home network. VPN access to your network should not be given to tons of people if at all possible.

Note that Tailscale does not give other users access to your entire home network but just specific machines and you need to explicitly share those machines.

[–] WeirdGoesPro@lemmy.dbzer0.com 4 points 11 months ago (1 children)

This is exactly what I need. I’m only trying to open one service in one container to the outside world.

[–] Atemu@lemmy.ml 2 points 11 months ago (1 children)

Hm, in that case Tailscale isn't quite what you want. It's not about opening up to the internet but rather your own virtual private network (hey, a VPN) with manually approved devices.

They do have a new Funnel feature which allows exposing specific parts to the Internet via their proxy though: https://tailscale.com/blog/introducing-tailscale-funnel

[–] WeirdGoesPro@lemmy.dbzer0.com 1 points 11 months ago (1 children)

Why wouldn’t the funnel solution be exactly what I’m looking for? Feels almost too good to be true.

If I’m understanding this correctly, I just have to set up Tailscale funnel on my local server, and it will generate a publicly accessible IP through their proxy that can be accessed remotely in a similar fashion to how Plex premium routes signals through their proxy for easy remote access? If that’s correct, that’s basically my dream solution because it only exposes kavita and doesn’t require a secondary server to bounce the signal through.

[–] Atemu@lemmy.ml 1 points 11 months ago* (last edited 11 months ago) (2 children)

There's three reasons:

  • As mentioned in the blog post, Funnel is still a rather new feature. It's still in beta.
  • It goes far beyond Tailscale's core purpose; it's basically a separate service.
  • It's free for now but probably won't be for long. TS' core functionality will likely be free or at worst very low cost for a long time but public hosting is a helluvalot more costly and also dangerous.

That said, if I had to share something with the public internet temporarily, I'd try not doing that first but could see myself using TS Tunnels.

[–] WeirdGoesPro@lemmy.dbzer0.com 1 points 11 months ago (1 children)

I need to share permanently though. Would it be better to use tailscale to make a connection to a remote server and then use that server as a front end that bounces back to my home server?

[–] Atemu@lemmy.ml 1 points 11 months ago* (last edited 11 months ago)

Not really. As soon as you have a path from global internet into your home network, all bets are off and you're now in charge of securing all of that against the entire world.

That said, if this is a regular old HTTP service, I believe Cloudflare Tunnels offer a way to put an authentication mechanism in front. This can work if, just like with Tailscale, you have a limited known set of users but the difference is that those users don't to have to install and use a VPN client to access your service but rather authenticate using an "external" HTTP service through their browser. Again, I do not believe this works for services accessed through APIs and certainly not ones using custom protocols.

I can't stress enough that getting those remote users to use Tailscale is probably the best and easiest solution.

[–] Rootiest@lemmy.world 1 points 10 months ago (1 children)

I would disagree.

Particularly on the cost/beta stuff.

Tailscale has long supported DNS addresses that link to your tailnet. Typically they only accept connections from addresses allowed within your tailnet, but there isn't anything particularly complex about how funnel allows any incoming address.

Further, like most of tailscale's operations, funnel isn't requiring them to host or even proxy any significant amount of data, it's just directing incoming connections on that domain to a device on your tailnet.

The hosting cost to tailscale is insignificant and really no different than what they do on a basic tailnet.

I don't think it will become a paid only option and I don't think it's too beta to use for a home server.

Personally I don't bother using it because I'm comfortable exposing my IP address and opening a port to my home server using direct DNS.

But there are some advantages to using tailscale funnel in that your ip will be obfuscated and the traffic will be routed through WireGuard so potentially more secure.

[–] Atemu@lemmy.ml 1 points 10 months ago (1 children)

Typically they only accept connections from addresses allowed within your tailnet, but there isn’t anything particularly complex about how funnel allows any incoming address.

P2P wireguard connections that is. Funnel needs to accept arbitrary connections.

Further, like most of tailscale’s operations, funnel isn’t requiring them to host or even proxy any significant amount of data, it’s just directing incoming connections on that domain to a device on your tailnet.

And how is that supposed to work without proxies? You can't just point DNS at some device's public IP and then expect everyone to be able to connect to it; that's not how firewalls work. TS IPs aren't routed on the public internet either (100.0.0.0/8 is IANA reserved).

AFAIK the way TS has always worked is that it does its P2P magic to build WG tunnels between devices and then does regular IP over those. IP traffic cannot go between devices otherwise (unless they're on the same network ofc.).

there are some advantages to using tailscale funnel in that your ip will be obfuscated and the traffic will be routed through WireGuard so potentially more secure.

How exactly is your IP going to be obfuscated without proxies? How will traffic be routed through WG without proxies?

[–] Rootiest@lemmy.world 2 points 10 months ago

You are right, I dunno why I thought it wasn't actually proxying all the traffic.

I can see how that could potentially be expensive for them if you were using it to stream video or something

[–] MSgtRedFox@infosec.pub 0 points 11 months ago

These are good suggestions. I've heard very good things about zerotier, tailscale, and a couple of open source alternatives that let you run your own coordination server on a static IP.

Point of clarification, a good VPN product gives ACL options that can restrict the tunneled traffic to specific hosts. You doing have to give remote VPN users access to an entire network.

Between these two options, the consequences of doing it wrong might be a little higher when you open up public access like proxy. A little less risk doing VPN or overlay remote access like tailscale.

[–] rambos@lemmy.world 5 points 11 months ago

I was asking the same question a year ago and now Im running 30-40 services, all available remotely using VPN.

Everyone is talking about tailscale and how easy it is to setup (never tried it), but I went for pure wireguard VPN and IMO its not complicated at all. I have 3 devices with access to VPN, but I also use reverse proxy NPM (+ pihole as DNS server) just to be able to use custom domain like nextcloud.example instead of typing IP:PORT. I dont feel comfortable with opening ports to public, but had 0 issues with wireguard port opened (so far).

Just giving you an example, other people here might have better advices

[–] Decronym@lemmy.decronym.xyz 2 points 11 months ago* (last edited 10 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
Plex Brand of media server package
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network

6 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #371 for this sub, first seen 24th Dec 2023, 14:05] [FAQ] [Full list] [Contact] [Source code]

[–] m12421k@iusearchlinux.fyi 1 points 11 months ago

given that you're looking at vpns I'm assuming you can't do port forwarding on your network. Am I right?

Have you seen zerotier? it lets you create a virtual network. super easy to setup but in the default configuration you're relying on a third party service. not sure if that's ok with you.

The most user-friendly way to do it is hosting it on a https server. for this you need a reverse proxy. checkout caddy. or if you're on docker try traefik.

Most home isps don't let you open port 80 and 443 so you have to use alternative ports which is ok for https but it will make renewing certificates really hard. you have to do it with dns. if it works great. but in my experience it was usually finicky.