view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Another question: I set up the Immich docker image and I'm using Mullvad VPN, however Mullvad VPN removed in-app port forwarding last year. I'm curious whether there is a solution to use Split Tunneling for Immich via another VPN to setup secure remote access outside of the home network?
https://github.com/immich-app/immich/discussions/8299
I just got this working today and can say it's quite an elegant solution. It means anyone with a Google account (that I allow through Cloudflare settings) can take advantage of immich. I plan to be the storage server for my family so they can have automatic photo backups.
If you decide to go that route and have questions, hit me up. I spent a while troubleshooting issues caused by not creating a SaaS application in Cloudflare, so read the directions exactly.
Thank you for the comment, a very interesting solution! I'm thinking of using Google as little as possible however. I would like to look into how to setup some access from outside the network via some VPN shenanigans.
I was also looking at automating backups with Cron - both DB and images to other disks and devices.
I got Immich up and running but have had some stuff come in the way to spend more time with it.
Yeah, I would prefer not to use Google, so I'm going to figure out how to use another authenticator. I wish Proton had the ability to be an authenticator, but I haven't seen a way to do that yet.
But all my family has a Google account, so it just makes things easier.
Mullvad is great for outbound VPN, but inbound is a PITA without port forwarding (as you've said). I just host a Wireguard container for inbound connectivity now, and it works flawlessly.
I'm confused as to how outbound and inbound would be different. Would the traffic not go from the VPN endpoint to your device?
This may take us down a bit of a rabbit hole but, generally speaking, it comes down to how you route traffic.
My firewall has an always-on VPN connected to Mullvad. When certain servers (that I specify) connect to the outside, I use routing rules to ensure those connections go via the VPN tunnel. Those routes are only for connectivity to outside (non-LAN) addresses.
At the same time, I host a server inside that accepts incoming Wireguard client VPN connections. Once I'm connected (with my phone) to that server, my phone appears as an internal client. So the routing rules for Mullvad don't apply - the servers are simply responding back to a LAN address.
I hope that explains it a bit better - I'm not aware of your level of networking knowledge, so I'm trying not to over-complicate just yet.
I also route everything through my pfsense firewall to mullvad VPN. I've been looking at various ways to access the internal network from the outside internet safely, and I'm a bit hesitant to open that hole just yet. Cloudflare tunnel seems like the easiest option but apparently they can see everything you put through the tunnel and I'm not real comfortable with that.
Does one need a dynamic dns to use wireguard to tunnel back in, or is there another way of ensuring you can connect to the correct location? Does the wireguard server run on docker?
You do need to be able to reach your public IP to be able to VPN back in. I have a static IP, so no real concerns there. But, even if I didn't, I have a Python script that updates a Route53 DNS record for me in my own domain - a self-hosted dynamic DNS really.
You certainly can run Wireguard server in a docker container - the good folks over at Linuxserver have just the repo for you.
Thanks, I'll give this a shot in the coming week!
PIA allows split tunneling in their app