32

I'm currently running both a home server and a VPS. The former is not reachable through the internet, only through vpn. The latter hosts public services.

The VPS is regularly cutting it very close with storage and today I messed up and crashed the whole stack trying to make an impromptu backup. Lesson learned: we need more storage! I could just rent more storage but just today I updated my home server with 16 TB of raid 1 enterprise HDDs.

So I thought I could maybe do a (wireguard) VPN tunnel directly to some storage service that I host on my homeserver. The upload is not great but realistically I dont need much. The important stuff stays on the VPS. Mainly videos, pictures and other stuff that doesnt get accessed a lot should go there. The rest should be "cached" at the VPS.

I would have to host wireguard on a server port, only have it access one folder which doesnt contain anything important, forward the port on the router and have the vps have the keys. Even if someone gets into the VPS and steals the keys, they only get that one file storage folder.

Has anyone done this? Are there services that do this or do I just host wireguard and thats it?

Thanks for reading. Have a good one! :)

top 30 comments
sorted by: hot top controversial new old
[-] Dran_Arcana@lemmy.world 16 points 8 months ago

You should consider reversing the roles. There's no reason your homelab cannot be the client, and have your vps be the server. Once the wireguard virtual network exists, network traffic doesn't really care which was the client and which was the server. Saves you from opening a port to attackers on your home network.

[-] haui_lemmy@lemmy.giftedmc.com 1 points 8 months ago

Thats a pretty cool idea! Thank you very much!

[-] TCB13@lemmy.world 4 points 8 months ago

You can also configure your server to only accept traffic on the VPN port coming from your home IP address if you've a static one. Or.. only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). This will provide you an extra layer of security.

Either way don’t be afraid to expose the Wireguard port because an attacker won’t even know there’s something listening on that port as it will ignore any piece of traffic that isn’t properly encrypted with your keys;

[-] haui_lemmy@lemmy.giftedmc.com 2 points 8 months ago

Thanks for the info. That sounds doable.

[-] solrize@lemmy.world 5 points 8 months ago

Tbh I sometimes sshfs mount a vps onto a home machine but doing it the other way around doesn't seem worthwhile. The idea of a vps is that it's in a data center, has tons of bandwidth, backup power, you can set up a failover scheme if you need high availability, etc. Stuff like media is on your home server so you can use it locally, and maybe it's backed up remotely just in case, but doesn't need to be live mounted. That said, I'm used to home internet being unreliable compared to VPS, so mounting it to a vps sounds flaky.

If you want more storage on your vps, just get a bigger one, I would say. Or if you want tons of remote storage, get something with better connectivity.

[-] istanbullu@lemmy.ml 4 points 8 months ago

I have a orangepi at home with a 2tb usb disk. I made it reachable via wireguard, and works very well as a samba server. No need to open any ports.

[-] haui_lemmy@lemmy.giftedmc.com 2 points 8 months ago

Very cool.

How exactly did you manage to make it available without forwarding a port? If the server is behind your routers with no way through, a vpn shouldn’t reach it either.

[-] BreakDecks@lemmy.ml 1 points 8 months ago* (last edited 8 months ago)

A VPN eliminates the need for port forwarding.

Edit: Not talking about a "privacy VPN", but an actual VPN that lives up to the name "Virtual Private Network", where you are connecting to the private network you wish to access.

[-] haui_lemmy@lemmy.giftedmc.com 1 points 8 months ago

I totally get that with a vpn that goes from a device within a closed network to a public one but my impression was that the commenter before me meant going from a public device to a device in a protected network which I found hard to believe

[-] zooi@feddit.nl 2 points 8 months ago

They said "no need to open any ports" but that is false. The wireguard port obviously has to be opened for the VPN to work.

[-] haui_lemmy@lemmy.giftedmc.com 2 points 8 months ago

Thats how I view it as well. I love to learn so I‘m not evasive of the idea that I missed something. But from the downvotes and no meaningful answers except yours I derive that there might be a misunderstanding.

[-] BreakDecks@lemmy.ml 1 points 8 months ago

going from a public device to a device in a protected network

You mean the literal function of a VPN?

[-] haui_lemmy@lemmy.giftedmc.com 2 points 8 months ago

I‘m not sure you understand how a vpn works. It usually connects to the outermost part of a network (the router in my case) and then enters through there. The vpn port is always open and thats why I asked since you said thats not the case. (Incase that comes up: there are setups where another port is used for „knocking“ and opens up the entry port. Still one port has to be open to receive anything)

Also, you have no reason to talk down to me. We might have had a misunderstanding here, idk. I‘m just asking to find out what you meant.

[-] BreakDecks@lemmy.ml 0 points 8 months ago

No shit the VPN requires an open port, I never said otherwise, but if your router is the one running the server, you aren't forwarding the port. The router itself is listening on its WAN interface.

The VPN prevents you from having to forward any ports, because the router allows you to tunnel in. The only open port will be whatever port the VPN server listens on, and it isn't a forwarded port.

Source: I literally work at a VPN company.

[-] haui_lemmy@lemmy.giftedmc.com 1 points 8 months ago

I hope you dont work in a customer facing position then. You literally have no idea how to talk to someone in a respectful manner.

So, my initial take was correct. You do need an open port and if you want your router to manage it, you have to isolate the vpn from the rest of the network.

Anyway, since this isnt going anywhere and you keep being irritating, I‘m gonna call it. Good luck with that attitude.

[-] istanbullu@lemmy.ml 0 points 8 months ago

You need to have one member in the vpn that has a public ip address.

Also my internet provider at home gives ip6 addresses that are public.

[-] N0x0n@lemmy.ml 1 points 8 months ago

Well, you still have to open wireguard's UDP port to make it reachable outside your LAN.

Just sayin' 🤷

[-] istanbullu@lemmy.ml 0 points 8 months ago

I also need to plug in the ethernet cable 🤣 I assumed this was a given.

[-] Max_P@lemmy.max-p.me 4 points 8 months ago

For the backup scenario in particular, it makes sense to pipe them through right to the destination. Like, tar -zcv somefiles | ssh $homeserver dd of=backup.tar.gz, or mysqldump | gzip -c | ssh $homeserver dd of=backup.sql.gz. Since it's basically a download from your home server's perspective it should be pretty fast, and you don't need temporary space at all on the VPS.

File caching might be a little tricky. You might be best self host some kind of object storage and put varnish/NGINX/dedicated caching proxy software in front of it on your VPS, so it can cache the responses but will ultimately forward to the home server over VPN if it doesn't have it cached.

If you use NextCloud for your photos and videos and stuff, it can use object storage instead of local filesystem, so it would work with that kind of setup.

[-] h3ndrik@feddit.de 3 points 8 months ago* (last edited 8 months ago)

You could self-host a S3-compatible storage bucket with something like MinIO or Garage.

S3 backends are available in a lot of software and it's kinda made for a similar use-case. I don't know which projects have caching available in a way that aligns with your setup. But I found these two being easy to set up.

[-] cyclohexane@lemmy.ml 2 points 8 months ago

I've been wanting to do this exact thing. I already have wireguard setup. Please update us if you do this.

[-] haui_lemmy@lemmy.giftedmc.com 1 points 8 months ago

Will try to remember to do it! Thanks for chiming in. :)

[-] sunstoned@lemmus.org 2 points 8 months ago

My solution is to use Rathole. I rent a wildly cheap (2 core, 4GB memory) VPS and basically just run Traefik there. Then I use Rathole to make some services hosted on my desktop available to Traefik.

I like this solution better than Wireguard for my application. It reduces attack surface to services you've explicitly set up, rather than a full data layer trunk between your machine and a potential malicious actor.

[-] harsh3466@lemmy.ml 2 points 8 months ago

Also been thinking about doing something like this. Would love to hear about your experience deploying it.

[-] haui_lemmy@lemmy.giftedmc.com 1 points 8 months ago

Thanks! Will try to update when implementing :)

[-] jeena@jemmy.jeena.net 2 points 8 months ago

I haven't done it yet but I plan on doing it. But I never bothered with a VPN and just expose a ssh port. So I plan just to mount a directory with sshfs.

[-] possiblylinux127@lemmy.zip 1 points 8 months ago

I run everything local and have nginx proxy manager on the VPS

[-] haui_lemmy@lemmy.giftedmc.com 2 points 8 months ago

I use proxy manager as well. Twice actually. :)

You can look at my setup on Github

[-] possiblylinux127@lemmy.zip 2 points 8 months ago
[-] Decronym@lemmy.decronym.xyz 1 points 8 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

5 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

[Thread #701 for this sub, first seen 22nd Apr 2024, 11:05] [FAQ] [Full list] [Contact] [Source code]

this post was submitted on 21 Apr 2024
32 points (92.1% liked)

Selfhosted

40734 readers
762 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS