Hi all,
I’m looking at exposing some self-hosted web-based services externally so that some relatives can access them and would appreciate some advice.
Vikunja is the starting point (mostly to facilitate my spouse and I using it when away from home) but in future I want to set up Immich or similar to replace Google Photos, and that in particular will need to be shared with friends and family (especially so that immediate family can have camera uploads on automatically).
I understand that ideally I’d use SSH, a VPN, or tailscale or similar (although I don’t have experience with tailscale), but that’s not going to be feasible. Most of the family will not be able to set up those connections themselves (which means I would need to) and several are far enough away that it is impractical for me to provide on-site support or do it myself. Even if I could get a VPN or similar deployed on all their devices, I suspect that they’re going to struggle with needing to connect to it just to upload or view photos, then disconnect afterwards to resume using the Internet – I really need this to “just work” for them.
So this brings me back to safely exposing these services to the outside world. My network architecture complicates this a little, so for context:
- Modem/router has basic firewall and points to a Raspberry Pi for DHCP. I already have No-IP set up with a domain name so that I can SSH into my LAN when away from home.
- RPi runs Pi-hole + dnscrypt, acting as DHCP and DNS server for the network.
- I want to use nginx as a reverse proxy running on this RPi, as I have experience with it and it can add SSL using certbot. The router would be configured to use port forwarding to direct external traffic for ports 80 and 443 to the RPi.
- Vikunja is hosted on a separate Raspberry Pi (with other things like Shiori)
- I have not yet determined where Immich or similar is going to go. I have existing home server that I use for backups and important family stuff, but I really don’t want this to be vulnerable to the outside world. If I were to install Immich here, I’d need it to be well-isolated from the rest of the system. The other option is to get a NUC or similar, which is what I am leaning towards as the less stressful option.
So my main questions are:
-
Beyond fail2ban and my router’s firewall, what else can I do to protect my network once I open ports 80 and 443?
-
How do I handle fail2ban configuration when the services are on different devices to the nginx proxy? I understand the best place to put fail2ban would be on the Pi running nginx (since it’s the access point to the outside world), but that it also needs to read the logs from Vikunja, etc. to be effective.
-
Where would you put Immich in my network architecture?
Any other tips/recommendations for making this easy to use for my less tech-inclined friends and family would be much appreciated as well. Thanks.
Posted in a similar thread
My baseline is a public VPS with Pangolin/Crowdsec installed. I have authentik as a login system. Pangolin let’s me put authentik in front of any service so they have to log into it before it gets to the service in question whatsoever. This is different than the app itself just using Authentik as the OIDC provider. Helps give a bit of peace of mind with the services which themselves might not be security focused. Also, these pangolin routes are able to block anything outside my country by rules, so that trims a good portion of attacks as well.
Some things don’t like that authentik layer in front though. Audiobookshelf’s phone app for example cant handle it. For that, I route those domains through cloudflare tunnels. Their tunnels do a good job blocking lots of attacks, so not having authentik in front is more acceptable.
But then there’s jellyfin that doesnt want to be on cloudflare tunnels and doesnt want authentik in front. For that, I just have it on my pangolin side with only crowdsec helping. Not ideal, but best I can do without making my grandma install a VPN on a raspberry pi in so her TV can connect or some shit.
And lastly, I have some private services like forgejo that don’t like authentik in front and only I myself care about. I tailscale to those rather than exposing sometimes.
Going to throw myhat in the ring. I used to use Cloudflare tunnels which are super easy to use and work well. Issue: it’s cloudflare and cloudfalre bad, and works best if you also have your domain registered there.
Anyways, I now use https://docs.pangolin.net/ which does a very similar job. It works great and IMO is easier to admin than tunnels, especially with auth and such.
I run pangolin on a racknerd cheapo server and traffic in forwarded to the box in my cupboard. Pangolin have some refetal links to hosting that give you some discounts.
Make a new gmail or something everyone can access and then have them login through tailscale, its automati after doing it once, then they copy your devices ip, go http:ip:port eveytime and if your app is exposed over local networks it should work. Just safer than actually exposing over the web. Downside is shared gmail account ofc.
Make sure everything is behind a VPN, like tailscale. Then you setup your router to only forward the tailscale ports, and that will be the only possible attack vector
As long as tailscale is safe, you should be safe
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System ISP Internet Service Provider LXC Linux Containers NAT Network Address Translation SSH Secure Shell for remote terminal access VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
[Thread #17 for this comm, first seen 18th Jun 2026, 11:00] [FAQ] [Full list] [Contact] [Source code]
I used swag, dockerproxy, and cloudflare in the past. That allowed me to run things without exposing ports on my home router.
I recently moved to Pangolin cloud. Still not exposing any ports on my home server. Also repositioned my VPS to use pangolin as well. Haven’t hashed out the details, but the idea will be to allow port 443 on public IP, and anything else over tailnet.
Moral of the story: look very hard for ways to do what you want to do without having to expose ports on your router. Unless you want your hobby to become your second job. I enjoy self hosting. I don’t enjoy being paranoid about some script kiddie pummeling my setup with some AI-generated attacks while I’m asleep.
Yeah, I don’t like the thought of worrying about vulnerabilities either, hence my asking this question!
I haven’t heard of Pangolin cloud before – I’m assuming this is a competitor to tailscale. Are you self-hosting it or using one of their paid plans, and if you’re self-hosting, how hard was it to set up?
Pangolin handles proxying (it runs traefik under the hood) and cloudflare-like protection (crowdsec). I did self-host it, but the free tier does what I need.
It does set up a wireguard tunnel between itself and the Newt resources you set up. That’s hard for proxy traffic. I have Tailscale set up for any other traffic between my resources.
I asked a similar question as you a few months ago (I think in this community), and one of the responses kind of put the fear in me. I went forward anyway, and never really did anything with my VPS. I’m still setting this new arrangement up, but so far really happy with it.
Thanks. I think I’ll need to do a bit more reading - I have no experience with any of the wireguard technologies (my VPN experience is with OpenVPN and enterprise-grade networking hardware that uses IPsec tunnels), but Pangolin’s abilities do sound useful.
I guess I need to work out if something like tailscale (as per one of the other comments) set up on just the small group I want to share with will do the job, or whether I really need to expose services to the Internet and hence would benefit from a VPS with something like Pangolin.
i have a VPS offsite to act as a gateway. it’s just a small piece of a machine somewhere in my region that routes requests to my home network via Tailscale. this has a few benefits:
- i don’t have to worry about my ISP changing my IP. my VPS has more stable IPs.
- i don’t have to expose ports directly to the internet. Tailscale authenticates the connection. plus i have Caddy routing the whole system. i use subdomains like
foundry.chrash.net,jellyfin.chrash.net, etc. - another benefit of Tailscale to point out is that you don’t need local IPs to be static either; Tailscale will allow you to access your machines by hostname or another static IP. this helps to decouple your local topology from your service network.
Thanks. So, just to make sure I’ve understood correctly, your recommendation would be a VPS that hosts nginx (or Caddy) as the reverse proxy and uses tailscale (or equivalent) to access my home LAN and make services (e.g. Vikunja) available?
the key is just an offsite machine with a stable IP plus a VPN. that way you can route all public traffic to that stable IP and send it where it needs to go regardless of its physical destination.
There are even solutions that automate a lot of the configuration for such a setup. I’m using Pangolin for example:https://github.com/fosrl/pangolin
But you could set up something like this manually if you want more flexibility (pangolin is based on traefic rather than Nginx)
This is how my network is set up just as an example. Not to imply that this is the gold standard by any stretch of the imagination. It has served me well over the years, so I figured I’d drop it here and maybe you could get a few ideas.
- I would recommend a VPS for publicly facing services, you simply don’t want to open your home network, one mistake is enough, old router software, one small misunderstanding or a bit of bad luck. If someone gets into your VPS, few services will be hurt, if someone gets into your home network its game over.
- There is nice little app called immich proxy, I didn’t yet try it myslef (but I plan to), but basically if you want to just share some albums or photos, you can make the proxy accessible publicly but your Immich stays safe.
Thanks, didn’t know about Immich proxy. Sounds useful.
On the VPS point - beyond protection against DoS, I assume the main benefits only arise if you host the services on it? My understanding is that, if I open a port and forward it to nginx, then the largest attack surface would be nginx itself and the services it is acting as a reverse proxy for (e.g. Vikunja). nginx is well-established and I think most of the risk is from the plugins rather than nginx vulnerabilities itself, which leaves Vikunja and any other services I’d want to expose as the main attack surface. If I’m using a VPS as a gateway (e.g. hosting nginx there and still keeping Vikunja and Immich within my LAN), then that doesn’t seem like it’s much of a risk reduction. What am I missing?
Yes, the best option is to deploy your services on it. That Nginx is well established doesn’t mean its secure. A) popular software is preferred target for hackers and B) Nothing is safe, especially now, when LLMs are getting good at finding holes in software.
Since you’re just sharing things within a small group, I think it’s safe to give out your IP or a domain pointing to it. However, you need to put your services behind a DMZ. Make a separate VLAN on your network and put the Pis behind it. Make sure traffic from your private LAN can enter the DMZ but nothing from the DMZ can go to your LAN unless it’s return traffic for a session started in your LAN. If a machine in your DMZ is compromised, it shouldn’t affect your LAN.
Thanks. I had forgotten about setting up a DMZ and appreciate the reminder!
I’d suggest you to investigate either Tailscale or similar solutions. I’m using Tailscale, and it’s really easy to set up. It can automatically connect to the VPN when you access their resource, and the internet works as well. So technically, they can be connected all the time. That’s much safer than the alternative of just opening a port, and dealing with things like CGNAT.
The alternatives to Tailscale I know about are Headscale (which you need self-hosting), Netbird, WireGuard. At least, but there are more.
And search for tunnels as well. You could utilise Cloudflare Tunnel, but I wouldn’t go that way.
I’d suggest testing waters with Tailscale as it’s the easiest, and tweak from there. They have a YouTube channel which helps at starting, I found it just recently. (I use them for a year or two now.)
Thanks. My main concern is needing to have the tailscale client set up on my relatives’ devices, so it’d need to be easy to do and the configuration straightforward.
If I wanted to route just traffic to Vikunja and Immich through it, so all their other apps (if on a phone) or web browsing (on a PC) didn’t go through tailscale, is that straightforward to do and is it something that has to be done in the client-side configuration?
If you don’t setup or activate exit node, no traffic is routed through any of your nodes. All you have is the access to the nodes. Which is what you need. I tested exit nodes only recently, they’re very easy to setup as well, but I found no practical need for my use case.
I think installing and logging in should be trivial remotely. Like hey mum, install this app, and log in (trivial with Google or Apple accounts). The rest is on you. Just test the waters yourself first, you’ll get the idea, it’s pretty straightforward. Even if it’s not what you’re looking for, you’d have more information and skills to move to the next thing.
Thanks, sounds like a potential option. I’ll add to the list of things to look into and test out.
I also use Tailscale.
It’s fair to say that I don’t really know what I’m doing, so am picking my way through the world of self-hosting one lesson at a time, but even with that in mind, I’ve found Tailscale an absolute breeze to set up, even if I still don’t fully understand how it all works, and what it can all do.
In short, I have my server at home as part of my tailnet. I’ve also installed it on my Hetzner VPS, which is running YunoHost. Within YunoHost I’ve set up a bunch of redirects which take the Tailscale ips of my various services and turn them into URLs.
So in essence, my Navidrome server goes from being http://100.111.11.1:4533/ to navidrome.mysite.co.ck.
I’ve got Navidrome, Immich, Home Assistant, Invidious, and Jellyfin running like that, and as far as I can tell I’ve not had any security issues at all.
+1 for tailscale. Its very easy to setup and very secure.
I recommend proxmox. One VM for sensitive private data and backups, one VM for stuff exposed to the internet
I was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.
just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed, it would allow containers and VMS to infect the host system. Xz utils could also lead to a broken host client separation, as proxmox uses ssh for clustering and the like.
So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.
That said, I am by no means an expert so feel free to correct me if I got something wrong.
copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.
Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.
Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a separate physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.
Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of if not the most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the XZ utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since heartbleed.
Edit2: a word
Good post. And i would like to add for anyone to be able to use hypervisor escape, you also need a vulnerability in the software presented to the internet. And even then, the chance that anyone would waste a zero day on a homelab is pretty slim…
Almost 20 years ago, Theo de Raadt (founder of OpenBSD) said: “you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” I would like to think that we’ve figured out the security holes since then, but… you know…
Nobody believes virtualization is perfect, it’s just the best we got because:
- smaller attack surface
- security is the priority over adding new features (the opposite of most other development cycles)
- in practice we have seen how secure it is relative to other systems like the kernel
And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.
I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about amybody using them
Thanks for the recommendation. I have no experience with Proxmox, so this might be part of a longer-term project once I’ve got the Vikunja access working (at least that’s on a separate Pi and so would be similar to a distinct VM in that regard).
I have a raspberry pie with Home assistant on it and I run Nginx Proxy Manager on it. It does the whole HTTPS thing and exposes specific services from my internal network for easy access for me and my family.
You’re going to be sending a url to your family to put into vikunja. That url could contain a port. You’ll dodge a LOT of hassle if you don’t use 80, 443, or any other well known port.
Good call. I’ll have to play around with certbot using DNS validation (only ever tried with HTTP validation), but certainly worth including in my plan. Thanks.
deleted by creator
