What's the best way to remotely access my home server?
VPN, proxy, reverse proxy, etc.? What do the last two terms mean? Which is more secure? Which is more convenient and easier to use? And how do I set one up?
Please don't feel obligated to answer all questions. They're just pointers to get the best help possible.
22 Replies
VPN is the most secure. Tailscale is the one I use and it's easy to set up and use.
@codercoffeecake It'd be worth looking up what all three are so you can make a good choice. In this situation a regular proxy is probably not what you want. A reverse proxy basically takes web requests from the wider Internet and proxies (relays) them to another server inside your network.
@codercoffeecake I have a reverse proxy running on my router (firewall) that passes requests from the Internet on to my immich server.
Not sure VPN is really the most secure. If you set it up right everything gets encrypted either way. VPN can be clunkier to use.
VPN is the most secure because everything is encrypted end-to-end, and you rely on asymmetric cryptography for authentication underneath (although with solutions like Tailscale you really delegate authentication to third parties like GitHub, but that's nitpicking). With a reverse proxy, if your setup is basic, you're relying on the application you're exposing being secure. For example, in this case you would be relying on the robustness of Immich's authentication system. I love Immich but I don't think it's secure enough, and it's not built to be exposed to the internet anyway. More advanced solutions exist, like Authelia + reverse proxy or Cloudflare tunnels, but a VPN would still be the more secure solution.
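To make the distinction in the reply above concrete, here is an added example (not posted by anyone in this thread, and not Immich's or Authelia's own documentation): two alternative nginx server blocks for the same hostname. The first is the "basic" reverse proxy, where nginx relays every request straight to Immich and Immich's login page is the only thing between the Internet and your photos. The second puts Authelia in front using nginx's `auth_request` directive, so an unauthenticated visitor is bounced to the Authelia portal before a single byte reaches Immich. Assumed, and not from the thread: Immich on 127.0.0.1:2283, Authelia on 127.0.0.1:9091, the hostnames photos.example.com and auth.example.com, certificate paths under /etc/ssl, and Authelia's 4.x `/api/verify` endpoint (check the path against the version you install). Use one block or the other, not both.

```nginx
# --- Option A: basic reverse proxy. Every request goes straight to Immich. ---
server {
    listen 443 ssl;
    server_name photos.example.com;               # assumed hostname
    ssl_certificate     /etc/ssl/photos.crt;      # assumed cert paths
    ssl_certificate_key /etc/ssl/photos.key;

    location / {
        proxy_pass http://127.0.0.1:2283;         # assumed Immich address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# --- Option B: gated reverse proxy. nginx asks Authelia before relaying. ---
server {
    listen 443 ssl;
    server_name photos.example.com;
    ssl_certificate     /etc/ssl/photos.crt;
    ssl_certificate_key /etc/ssl/photos.key;

    # Internal-only subrequest to Authelia. Clients cannot call this location
    # directly; nginx invokes it for every request via auth_request below.
    location = /authelia {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;    # assumed Authelia address
        proxy_pass_request_body off;                    # Authelia only needs headers
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL     $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        # 200 from Authelia: continue to proxy_pass. 401: fall through to error_page,
        # which redirects to the login portal with a return-to (rd) parameter.
        auth_request /authelia;
        auth_request_set $user $upstream_http_remote_user;
        error_page 401 =302 https://auth.example.com/?rd=$scheme://$http_host$request_uri;

        proxy_pass http://127.0.0.1:2283;
        proxy_set_header Host              $host;
        proxy_set_header Remote-User       $user;   # identity asserted by Authelia, not by the client
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two practical notes on option B. First, never let the client supply `Remote-User` itself; here it is overwritten from Authelia's response on every request, which is what makes the header trustworthy to the backend. Second, the Immich mobile app authenticates to `/api` with its own token and does not carry the Authelia session cookie, so a blanket gate like this will break it; the usual workaround is to exempt `/api` from `auth_request`, which puts Immich's own authentication back on the Internet for exactly those paths. That trade-off is the point the reply above is making, and it is why a VPN avoids the question entirely.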
Maybe I don't have enough experience with Cloudflare tunnels, but I don't think it adds any layer of security other than DDoS protection, right?
I asked myself the same
Tunnels can do a bunch of things. It will use a secure connection to the edge for non-https services. They also have the same general features as the rest of cloudflare like firewall, zero trust, etc
It may be possible to suggest that as Cloudflare will route traffic over the backbone, performance could be better than a peer-to-peer solution like wireguard. This very much depends on location and peering
A proxy server is not going to be beneficial in this scenario, as it's just a way of routing your internet connection through another server. Others would be able to access the server without the proxy if desired.
+1 on a VPN solution. One added advantage of Tailscale over hosting your own VPN solution (WireGuard) is that you don't even have to open up a port. This means there are no open ports into your home.
I plan to use Unifi Teleport when away from home which opens a secure connection to my server.
You'll be completely relying on a third party though, correct?
Yes
There is an open-source version of their control server called headscale that you can self-host if you want. Some folks do it, but imo it's not worth the trouble.
https://github.com/juanfont/headscale
Isn't tunnel the same as VPN?
And looking at the discussions, I believe tailscale is the best solution 👍
More or less. But traditional solutions require you to open a port. CF/Tailscale doesn't.
It can also do double NAT and inter-NAT routing which is pretty cool
Tailscale looks like the best option then. I'll go with that
do you find public networks to be an issue?
especially ones that only allow ports 80/443 and block udp?
One specific problem I have with tailscale is it prevents me from using a dns adblocker (Rethink dns).
Tailscale does have the option to use NextDNS, but I noticed quite a few public networks (especially ones that rely on OpenDNS) have dns.nextdns.io blocked both at the DNS level and the SNI level (connection resets).
I think you can specify your own DNS with Tailscale as well
True, I'm not sure how it will act depending on DNS. For example, if you use Cloudflare or Google, the local Tailscale DNS (on device) will make a DoH request (from the device) to Google/Cloudflare/NextDNS. I'm not sure how specifying your own DNS would behave.
Not at all, Tailscale has some special NAT traversal magic sauce that makes it work out of the box almost all the time.
https://tailscale.com/kb/1082/firewall-ports/
For DNS you can set up split DNS to use your own server; here is a video explaining how you can do it:
https://youtu.be/Uzcs97XcxiE?si=rUFkvUA9XGzhqlnl