Hi all,

I’m looking at exposing some self-hosted web-based services externally so that some relatives can access them and would appreciate some advice.

Vikunja is the starting point (mostly to facilitate my spouse and me using it when away from home) but in future I want to set up Immich or similar to replace Google Photos, and that in particular will need to be shared with friends and family (especially so that immediate family can have camera uploads on automatically).

I understand that ideally I’d use SSH, a VPN, or tailscale or similar (although I don’t have experience with tailscale), but that’s not going to be feasible. Most of the family will not be able to set up those connections themselves (which means I would need to) and several are far enough away that it is impractical for me to provide on-site support or do it myself. Even if I could get a VPN or similar deployed on all their devices, I suspect that they’re going to struggle with needing to connect to it just to upload or view photos, then disconnect afterwards to resume using the Internet – I really need this to “just work” for them.

So this brings me back to safely exposing these services to the outside world. My network architecture complicates this a little, so for context:

  • Modem/router has basic firewall and points to a Raspberry Pi for DHCP. I already have No-IP set up with a domain name so that I can SSH into my LAN when away from home.
  • RPi runs Pi-hole + dnscrypt, acting as DHCP and DNS server for the network.
  • I want to use nginx as a reverse proxy running on this RPi, as I have experience with it and it can add SSL using certbot. The router would be configured to use port forwarding to direct external traffic for ports 80 and 443 to the RPi.
  • Vikunja is hosted on a separate Raspberry Pi (with other things like Shiori)
  • I have not yet determined where Immich or similar is going to go. I have an existing home server that I use for backups and important family stuff, but I really don’t want this to be vulnerable to the outside world. If I were to install Immich here, I’d need it to be well-isolated from the rest of the system. The other option is to get a NUC or similar, which is what I am leaning towards as the less stressful option.

So my main questions are:

  1. Beyond fail2ban and my router’s firewall, what else can I do to protect my network once I open ports 80 and 443?

  2. How do I handle fail2ban configuration when the services are on different devices to the nginx proxy? I understand the best place to put fail2ban would be on the Pi running nginx (since it’s the access point to the outside world), but that it also needs to read the logs from Vikunja, etc. to be effective.

  3. Where would you put Immich in my network architecture?

Any other tips/recommendations for making this easy to use for my less tech-inclined friends and family would be much appreciated as well. Thanks.
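An added example (not code from the thread, nor from Vikunja, nginx or fail2ban themselves) of the point behind question 2: because every login request to a backend on another host still crosses the nginx Pi, the proxy's own access log already carries the client IP and the failure, so the ban decision can be made there without shipping logs from the backend. It assumes nginx's "combined" log format and that a failed Vikunja login appears as a POST to /api/v1/login answered with a 4xx status; the log lines are constructed.

```python
"""Proxy-side brute-force detection over nginx access-log lines.
Added example; assumptions (not from the thread): nginx "combined" log
format, and a failed Vikunja login is a POST to /api/v1/login with 4xx.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of the nginx "combined" format we need: IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/api/v1/login"  # assumed Vikunja login endpoint

def parse_failed_logins(lines):
    """Yield (ip, timestamp) for each failed login attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, never crash the jail
        if m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        if not 400 <= int(m["status"]) < 500:
            continue  # only a client-error status counts as a failure
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def ips_to_ban(lines, maxretry=5, findtime_s=600):
    """IPs with >= maxretry failures inside a findtime_s-second sliding
    window: the same rule a fail2ban jail applies. Lines are expected in
    log order (chronological per IP)."""
    recent = defaultdict(deque)
    banned = set()
    for ip, ts in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample log (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Jun/2025:12:00:00 +0000] "POST /api/v1/login HTTP/1.1" 200 512 "-" "app"',
    '203.0.113.5 - - [10/Jun/2025:12:00:30 +0000] "GET /login HTTP/1.1" 404 150 "-" "curl"',
] + [  # six failures in six minutes: banned
    f'198.51.100.7 - - [10/Jun/2025:12:0{i}:00 +0000] "POST /api/v1/login HTTP/1.1" 412 87 "-" "x"'
    for i in range(6)
] + [  # five failures spaced 12 minutes apart: never five inside 10 minutes
    f'203.0.113.5 - - [10/Jun/2025:12:{12 * i:02d}:00 +0000] "POST /api/v1/login HTTP/1.1" 412 87 "-" "app"'
    for i in range(5)
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # {'198.51.100.7'}
```

A real fail2ban jail would express the same match as a failregex over the nginx access log on the proxy Pi; the script only makes the per-IP windowing visible and shows why the backend's own logs are not required for this case.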

  • trilobite@lemmy.ml · ↑1 · 2 days ago

    This is an interesting thread. Seems to make remote access easy. But are you not putting the trust on those that run that pangolin infrastructure? I suspect the answer is to go VPS if you don't trust? Also, are there workable step by step guides to help you set this all up? I find YT guides a bit frustrating. Prefer reading :-)

  • benoegen@discuss.tchncs.de · ↑2 · 7 days ago

    I have several services exposed and I am using cloudflare since I have starlink and traefik as reverse proxy paired with crowdsec via a plugin. Works nice. I have not tried exposing immich yet though, that can only be reached via VPN.

  • Decronym@lemmy.decronym.xyz (bot) · ↑1 · edited · 6 days ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    CGNAT           Carrier-Grade NAT
    DNS             Domain Name Service/System
    ISP             Internet Service Provider
    LXC             Linux Containers
    NAT             Network Address Translation
    SSH             Secure Shell for remote terminal access
    SSO             Single Sign-On
    VPN             Virtual Private Network
    VPS             Virtual Private Server (opposed to shared hosting)
    nginx           Popular HTTP server

    9 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

    [Thread #17 for this comm, first seen 18th Jun 2026, 11:00]

  • ClownStatue@piefed.social · ↑0 · 12 days ago

    I used swag, dockerproxy, and cloudflare in the past. That allowed me to run things without exposing ports on my home router.

    I recently moved to Pangolin cloud. Still not exposing any ports on my home server. Also repositioned my VPS to use pangolin as well. Haven’t hashed out the details, but the idea will be to allow port 443 on public IP, and anything else over tailnet.

    Moral of the story: look very hard for ways to do what you want to do without having to expose ports on your router. Unless you want your hobby to become your second job. I enjoy self hosting. I don’t enjoy being paranoid about some script kiddie pummeling my setup with some AI-generated attacks while I’m asleep.

    • Australis13@fedia.io (OP) · ↑0 · 11 days ago

      Yeah, I don’t like the thought of worrying about vulnerabilities either, hence my asking this question!

      I haven’t heard of Pangolin cloud before – I’m assuming this is a competitor to tailscale. Are you self-hosting it or using one of their paid plans, and if you’re self-hosting, how hard was it to set up?

      • ClownStatue@piefed.social · ↑0 · 11 days ago

        Pangolin handles proxying (it runs traefik under the hood) and cloudflare-like protection (crowdsec). I did self-host it, but the free tier does what I need.

        It does set up a wireguard tunnel between itself and the Newt resources you set up. That’s hard for proxy traffic. I have Tailscale set up for any other traffic between my resources.

        I asked a similar question as you a few months ago (I think in this community), and one of the responses kind of put the fear in me. I went forward anyway, and never really did anything with my VPS. I’m still setting this new arrangement up, but so far really happy with it.

        • Australis13@fedia.io (OP) · ↑0 · 11 days ago

          Thanks. I think I’ll need to do a bit more reading - I have no experience with any of the wireguard technologies (my VPN experience is with OpenVPN and enterprise-grade networking hardware that uses IPsec tunnels), but Pangolin’s abilities do sound useful.

          I guess I need to work out if something like tailscale (as per one of the other comments) set up on just the small group I want to share with will do the job, or whether I really need to expose services to the Internet and hence would benefit from a VPS with something like Pangolin.

          • ClownStatue@piefed.social · ↑0 · 10 days ago

            If you’re not going the VPS route it’s even easier. Pangolin handles the wireguard tunnel for you with a docker container running newt. Very straightforward.

            My goals have been:

            1. Avoid opening ports on my home network.
            2. Don’t require people using my services to join my Tailnet (or some other VPN).
            3. Require 2FA/passkeys (via Authentik for the moment) on anything that’s publicly accessible.

            There’s plenty of YT stuff out there for Pangolin, but I haven’t seen a lot for their cloud service. Personally, I prefer it to self-hosting it. Similar to tailscale, the free tier meets my needs, and their security team is (hopefully) more competent and better staffed than… me.

            Of course, you get what you pay for, but I see this as a similar position as Tailscale & Cloudflare. With my free account, I’m piggy-backing off the security infrastructure of their enterprise offerings. Obviously I don’t get all the fine-grained controls of those tiers, but like the other two companies, they have a reputation to uphold, and from that perspective a breach is a breach. Even if it only affects free tier users, it makes them look bad.

            • Australis13@fedia.io (OP) · ↑1 · 10 days ago

              That sounds like it may be a good fit for my use case, then. Thanks again and I’ll definitely look into it!

    • SomeLemmyUser@discuss.tchncs.de · ↑0 · 12 days ago

      I was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.

      Just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed; it would allow containers and VMs to infect the host system. Xz utils could also lead to a broken host client separation, as proxmox uses ssh for clustering and the like.

      So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.

      That said, I am by no means an expert so feel free to correct me if I got something wrong.

      • hirihit640@sh.itjust.works · ↑1 · edited · 12 days ago

        copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.

        Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.

        Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a separate physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.

        Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of if not the most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the XZ utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since heartbleed.

        Edit2: a word

        • SomeLemmyUser@discuss.tchncs.de · ↑1 · 7 days ago

          Thanks for evaluating! The exploit was explained to me that an unprivileged user/program could use it to get root access on the whole system, which in my mind included the hypervisor. Further reading seems to prove you right: while containers were broken, VMs were not.

          My point still remains, although weaker: If you know exactly what you are doing you can get a system quite secure; if you are a hobby server owner like me, it’s not that easy. I would not have known that the use of VMs instead of containers has sooo major security implications, that something so fundamental as ssh could be exploited on such large scales, and that clustering would have been needed to avoid being unsafe.

          Sure, no one would use a zero day on me targeted; the thing is: I am not working in the field, and from publishing of the exploit till I learned about it and had the time to patch, there were a few weeks. If in those few weeks someone deploys a tool going for mass and not for single targets, I would probably be infected and added to some botnet, cryptominer or whatever.

          If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to worry about. Sure, someone could still find an openbsd/opnsense exploit and get me, but my point is: complex systems break in complex ways; the more complex systems you use, the more attack surface you have, need to know and understand to control and mitigate it.

          Not that it’s impossible, but for a hobbyist who tries to self teach with man pages, tutorials and forums, you can get pwnd in unexpected ways (like because you used a container for dodgy Chinese smart home devices and expected that your production environment would be safe even if one of them was malicious, but in fact you were not, because that would have needed to be a VM). AND: before copy fail was published, users would have probably also told you that containers are safe.

          • hirihit640@sh.itjust.works · ↑3 · 6 days ago

            If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to worry about.

            Sure, someone could still find an openbsd/opnsense exploit and get me, but my point is: complex systems break in complex ways; the more complex systems you use, the more attack surface you have, need to know and understand to control and mitigate it.

            The way I would frame it is: using complex systems that you are unfamiliar with is risky. In your case, you are familiar with OPNsense and firewalls. So that may be the more secure option for you. But for somebody who isn’t familiar with firewalls, there are a lot of ways to mess up. For example, IP and mac spoofing is very easy. OPNsense and firewalls often don’t have very good defense against IP spoofing, especially if the malware is already inside your LAN (for example, a malicious app running on a smartphone).

            Using proxmox and other virtualization platforms has one big advantage: you can experiment and play around and learn, without much risk. With a physical server, if you mess up and get infected, you may have to throw away the whole server. You can’t just re-install the OS, because the malware could have installed a rootkit or infected the bios or other firmware. But with a VM, if the VM gets infected you can just delete the VM and create a new one. One of the main goals of a hypervisor is to sandbox the VM, so that malware is contained.

        • pmk@piefed.ca · ↑1 · 12 days ago

          Almost 20 years ago, Theo de Raadt (founder of OpenBSD) said: “you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” I would like to think that we’ve figured out the security holes since then, but… you know…

          • hirihit640@sh.itjust.works · ↑0 · 12 days ago

            Nobody believes virtualization is perfect, it’s just the best we got because:

            • smaller attack surface
            • security is the priority over adding new features (the opposite of most other development cycles)
            • in practice we have seen how secure it is relative to other systems like the kernel

            And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.

            I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about anybody using them.

            • SomeLemmyUser@discuss.tchncs.de · ↑1 · 7 days ago

              Why is a hypervisor the best we got? Why would it be better than a dedicated bare metal server? Why would the attack surface of a hypervisor be smaller than the attack surface without one?

              Honest question

              • hirihit640@sh.itjust.works · ↑3 · edited · 6 days ago

                “best” is of course subjective. Bare metal could be better, but imo the marginally smaller attack surface isn’t worth it. If the Qubes project trusts that a hypervisor is secure enough, then I trust it as well.

                I run 10+ VMs all the time, no way am I going to buy 10 bare metal servers. The ability to create new secure environments on-demand is unbeatable.

                And bare metal does have security disadvantages too. It has a physical attack surface that a VM does not. For example, defending against usb attacks. Of course for a VM, the hypervisor/host can be attacked physically, but you only need to worry about securing that one. Securing 10 physical servers is a lot more work than securing just one, so you’re more likely to get lazy, slip up, etc.

                • SomeLemmyUser@discuss.tchncs.de · ↑1 · 6 days ago

                  Well, I never argued against the clearly powerful capabilities, those are obviously huge; my point was that as a hobbyist you should consider having the important stuff (finances, official documents, biometrics) in cold storage or on a separate machine, as well as stuff like security cameras or doorlocks if you do stuff like this, out of it until you fully understand the risks, which are not that easy to grasp for people without experience.

                  Ofc proxmox and qubes are incredibly useful tools of technology, but their high versatility and customizability gives you a lot of tools you need to understand and use properly on top of what you are already doing. (More so with proxmox than with qubes; qubes is a little less industry focused IMHO.)

  • dil@piefed.zip · ↑0 · 11 days ago

    Make a new gmail or something everyone can access and then have them login through tailscale; it’s automatic after doing it once, then they copy your device’s ip, go http:ip:port every time and if your app is exposed over local networks it should work. Just safer than actually exposing over the web. Downside is shared gmail account ofc.

  • Phoenixz@lemmy.ca · ↑0 ↓1 · 11 days ago

    Make sure everything is behind a VPN, like tailscale. Then you set up your router to only forward the tailscale ports, and that will be the only possible attack vector.

    As long as tailscale is safe, you should be safe