My current setup is that I have a home server running a number of services that are only accessible to myself on my local network (Jellyfin, Home Assistant, etc.) and a DigitalOcean droplet I rent that runs a number of public facing items (personal websites). I’ve been looking into running my own Matrix server for myself and some friends, but while it will be public facing, I would prefer to run it on my own hardware for cost and storage reasons.

I have gotten it up and running the “old fashioned way”, by pointing my domain at my home network, setting up port forwarding and a reverse proxy. Is this the recommended solution? I have heard vague references made to somehow using a VPS service to forward specific traffic to a home server via WireGuard. I’m not sure how this is done, or really what the benefits are, so I was curious if anyone had any advice.

  • @AES@lemmy.ronsmans.eu
    link
    fedilink
    English
    1011 months ago

    I started to do it the VPS - Wireguard - Home way recently. The advantage is that you do not need to expose an inbound port at home.

    • @InverseParallax@lemmy.world
      link
      fedilink
      English
      1
      edit-2
      11 months ago

      Agreed, though recommend nginx as proxy, have it do ssl, can set it up with letsencrypt, but mostly you can run multiple services off multiple internal hosts as subdirectories (assuming they cooperate).

      Works great for me.

  • @PixelAgent007@feddit.de
    link
    fedilink
    English
    611 months ago

    One of the main reasons to do this is if you are behind CGNAT and cannot port-forward. However, giving out your home IP isn’t ideal regardless. If you decide to not use a VPS as a reverse proxy, then you might want to look into using cloudflares proxy, which hides your IP and also serves your content more efficiently. However, I’m not quite familiar on how matrix works so this might not be possible if you need ports other than 80 and 443 as all other ports are not forwarded by the cloudflare proxy.

  • HousePanther
    link
    fedilink
    English
    511 months ago

    I do the very thing that you are seeking to do. I have a free Oracle Cloud VM running nginx as a reverse proxy. Between the reverse proxy and my home server is a WireGuard tunnel. There are some benefits in that ports do not need to be opened on your home network’s firewall so you don’t have to do any port forwarding. If you want to go this route, the advice I have for you is to get a free Oracle cloud VPS, install NGINX Proxy Manager on it, and configure a WireGuard tunnel between it and the actual server that the service you want to provide resides on. NGINX Proxy Manager is actually not hard to get going and there are plenty of YouTube videos on it. In fact, for people new to self-hosting I really recommend NGINX Proxy Manager as I started out that way. NGINX Proxy Manager has a well designed GUI. In fact it is so well designed that most of the options are self-explanatory.

    As I learned nginx and became better with it, I decided to decommission NPM in favor of a pure nginx environment because I am actually faster on the command line than a GUI. The hardest part for me was getting the WireGuard tunnel built between my home server and my cloud VM. That more pointed out to the fact that I didn’t have a good grasp of how firewalld works and firewalld is used in Alma Linux which is on my cloud VM. That was the real challenge.

    • @zaplachi@lemmy.ca
      link
      fedilink
      English
      211 months ago

      Just wanted to add this link explaining how to use tunnels in a more privacy respecting way

      https://help.nextcloud.com/t/is-cloudflare-tunnel-safe-privacy-focused/150268/2

      Problems with TLS (free option of routing on cloudlfare tunnels)

      interception (or HTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a “transparent proxy”: the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.

    • qaz
      link
      fedilink
      English
      211 months ago

      I’ve used this and it’s really easy