this post was submitted on 05 Jul 2026
66 points (100.0% liked)

Selfhosted

60542 readers
1061 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the link in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post. )

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I have a VPS that I secure as much as possible since the IP is public, but does a wireguard-access-only homelab warrant the same efforts? Those with homelabs like this, what do you do?

top 33 comments
sorted by: hot top controversial new old
[–] originalucifer@moist.catsweat.com 71 points 5 days ago (1 children)

i duct-tape a 22 to the side of the server with the trigger trip-wired to the wan port.

your move, iptables

[–] GalacticSushi@piefed.blahaj.zone 35 points 5 days ago (1 children)

No salt circle to prevent hostile spirits from possessing it? No anti-seabear circle? Talk about amateur hour.

[–] dethedrus@lemmy.dbzer0.com 3 points 4 days ago

And while YOU were worrying about the seabear, you foolishly forgot your anti sea rhinoceros undergarments?!?!

[–] CoreLabJoe@piefed.ca 5 points 3 days ago (1 children)

Anything that I publicly expose, I have protected with multiple layers up and down my entire stack...

https://corelab.tech/cybersecroadmap/

[–] flint@lemmy.zip 2 points 2 days ago (1 children)

This is such a nice overview. Thank you for sharing!

[–] CoreLabJoe@piefed.ca 1 points 1 day ago (2 children)

No worries, hope it helps, let me know if you have questions =)

[–] lokalhorst@feddit.org 1 points 5 hours ago

I access my home server with Jellyfin exclusively via Tailscale. Until now, I thought I was safe, as I haven't opened anything to "the open internet". After reading your very nice guide, I feel like I forgot a lot. Supposed I trust Tailscale, is that enough?

[–] flint@lemmy.zip 2 points 1 day ago (1 children)

Actually, I was wondering:

I have used tailscale, and lately netbird, for remote access and it has worked well for Jellyfin streaming, ssh/rsync and accessing other WebUIs. All with non-default passwords of course.

However I have not set up any of the internal network hardening like OPNSense, VLANs or ReverseProxy. Is it safe to configure these remotely or am I risking locking myself out?

[–] CoreLabJoe@piefed.ca 2 points 1 day ago (1 children)

It can be done, just carefully. You can definitely accidentally block yourself out if you set a firewall rule up incorrectly, or in higher precedence of order for example. OPNsense (like almost every firewall known) processes rules in a "top down" order. So you put your blocks at the bottom!!!

Reverse proxy won't lock you out, essentially that's just slapping HTTPS on a webserver/service like Jellyfin, so you can access it without requiring a VPN.

Here's a reverse proxy explainer, pt 2 is the actual setup!

[–] flint@lemmy.zip 2 points 1 day ago

Thank you very much for the pointers! There is so much info at different levels out there that it's encouraging to get recommendations.

Gicen the risk of locking myself out (have been prone to do that even IRL) I may limit firewalling to times where I have physical access.

Reverse proxy sounds intriguing though. I've got a domain already, so just missing... well.. the rest (:

[–] nitroemdash@lemmy.wtf 23 points 4 days ago

I have a hammer hanging above the hard drive on a string, and every time I want to access it, I have to convince an AI it's really me. If doubt level rises above 20%, the hammer drops.

[–] muusemuuse@sh.itjust.works 2 points 2 days ago

As much as practical. Modern security relies on layers of protection to mitigate failures in methodology. Your strategy isn’t makes a single perfect defense. It’s mitigating risk. If one method fails, then what happens?

[–] surewhynotlem@lemmy.world 22 points 5 days ago (1 children)

If it's just wireguard on a nonstandard port, then you are pretty much done. It's UDP and won't reply to incorrectly signed packets so it's essentially invisible.

[–] jobbies@lemmy.zip 4 points 3 days ago

You're kind of there but if you live the zero-trust life always be on the lookout for ways to improve security.

If something will make your setup more secure, is low effort, uses few resources and costs you nothing it would be madness not to use it.

[–] Decronym@lemmy.decronym.xyz 2 points 3 days ago* (last edited 5 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
SSO Single Sign-On
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

4 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

[Thread #46 for this comm, first seen 7th Jul 2026, 20:50] [FAQ] [Full list] [Contact] [Source code]

[–] irmadlad@lemmy.world 2 points 3 days ago

To me, the question is 'How much do you secure a home server ~~that's only accessible with VPN?~~' to which I would answer, secure everything, every last jot and tilde. Especially in a homelab environment where a nefarious actor could gain lateral movement. The data on my server, tho important to me, is not the prime concern as much as becoming a zombie in someone's botnet. The very first Linux server I stood up got hacked overnight. Since then, I'm keen to lock everything down. I've been told I go overboard, but I'd rather that scenario.

[–] Zwuzelmaus@feddit.org 11 points 4 days ago

VPS bad!

Can't put your rings of garlic around it.

[–] neidu3@sh.itjust.works 9 points 5 days ago* (last edited 4 days ago)

My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I'm also a big believer in defense-in-depth, so I follow the same rules of thumb:

  • iptables (or equivalent) that drops anything incoming that isn't wanted. It also rejects anything going out that isn't planned for.
  • any public facing service (except ssh) gets its own user
  • disable root login via ssh
  • ssh login with key only on any user in sudoers
[–] moonpiedumplings@programming.dev 9 points 5 days ago* (last edited 5 days ago)

Yes, I do lock it down. It's still worth securing it because "internal servers" can still get exposed and touched, even though there are less paths to them, and it's not as punishing to slip up vs a public server. For example, One of the wireguard client devices downloads a virus, and now you have a cyberattacker with access.

Another problem is supply chain issues. If the distributor of a docker container is hacked, it's not that bad... as long as your kernel is up to date and is protected against some of the recent vulns, that would enable someone to break out of a docker container

Blajah.zone's lemmy instance was hacked partially becuase internal servers weren't being held to the same security standards as the public ones:

https://pen.blahaj.zone/supakaity/weve-been-hacked

I had not patched these internal servers that nobody should have access to against this. Rebooting DB servers causes downtime, and in my hubris – I thought nobody should (nay COULD) be on my servers except me, right?

I have a comment on that post with some potential solutions, that would have cut off attack paths.

Though, I guess, it still does depend. Like if it's just gonna you wireguarding in and no one else, then the data on your devices is probably worth more than the data on the server, so no, it wouldn't be worth spending too much effort to secure less valuable data.

But if you are handing out internal access to people, including to some relative who keeps falling for scammers, then yeah, I'd take some time to harden the systems.

[–] i_stole_ur_taco@lemmy.ca 8 points 5 days ago

I use pangolin and traefik together and expose a few of my services that way. But not everything.

I slot services into categories based on:

  • do I really need to be able to access this externally?
  • …with full admin rights?
  • what write/delete access am I granting?
  • if an attacker got in, how much damage could they do with what they could access?

Then the service is either not externally open at all, secured behind pangolin SSO, or secured behind pangolin SSO AND that service’s native auth. Which is an annoying double auth, but I feel like it’s another layer of protection in case one of them gets a 0-day exploit.

[–] in_the_dark_forest@feddit.org 4 points 4 days ago

I have my home server behind a wireguard vpn access.

While I am no security expert, or precisely because of that, I still try to follow security best practices for the internal setup if I can.

Of course you propably do not have to be as vigilant as if your services were publicly exposed. But I believe it is still a good idea to have some "defence in depth" and not assume only one possible attack vector, e.g. what if there already is a bad actor on your home network maybe via a trusted device that has some virus. Also a plus is i guss if you ever decide to expose something later on you wont have as many issues.

[–] EarMaster@lemmy.world 5 points 5 days ago

You should consider the VPN as a part of the protection (and also as a part of an attack vector).

After installing tailscale with my Headscale server, I just left it as is. Maybe people in the comments can chime in but if you expose only your VPN server or broker (Headscale), you kinda narrowed down your attack vectors and a VPN itself is really solid. From my basic knowledge, it's the server and client which are the bottleneck at that point, but there's only so much you can do and if you continuously update both and maybe stay on stable / ltsc branches, you kinda did everything.

I guess there's something to say about the encryption algorithms used. What I remember from back in the day is everything elliptic curves that's common is quite good so if you see "ECDSA" / "ECDH" you should be fine. RSA unfortunately is not that great anymore.

[–] Brkdncr@lemmy.world 4 points 5 days ago (1 children)

I run a weekly vuln scan against my ip ranges. If anything comes up I deal with it.

[–] NarrativeBear@lemmy.world 10 points 4 days ago (1 children)

Could you provide some more information on how you perform a vuln scan, or what services/softwares you use to perform the scan?

[–] Brkdncr@lemmy.world 5 points 4 days ago (1 children)

I use tenable but i get it from work for free. You could use Nessus.

[–] frongt@lemmy.zip 2 points 4 days ago

Tenable owns Nessus. But they have a free tier.

The FOSS equivalent is Greenbone OpenVAS: https://greenbone.github.io/docs/latest/