New post: Self-host at home
Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
This commit is contained in:
parent
6d9a033640
commit
0a908d134a
2 changed files with 220 additions and 0 deletions
|
@ -1,5 +1,123 @@
|
||||||
#+hugo_base_dir: ../
|
#+hugo_base_dir: ../
|
||||||
|
|
||||||
|
* Comunidades difíceis :portugues:thoughts:rant:
|
||||||
|
:PROPERTIES:
|
||||||
|
:EXPORT_FILE_NAME: comunidades-dificeis
|
||||||
|
:END:
|
||||||
|
Uma constante em minha vida há muitos anos é o envolvimento com
|
||||||
|
comunidades de Software Livre. É uma parte integral daquilo que me
|
||||||
|
faz me sentir completo e feliz, e por isso eu não gosto de pensar que
|
||||||
|
a possibilidade de poder dedicar meu tempo livre (e ocupado também!)
|
||||||
|
pra tornar esse envolvimento concreto seja algo trivial. Pelo
|
||||||
|
contrário: até hoje, mais de 15 anos depois da minha primeira
|
||||||
|
contribuição pra um projeto Livre, eu ainda me pego agradecendo pelo
|
||||||
|
privilégio de poder fazer daquilo que eu acredito algo que permeia
|
||||||
|
minha vida. Mas é claro que nem tudo são flores.
|
||||||
|
|
||||||
|
"Comunidade" é só um nome bonito que a gente usa pra "um monte de
|
||||||
|
pessoas juntas". E pessoas são complicadas, obviamente. Ainda mais
|
||||||
|
aquelas que lidam com um ramo tão complexo, volátil e competitivo como
|
||||||
|
o da computação. Por algum motivo, algumas comunidades agem como ímãs
|
||||||
|
de pessoas mais complicadas, e ultimamente eu tenho pensado bastante
|
||||||
|
nisso. Pra mim, é sempre um mistério entender o porquê de alguém
|
||||||
|
perder seu tempo pra dificultar o trabalho de outros.
|
||||||
|
|
||||||
|
* DONE Using WireGuard to host services at home :english:howto:selfhost:wireguard:debian:
|
||||||
|
CLOSED: [2023-05-23 Tue 00:56]
|
||||||
|
:PROPERTIES:
|
||||||
|
:EXPORT_FILE_NAME: using-wireguard-host-services-home
|
||||||
|
:END:
|
||||||
|
|
||||||
|
It's been a while since I had this idea to leverage the power of
|
||||||
|
[[https://wireguard.org][WireGuard]] to self-host stuff at home. Even though I pay for a proper
|
||||||
|
server somewhere in the world, there are some services that I don't
|
||||||
|
consider critical to put there, or that I consider *too* critical to
|
||||||
|
host outside my home.
|
||||||
|
|
||||||
|
** It's only NATural
|
||||||
|
|
||||||
|
With today's ISP packages for end users, I find it very annoying the
|
||||||
|
amount of trouble they create when you try to host anything at home.
|
||||||
|
Dynamic IPs, NAT/CGNAT, port-blocking, traffic shapping are only a few
|
||||||
|
examples of methods or limitations that prevent users from making
|
||||||
|
local services reachable in a reliable way from outside.
|
||||||
|
|
||||||
|
** WireGuard comes to help
|
||||||
|
|
||||||
|
If you already pay for a VPS or a dedicated server somewhere, why not
|
||||||
|
use its existing infrastructure (and public availability) in your
|
||||||
|
favour? That's what I thought when I started this journey.
|
||||||
|
|
||||||
|
My initial idea was to use a reverse proxy to redirect external
|
||||||
|
requests to the service running at my home. But how could I make sure
|
||||||
|
that these requests reach my
|
||||||
|
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
|
||||||
|
tunnel! WireGuard is the perfect tool for that because of many
|
||||||
|
things: it's stateless, very performant, secure, and requires very
|
||||||
|
little configuration.
|
||||||
|
|
||||||
|
** Setting up on the server
|
||||||
|
|
||||||
|
On the server side (i.e., VPS or dedicated server), you will create
|
||||||
|
the first endpoint. Something like the following should do:
|
||||||
|
|
||||||
|
#+begin_src
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = PRIVATE_KEY_HERE
|
||||||
|
Address = 10.0.0.1/32
|
||||||
|
ListenPort = 51821
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = PUBLIC_KEY_HERE
|
||||||
|
AllowedIps = 10.0.0.2/32
|
||||||
|
PersistentKeepalive = 10
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
A few interesting points to note:
|
||||||
|
|
||||||
|
- The =Peer= section contains information about the home service that
|
||||||
|
will be configured below.
|
||||||
|
- I'm using =PersistentKeepalive= because I have a dynamic IP at my
|
||||||
|
home. If you have a static IP, you could get rid of
|
||||||
|
=PersistentKeepalive= and specify an =Endpoint= here (don't forget
|
||||||
|
to set a =ListenPort= *below*, in the =Interface= section).
|
||||||
|
- Now you have an IP where you can forward requests to. If we're
|
||||||
|
talking about HTTP traffic, Apache and nginx are absolutely capable
|
||||||
|
of doing it. If we're talking about other kind of traffic, you
|
||||||
|
might want to look into other utilities, like [[https://www.haproxy.org/][HAProxy]], [[https://traefik.io/traefik/][Traefik]] and
|
||||||
|
others.
|
||||||
|
|
||||||
|
** Setting up at your home
|
||||||
|
|
||||||
|
At your home, you will configure the peer:
|
||||||
|
|
||||||
|
#+begin_src
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = PRIVATE_KEY_HERE
|
||||||
|
Address = 10.0.0.2/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = PUBLIC_KEY_HERE
|
||||||
|
AllowedIps = 10.0.0.1/32
|
||||||
|
Endpoint = YOUR_SERVER:51821
|
||||||
|
PersistentKeepalive = 10
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
** A few notes about security
|
||||||
|
|
||||||
|
I would be remiss if I didn't say anything about security, especially
|
||||||
|
because we're talking about hosting services at home. So, here are a
|
||||||
|
few recommendations:
|
||||||
|
|
||||||
|
- Make sure to put your services in a separate local network. Using
|
||||||
|
VLANs is also a good option.
|
||||||
|
- Don't run services on your personal (or work!) computer, even if
|
||||||
|
they'll be running inside a VM.
|
||||||
|
- Run a firewall on the WireGuard interface and make sure that you
|
||||||
|
only allow traffic over the required ports.
|
||||||
|
|
||||||
|
Have fun!
|
||||||
|
|
||||||
* DONE Ubuntu debuginfod and source code indexing :english:ubuntu:debuginfod:debian:free_software:gdb:
|
* DONE Ubuntu debuginfod and source code indexing :english:ubuntu:debuginfod:debian:free_software:gdb:
|
||||||
CLOSED: [2023-05-13 Sat 16:43]
|
CLOSED: [2023-05-13 Sat 16:43]
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
|
|
102
content/posts/using-wireguard-host-services-home.md
Normal file
102
content/posts/using-wireguard-host-services-home.md
Normal file
|
@ -0,0 +1,102 @@
|
||||||
|
+++
|
||||||
|
title = "Using WireGuard to host services at home"
|
||||||
|
author = ["Sergio Durigan Junior"]
|
||||||
|
date = 2023-05-23T00:56:00-04:00
|
||||||
|
tags = ["english", "howto", "selfhost", "wireguard", "debian"]
|
||||||
|
draft = false
|
||||||
|
+++
|
||||||
|
|
||||||
|
It's been a while since I had this idea to leverage the power of
|
||||||
|
[WireGuard](https://wireguard.org) to self-host stuff at home. Even though I pay for a proper
|
||||||
|
server somewhere in the world, there are some services that I don't
|
||||||
|
consider critical to put there, or that I consider **too** critical to
|
||||||
|
host outside my home.
|
||||||
|
|
||||||
|
|
||||||
|
## It's only NATural {#it-s-only-natural}
|
||||||
|
|
||||||
|
With today's ISP packages for end users, I find it very annoying the
|
||||||
|
amount of trouble they create when you try to host anything at home.
|
||||||
|
Dynamic IPs, NAT/CGNAT, port-blocking, traffic shapping are only a few
|
||||||
|
examples of methods or limitations that prevent users from making
|
||||||
|
local services reachable in a reliable way from outside.
|
||||||
|
|
||||||
|
|
||||||
|
## WireGuard comes to help {#wireguard-comes-to-help}
|
||||||
|
|
||||||
|
If you already pay for a VPS or a dedicated server somewhere, why not
|
||||||
|
use its existing infrastructure (and public availability) in your
|
||||||
|
favour? That's what I thought when I started this journey.
|
||||||
|
|
||||||
|
My initial idea was to use a reverse proxy to redirect external
|
||||||
|
requests to the service running at my home. But how could I make sure
|
||||||
|
that these requests reach my
|
||||||
|
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
|
||||||
|
tunnel! WireGuard is the perfect tool for that because of many
|
||||||
|
things: it's stateless, very performant, secure, and requires very
|
||||||
|
little configuration.
|
||||||
|
|
||||||
|
|
||||||
|
## Setting up on the server {#setting-up-on-the-server}
|
||||||
|
|
||||||
|
On the server side (i.e., VPS or dedicated server), you will create
|
||||||
|
the first endpoint. Something like the following should do:
|
||||||
|
|
||||||
|
```nil
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = PRIVATE_KEY_HERE
|
||||||
|
Address = 10.0.0.1/32
|
||||||
|
ListenPort = 51821
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = PUBLIC_KEY_HERE
|
||||||
|
AllowedIps = 10.0.0.2/32
|
||||||
|
PersistentKeepalive = 10
|
||||||
|
```
|
||||||
|
|
||||||
|
A few interesting points to note:
|
||||||
|
|
||||||
|
- The `Peer` section contains information about the home service that
|
||||||
|
will be configured below.
|
||||||
|
- I'm using `PersistentKeepalive` because I have a dynamic IP at my
|
||||||
|
home. If you have a static IP, you could get rid of
|
||||||
|
`PersistentKeepalive` and specify an `Endpoint` here (don't forget
|
||||||
|
to set a `ListenPort` **below**, in the `Interface` section).
|
||||||
|
- Now you have an IP where you can forward requests to. If we're
|
||||||
|
talking about HTTP traffic, Apache and nginx are absolutely capable
|
||||||
|
of doing it. If we're talking about other kind of traffic, you
|
||||||
|
might want to look into other utilities, like [HAProxy](https://www.haproxy.org/), [Traefik](https://traefik.io/traefik/) and
|
||||||
|
others.
|
||||||
|
|
||||||
|
|
||||||
|
## Setting up at your home {#setting-up-at-your-home}
|
||||||
|
|
||||||
|
At your home, you will configure the peer:
|
||||||
|
|
||||||
|
```nil
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = PRIVATE_KEY_HERE
|
||||||
|
Address = 10.0.0.2/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = PUBLIC_KEY_HERE
|
||||||
|
AllowedIps = 10.0.0.1/32
|
||||||
|
Endpoint = YOUR_SERVER:51821
|
||||||
|
PersistentKeepalive = 10
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## A few notes about security {#a-few-notes-about-security}
|
||||||
|
|
||||||
|
I would be remiss if I didn't say anything about security, especially
|
||||||
|
because we're talking about hosting services at home. So, here are a
|
||||||
|
few recommendations:
|
||||||
|
|
||||||
|
- Make sure to put your services in a separate local network. Using
|
||||||
|
VLANs is also a good option.
|
||||||
|
- Don't run services on your personal (or work!) computer, even if
|
||||||
|
they'll be running inside a VM.
|
||||||
|
- Run a firewall on the WireGuard interface and make sure that you
|
||||||
|
only allow traffic over the required ports.
|
||||||
|
|
||||||
|
Have fun!
|
Loading…
Reference in a new issue