New post: Self-host at home

Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
This commit is contained in:
Sergio Durigan Junior 2023-05-23 00:58:54 -04:00
parent 6d9a033640
commit 0a908d134a
2 changed files with 220 additions and 0 deletions

View file

@ -1,5 +1,123 @@
#+hugo_base_dir: ../ #+hugo_base_dir: ../
* Comunidades difíceis :portugues:thoughts:rant:
:PROPERTIES:
:EXPORT_FILE_NAME: comunidades-dificeis
:END:
Uma constante em minha vida há muitos anos é o envolvimento com
comunidades de Software Livre. É uma parte integral daquilo que me
faz me sentir completo e feliz, e por isso eu não gosto de pensar que
a possibilidade de poder dedicar meu tempo livre (e ocupado também!)
pra tornar esse envolvimento concreto seja algo trivial. Pelo
contrário: até hoje, mais de 15 anos depois da minha primeira
contribuição pra um projeto Livre, eu ainda me pego agradecendo pelo
privilégio de poder fazer daquilo que eu acredito algo que permeia
minha vida. Mas é claro que nem tudo são flores.
"Comunidade" é só um nome bonito que a gente usa pra "um monte de
pessoas juntas". E pessoas são complicadas, obviamente. Ainda mais
aquelas que lidam com um ramo tão complexo, volátil e competitivo como
o da computação. Por algum motivo, algumas comunidades agem como ímãs
de pessoas mais complicadas, e ultimamente eu tenho pensado bastante
nisso. Pra mim, é sempre um mistério entender o porquê de alguém
perder seu tempo pra dificultar o trabalho de outros.
* DONE Using WireGuard to host services at home :english:howto:selfhost:wireguard:debian:
CLOSED: [2023-05-23 Tue 00:56]
:PROPERTIES:
:EXPORT_FILE_NAME: using-wireguard-host-services-home
:END:
It's been a while since I had this idea to leverage the power of
[[https://wireguard.org][WireGuard]] to self-host stuff at home. Even though I pay for a proper
server somewhere in the world, there are some services that I don't
consider critical to put there, or that I consider *too* critical to
host outside my home.
** It's only NATural
With today's ISP packages for end users, I find it very annoying the
amount of trouble they create when you try to host anything at home.
Dynamic IPs, NAT/CGNAT, port-blocking, traffic shapping are only a few
examples of methods or limitations that prevent users from making
local services reachable in a reliable way from outside.
** WireGuard comes to help
If you already pay for a VPS or a dedicated server somewhere, why not
use its existing infrastructure (and public availability) in your
favour? That's what I thought when I started this journey.
My initial idea was to use a reverse proxy to redirect external
requests to the service running at my home. But how could I make sure
that these requests reach my
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
tunnel! WireGuard is the perfect tool for that because of many
things: it's stateless, very performant, secure, and requires very
little configuration.
** Setting up on the server
On the server side (i.e., VPS or dedicated server), you will create
the first endpoint. Something like the following should do:
#+begin_src
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.1/32
ListenPort = 51821
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.2/32
PersistentKeepalive = 10
#+end_src
A few interesting points to note:
- The =Peer= section contains information about the home service that
will be configured below.
- I'm using =PersistentKeepalive= because I have a dynamic IP at my
home. If you have a static IP, you could get rid of
=PersistentKeepalive= and specify an =Endpoint= here (don't forget
to set a =ListenPort= *below*, in the =Interface= section).
- Now you have an IP where you can forward requests to. If we're
talking about HTTP traffic, Apache and nginx are absolutely capable
of doing it. If we're talking about other kind of traffic, you
might want to look into other utilities, like [[https://www.haproxy.org/][HAProxy]], [[https://traefik.io/traefik/][Traefik]] and
others.
** Setting up at your home
At your home, you will configure the peer:
#+begin_src
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.2/32
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.1/32
Endpoint = YOUR_SERVER:51821
PersistentKeepalive = 10
#+end_src
** A few notes about security
I would be remiss if I didn't say anything about security, especially
because we're talking about hosting services at home. So, here are a
few recommendations:
- Make sure to put your services in a separate local network. Using
VLANs is also a good option.
- Don't run services on your personal (or work!) computer, even if
they'll be running inside a VM.
- Run a firewall on the WireGuard interface and make sure that you
only allow traffic over the required ports.
Have fun!
* DONE Ubuntu debuginfod and source code indexing :english:ubuntu:debuginfod:debian:free_software:gdb: * DONE Ubuntu debuginfod and source code indexing :english:ubuntu:debuginfod:debian:free_software:gdb:
CLOSED: [2023-05-13 Sat 16:43] CLOSED: [2023-05-13 Sat 16:43]
:PROPERTIES: :PROPERTIES:

View file

@ -0,0 +1,102 @@
+++
title = "Using WireGuard to host services at home"
author = ["Sergio Durigan Junior"]
date = 2023-05-23T00:56:00-04:00
tags = ["english", "howto", "selfhost", "wireguard", "debian"]
draft = false
+++
It's been a while since I had this idea to leverage the power of
[WireGuard](https://wireguard.org) to self-host stuff at home. Even though I pay for a proper
server somewhere in the world, there are some services that I don't
consider critical to put there, or that I consider **too** critical to
host outside my home.
## It's only NATural {#it-s-only-natural}
With today's ISP packages for end users, I find it very annoying the
amount of trouble they create when you try to host anything at home.
Dynamic IPs, NAT/CGNAT, port-blocking, traffic shapping are only a few
examples of methods or limitations that prevent users from making
local services reachable in a reliable way from outside.
## WireGuard comes to help {#wireguard-comes-to-help}
If you already pay for a VPS or a dedicated server somewhere, why not
use its existing infrastructure (and public availability) in your
favour? That's what I thought when I started this journey.
My initial idea was to use a reverse proxy to redirect external
requests to the service running at my home. But how could I make sure
that these requests reach my
dynamic-IP-behind-a-NAT-behind-another-NAT? Well, let's create a
tunnel! WireGuard is the perfect tool for that because of many
things: it's stateless, very performant, secure, and requires very
little configuration.
## Setting up on the server {#setting-up-on-the-server}
On the server side (i.e., VPS or dedicated server), you will create
the first endpoint. Something like the following should do:
```nil
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.1/32
ListenPort = 51821
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.2/32
PersistentKeepalive = 10
```
A few interesting points to note:
- The `Peer` section contains information about the home service that
will be configured below.
- I'm using `PersistentKeepalive` because I have a dynamic IP at my
home. If you have a static IP, you could get rid of
`PersistentKeepalive` and specify an `Endpoint` here (don't forget
to set a `ListenPort` **below**, in the `Interface` section).
- Now you have an IP where you can forward requests to. If we're
talking about HTTP traffic, Apache and nginx are absolutely capable
of doing it. If we're talking about other kind of traffic, you
might want to look into other utilities, like [HAProxy](https://www.haproxy.org/), [Traefik](https://traefik.io/traefik/) and
others.
## Setting up at your home {#setting-up-at-your-home}
At your home, you will configure the peer:
```nil
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = 10.0.0.2/32
[Peer]
PublicKey = PUBLIC_KEY_HERE
AllowedIps = 10.0.0.1/32
Endpoint = YOUR_SERVER:51821
PersistentKeepalive = 10
```
## A few notes about security {#a-few-notes-about-security}
I would be remiss if I didn't say anything about security, especially
because we're talking about hosting services at home. So, here are a
few recommendations:
- Make sure to put your services in a separate local network. Using
VLANs is also a good option.
- Don't run services on your personal (or work!) computer, even if
they'll be running inside a VM.
- Run a firewall on the WireGuard interface and make sure that you
only allow traffic over the required ports.
Have fun!