New user uncertain of what to do next with Raspberry Pi

I’m not super familiar with either electronics projects or software focused projects and it’s one of the mistakes I made in university of just focusing on passing the classes and not really exploring. I think trying to do Home Assistant stuff might be a good choice for trying to do inventory management alongside trying to learn what a good alternative is to port forwarding to have self hosted content available everywhere.

Though, I do kind of wonder if maybe just port forwarding and then nginx reverse proxy is actually all that’s needed and trying to do cloudflare tunnels or zerotier that I heard about yesterday may not be a substantial improvement in terms of router security.

You probably want to port forward a VPN and connect to your local network that way. It’s the most secure way. You can port forward nginx or haproxy and reverse proxy to your infrastructure though if you don’t want to mess with having a VPN.

Just a question: what makes port forwarding a VPN and connecting to the local network that way better than utilizing something like Cloudflare Tunnels?

I’ve seemingly pretty much broken everything I have set up and for now can’t even access the local bitwarden since it’s only locally currently and with that I can’t do the SSL that it needs to function.

So I ask for patience, forgiveness, and wisdom, as I would like to know what the proper way is to do self-hosting on a Raspberry Pi, with being able to access self-hosted features remotely. So Home Assistant connected features could be accessed remotely, as could passwords.

At this point I’m willing to factory reset my RPi if that’s needed to properly securely do the Home Server stuff.

Probably don’t need to reinstall the OS on the Pi. My opinion about self-hosting at home is that it’s just a matter of trying to keep as few things exposed as possible, meaning that a VPN would fit that description. You connect to the VPN and everything else is internal to your network.

Of course, that’s not the only way and you can expose your services on the internet, but if you are not aware what things are safe to expose and what things should be kept local, it’s better to not risk it. Samba / SMB and RDP are good examples of things that should never be exposed. For the web, if you don’t update your webservers and reverse proxies often, you probably shouldn’t expose them.

The general consensus I see on the internet is that if you want a simple setup, port forward your VPN and connect straight to your home. If you want to avoid the hassle of a VPN, like if you have more users and don’t want to give all of them access to your whole home network (although having a VPN in a segregated network is also an option), you should not expose your home’s IP address directly (I never understood why, to me it sounds silly, unless there are technical reasons, like your ISP blocking certain ports).

Most people say that if you want to expose services directly, you should use a reverse proxy on a VPS or Cloudflare. I don’t like the dependence on big tech, I believe it is antithetical to self-hosting, but if cloudflare fits the bill for anyone, use it. A direct cloudflare connection would have to be served straight to your home, unless you use both a VPS and Cloudflare, but at least only cloudflare and crazy people who scan the whole internet will know of your exposed services at home.

I saw that many people do stuff with a VPS:

  • VPN on VPS
  • Connecting from home to the vps through the vpn
  • Setting up a reverse proxy on the vps
  • Pointing the reverse proxy to point to your home server’s IP if the routes are set up properly through the tunnel
  • Enabling TLS on the reverse proxy
  • Happy serving

This makes the VPS your main gateway to your home, so it is important to secure it against attacks. You probably still want SSH access to it for troubleshooting purposes, so you need to set up firewall rules limiting the number of connections that can be made to it (probably a good thing to do the same on the other ports too, otherwise people can DDoS your service), then block all other incoming connections.

Since you are exposing things via HTTPS, you may also want to set restricted access to each page (user accounts on the page before you can access the actual page).

I heard of some people exposing jellyfin this way, so all their family can connect to the VPS and watch the media stored on the home server. Actually, there is one guy on this forum who does it too.

I have not set up my self-hosted services yet, because I’m retarded and don’t use hardware and software that works, so my services would be offline most of the time. The only thing I have is a few VPN sites (home connections), some security cameras that can be accessed through one VPN and my own Samba server on the other VPN. I plan on having my own chat server and Jitsi server, hopefully those would work better than the free programs you find on the likes of the Google or Apple stores (especially in voice and video quality).
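The VPS-gateway layout listed in the post above (VPN on the VPS, home Pi dialling into it, reverse proxy with TLS on the VPS, firewall on the VPS), written out as an added example that is not part of the original thread. Everything in it is an assumption chosen for illustration: the VPS address 203.0.113.10, the tunnel subnet 10.8.0.0/24, the hostname vault.example.com, the upstream 10.8.0.2:8080 and the rate limits; the WireGuard keys are passed in as arguments, never generated here.

```shell
#!/bin/sh
# Added example (not from the thread): emit the four files for the VPS-gateway
# layout. All addresses, ports and names below are assumptions:
#   VPS public IP     203.0.113.10 (documentation range)
#   WireGuard subnet  10.8.0.0/24, VPS = 10.8.0.1, home Pi = 10.8.0.2
#   Home service      10.8.0.2:8080 (listening on the Pi itself)
#   Public hostname   vault.example.com
# Keys: on each box run  wg genkey | tee privatekey | wg pubkey > publickey

VPS_IP=203.0.113.10
WG_PORT=51820
SITE=vault.example.com
UPSTREAM=10.8.0.2:8080

# /etc/wireguard/wg0.conf on the VPS: listens publicly, knows exactly one peer.
wg_vps_conf() {  # $1 = VPS private key, $2 = home Pi public key
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1

[Peer]
# home Pi: only its tunnel address is routed, the home LAN stays unreachable from the VPS
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# /etc/wireguard/wg0.conf on the home Pi: it dials out, so nothing is forwarded at home.
wg_home_conf() {  # $1 = home Pi private key, $2 = VPS public key
    cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $VPS_IP:$WG_PORT
AllowedIPs = 10.8.0.1/32
# home is behind NAT: keep the mapping alive so the VPS can reach us at any time
PersistentKeepalive = 25
EOF
}

# nginx site on the VPS: TLS terminates here, plain HTTP goes down the tunnel.
nginx_site() {
    cat <<EOF
server {
    listen 443 ssl http2;
    server_name $SITE;
    ssl_certificate     /etc/letsencrypt/live/$SITE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$SITE/privkey.pem;
    location / {
        proxy_pass http://$UPSTREAM;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# /etc/nftables.conf on the VPS: default drop, per-source rate limit on new SSH
# and web connections (dynamic sets), WireGuard allowed, no forwarding at all
# (nginx is a local process, so the proxy needs none).
nft_rules() {
    cat <<EOF
flush ruleset
table inet filter {
    set ssh_meter { type ipv4_addr; flags dynamic; timeout 1m; size 65535; }
    set web_meter { type ipv4_addr; flags dynamic; timeout 1m; size 65535; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        udp dport $WG_PORT accept
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 6/minute } drop
        tcp dport 22 ct state new accept
        tcp dport { 80, 443 } ct state new add @web_meter { ip saddr limit rate over 30/second } drop
        tcp dport { 80, 443 } ct state new accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
}
EOF
}

# Usage: ./gen-vps-gateway.sh VPS_PRIVKEY HOME_PUBKEY HOME_PRIVKEY VPS_PUBKEY
main() {
    wg_vps_conf "$1" "$2"  > vps-wg0.conf
    wg_home_conf "$3" "$4" > home-wg0.conf
    nginx_site             > vps-nginx-site.conf
    nft_rules              > vps-nftables.conf
    chmod 600 vps-wg0.conf home-wg0.conf
}
if [ $# -eq 4 ]; then main "$@"; fi
```

The home Pi initiates the tunnel and keeps it alive, so no port on the home router is forwarded at all, and the VPS only ever sees 10.8.0.2, which is the point of this layout. Whatever you put in the VPS peer's AllowedIPs is the whole of what the VPS can reach at home; widen it to the LAN only if the proxy really has to talk to other machines there.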

Would it be a VPN like NordVPN and those other ones that are paid and advertised, or more like a WireGuard VPN?

Self-hosted wireguard or openvpn or ipsec. I never witnessed home users using ipsec, most go with wireguard lately, some still swear by openvpn. I use both and I find that they have different uses.

If I do a peer to peer or peer to network, WireGuard works flawlessly (I use the latter for the aforementioned security cameras), but if I do network to network, it either works half-way (e.g. I’m on WireGuard right now, many websites fail TLS handshakes and some don’t connect at all, like DuckDuckGo) or not at all (my VMs can’t connect to any website and they seem stuck on the local network, they can’t even ping beyond the local router where WireGuard is running, which is weird because my host can - I have no such issues when my router uses OpenVPN).

I guess if WireGuard or OpenVPN is set up just on the Raspberry Pi, it should be possible for the stuff to work without there being an effect on other machines, even if they can still connect to the self-hosted equivalent of the vault.bitwarden.com page. Right?

Unless I missed it, I didn’t see Pi-hole mentioned; check it out, ad blocking at that level is nice.

I’m aware of Pi-hole, though I wasn’t sure if I’d want to use it just because I don’t pay for the internet, so while port forwarding is fine, there are limitations to what I feel comfortable modifying in terms of the internet that my home uses.


The ability for local machines to connect to the Pi on the same network won’t be affected by installing wg or ovpn-server on it. But if everything runs on the same box, it would probably make sense that when you VPN to your Pi, you use your Pi’s VPN IP address to connect to your other self-hosted services, as opposed to the IP on the LAN, but it doesn’t matter that much, as long as the client knows the route to the Pi’s other IP (and if you redirect all traffic through your Pi, you won’t have to worry about network routes).

Using Pi-Hole and not changing the default DNS on the network will not affect the other machines’ DNS. You will just have to manually set the DNS to your Pi-Hole on the devices you use. Another good project for the Pi.

So what would be the order: set up the VPN, connect the VPN to Pi-hole, and then do self-hosted things through the VPN?

The order doesn’t really matter. You already have your self-hosted stuff, like vaultwarden. You just install wireguard or openvpn-server, port forward the VPN port in your router, install something like duckdns to have a dynamic domain name for when your home IP changes, connect to your VPN with your phone from your mobile data (as an example), then access your vaultwarden like you would access it normally if you were at home.

For setting up the VPN port, should I force routing IPv6 to block leakage, or might that risk causing functionality not to work for other things?

You can ignore ipv6 for now. I don’t have enough experience to make it work, so try not to bother with it for now. Besides, you won’t be leaking anything besides potentially some DNS queries, which don’t even matter that much in the grand scheme of things, especially if you have a pseudo-domain, like vault.reverseproxy.local or something like this.

I just wanted to check since it showed up in the installer for the VPN and wasn’t mentioned in the guides. I don’t even need to use a pseudo domain as I own an actual domain that I plan on using for vaultwarden at the very least if not for other self-hosted stuff.

Since I don’t have a local Pi-hole DNS server set up yet, I should use a public DNS provider, being Cloudflare, right?

I’m not sure I understand what you mean. Since you don’t have a public DNS that you can point your domain to on your domain registrar’s page, you will have to use the domain registrar to bind IPs manually, even if these are private IP addresses (I never tried doing it with private IPs, but I don’t see a reason why it shouldn’t work, unless your registrar explicitly filters private IP classes).

But you will still need a dynamic way to allocate an IP to a domain, which is where a DynDNS comes in handy. DuckDNS is just an example, there are more dyndns services out there. You run their software on your Pi and the pi will send out a request every n minutes to their servers and if your public IP address on your router changes, the dyndns provider will notice the message came from another IP and update your DNS entry with the new IP.

I’m not sure if you can use your domain on a dynDNS server, but what you can do is use that dyndns domain and in your own domain management page on your registrar’s website, you can do a CNAME entry to something like vpn.yourdomain.tld to the dyndns domain. That way you can use your own domain if you really want to.

Pi-Hole has nothing to do with the VPN, it’s just a DNS filter to block malware and ads.

So, for vaultwarden, you’d go to your registrar and map the IP address that the Pi has on your LAN at home. vault.yourdomain.tld will be mapped to something like 192.168.0.151. If the service is not accessible on the internet, a domain is not exactly necessary.
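The direct setup described in the replies above (WireGuard on the Pi, the VPN port forwarded on the router, a dynamic DNS client keeping the home address current, the phone connecting from mobile data), written out as an added example; it is not the thread's own configuration or the Pi-VPN installer's output. The names are placeholders: DuckDNS subdomain myhome, the router forwarding UDP 51820 to the Pi, tunnel subnet 10.8.0.0/24 with the Pi at 10.8.0.1 and the phone at 10.8.0.3, LAN 192.168.0.0/24, uplink eth0; the DuckDNS token and the WireGuard keys are supplied by the reader.

```shell
#!/bin/sh
# Added example (not from the thread): "port forward WireGuard straight to the
# Pi" with DuckDNS tracking the changing home IP. All names are assumptions:
#   DuckDNS subdomain  myhome         -> router reachable as myhome.duckdns.org
#   Router forwards    UDP 51820      -> the Pi (LAN 192.168.0.0/24, uplink eth0)
#   Tunnel subnet      10.8.0.0/24    Pi = 10.8.0.1, phone = 10.8.0.3
# Keys: on each device run  wg genkey | tee privatekey | wg pubkey > publickey
# The DuckDNS token is the one shown on your DuckDNS account page.

DUCK_DOMAIN=myhome
WG_PORT=51820

# DuckDNS update URL. An empty ip= makes DuckDNS record the address the request
# arrived from, i.e. the router's public IP after NAT. Hitting this from cron
# every few minutes is the entire dynamic-DNS client.
duck_update_url() {  # $1 = subdomain, $2 = token
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=' "$1" "$2"
}

# crontab line for the Pi (crontab -e): poll every five minutes, keep the reply.
duck_cron_line() {  # $1 = token
    printf '*/5 * * * * curl -fsS "%s" > /var/log/duckdns.log 2>&1\n' \
        "$(duck_update_url "$DUCK_DOMAIN" "$1")"
}

# /etc/wireguard/wg0.conf on the Pi. PostUp enables forwarding and masquerades
# tunnel traffic out of eth0, so LAN devices answer the Pi instead of an
# address they have no route for.
pi_wg0_conf() {  # $1 = Pi private key, $2 = phone public key
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1; nft add table ip wgnat; nft add chain ip wgnat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule ip wgnat postrouting ip saddr 10.8.0.0/24 oifname "eth0" masquerade
PostDown = nft delete table ip wgnat

[Peer]
# phone
PublicKey = $2
AllowedIPs = 10.8.0.3/32
EOF
}

# Phone-side config. "split" sends only tunnel and home-LAN traffic through the
# Pi and leaves the rest of the phone's traffic alone; "full" sends everything,
# and the ::/0 entry is what keeps IPv6 from bypassing the tunnel, because
# WireGuard routes only what AllowedIPs lists.
phone_conf() {  # $1 = phone private key, $2 = Pi public key, $3 = split|full
    case $3 in
        split) allowed="10.8.0.0/24, 192.168.0.0/24" ;;
        full)  allowed="0.0.0.0/0, ::/0" ;;
        *)     echo "mode must be split or full" >&2; return 2 ;;
    esac
    cat <<EOF
[Interface]
Address = 10.8.0.3/32
PrivateKey = $1
# resolve through the Pi's tunnel address (where Pi-hole would listen);
# drop this line if no resolver runs there
DNS = 10.8.0.1

[Peer]
PublicKey = $2
Endpoint = $DUCK_DOMAIN.duckdns.org:$WG_PORT
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Register a new phone on the running tunnel without restarting it, then persist.
pi_add_peer_cmd() {  # $1 = phone public key
    printf 'wg set wg0 peer %s allowed-ips 10.8.0.3/32 && wg-quick save wg0\n' "$1"
}
```

Bring the Pi side up with `wg-quick up wg0` and enable `wg-quick@wg0` so it survives reboots; the phone imports its config (a QR code from `qrencode -t ansiutf8 < phone.conf` works with the mobile apps). Whether the phone's DNS line and the split-mode LAN entry do anything useful depends on what actually listens on the Pi, which is why both are called out in the comments.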

I was talking about for filling this out I imagine I’d go with cloudflare since while cloudflare isn’t my registrar I have DNS stuff set up with them from previous tutorials.

Oh, no wonder! I suppose yes. I have no idea how Pi-VPN works, all I know is that it uses OpenVPN and that’s about it. :)

In case that goes wrong, there are 2 guides on this forum on how to set up wireguard if you are interested, one by PLL, one by Wendell.

No idea if Cloudflare will be able to resolve your domain name to the public IP address of your router though, as I also have no idea how their DNS works (I mean, you can add manual entries there, but if your IP changes, then you need to change it manually for your domain to work again).

Yeah, I’ve not really got a good idea of what the whole thing is for domain name to public IP of the router and what not. I know I was able to reserve a value for the Raspberry Pi but not more than that.

Maybe I should start reading the Computer Networking, A Top-Down Approach textbook I never touched from Uni. Though, this is also part of why I talked about just trying to start from scratch maybe being easier.