Small VPN-Intranet Forum suggestions for a dozen elderly family members

Hi,

from the perspective of a normie I’d like to ask if the following is something that can be done realistically without (much) headache:

Quarantine lockdowns have pushed about a dozen elderly family members that had previously been mostly technology-abstinent to crank engagement to 110 %, mostly with messenger apps.

Now they mostly share stuff among each other (standard stuff like garden photography or watching recordings of the family’s younglings playing).

My primary issue is that they quite regularly make tiny big mistakes with the selection of a message’s recipient and send very personal/private stuff to non-family or “third-party” contacts…

My secondary issue is that the amount of data clogs up their devices at home. Compared to them I have basically unlimited storage and backup possibilities, so I’d like to store everything centrally so if one of the seniors’ devices breaks they don’t have to fear that they lost stuff.

Long story short, I’d like to host a small forum at home that is only reachable via VPN since these guys are prime targets for spam bots.

  • I have a “full” dual stack internet connection with a changing public IPv4 and IPv6 address

  • My router has an option to send an email containing the new IP addresses if they change;

  • Currently I have a 4750G/64 GB ECC/SATA SSDs with power-loss protection running as my small everyday NAS and HTPC;

  • Since I “need” the APU to work with UHD/HDR properly I’m going with Win 10 as the host OS and VMware Workstation as a Hypervisor;

  • I have an asymmetrical 1000/50 Mbit/s connection, the upload isn’t the greatest but I have zero stability issues;

Can someone paint a rough picture what VMs/steps/forum software I should be looking into to test this project?

I know that self-hosting can be extremely dangerous - this is why I’d like to have it only accessible via VPN in the hope that keeping that VPN configuration “up-to-date” and “secure” is more realistic than having a completely public host.

Since most of the data is so personal I’m also reluctant to use an external service provider/web hosting service for this.

As always I appreciate any constructive input!

Regards,
aBavarian Normie-Pleb

2 Likes

Most modern routers have support for DDNS, so you can configure No-IP on it. Asus has their own DDNS. Some ISPs offer you DDNS directly on your connection, you may enable it via their website.

I suggest you don’t host services on your HTPC and inside VMware. You may want to reboot your HTPC from time to time, or power it off altogether (windows is a b****). The NAS is very beefy as it is, you should probably have a separate HTPC (lower-powered), maybe something like a NUC with the better Iris graphics, or a small build with a cheaper APU (like 3200G) and 8 GB of RAM, then use your current HTPC as a virtualization host (where you can host all the services you need for the forum + more, maybe share movies with your family). I recommend Proxmox, but you could use the free tier VMware maybe (I see software that requires license as a liability).

Set up WireGuard in a VM, set a permanent DHCP mapping in your router, port forward your router to your VM for the WireGuard traffic and the VPN server-part is done. On the client side, you can configure static routes and only allow traffic to your network (instead of redirecting all traffic through your home, so you can save some bandwidth).

For the forum stuff, you can use Discourse, like this website (I would say it’s pretty normie friendly). You probably don’t need TLS since everything is in your home intranet, but you could use one just to learn stuff. Not sure if Discourse supports TLS directly, but I always suggest you use a reverse-proxy anyway. You can set up Apache (easier) or nginx as a reverse-proxy, enable TLS, generate a self-signed certificate, configure the vhost to point to it and redirect traffic from http to https and you’re good to go.

1 Like
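The WireGuard part of the reply above, with the client-side "only your network" routing expressed as AllowedIPs, as an added example that is not code from the thread. The forum subnet, VPN subnet, LAN interface name, DDNS name and all key strings are constructed placeholders, marked as such in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: prints a WireGuard server config for the
# VPN VM and a split-tunnel client config for one family member.
# Constructed assumptions: forum subnet 192.168.20.0/24, VPN subnet 10.8.0.0/24,
# the VM's LAN interface is eth0, the DDNS name is home.example.net, UDP 51820.
# Key strings are placeholders; real ones come from: wg genkey | tee priv | wg pubkey
FORUM_NET="192.168.20.0/24"
VPN_NET="10.8.0.0/24"
LAN_IF="eth0"
DDNS_NAME="home.example.net"
WG_PORT=51820

# server_conf SERVER_PRIVKEY [NAME PUBKEY IP]...  ->  /etc/wireguard/wg0.conf on the VM
# Each peer is pinned to a single /32, so a client cannot claim another member's address.
server_conf() {
  printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = %s\nPrivateKey = %s\n' "$WG_PORT" "$1"
  # Forward VPN clients into the LAN and masquerade, so no LAN host needs a route back.
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_NET" "$LAN_IF"
  printf 'PostDown = iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_NET" "$LAN_IF"
  shift
  while [ $# -ge 3 ]; do
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
    shift 3
  done
}

# client_conf CLIENT_PRIVKEY CLIENT_IP SERVER_PUBKEY  ->  config imported into the phone/PC app
# AllowedIPs holds only the VPN and forum subnets: only forum traffic enters the tunnel,
# everything else still leaves through the member's own ISP (the "static routes" above).
client_conf() {
  printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n' "$2" "$1"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s, %s\nPersistentKeepalive = 25\n' \
    "$3" "$DDNS_NAME" "$WG_PORT" "$VPN_NET" "$FORUM_NET"
}

# One client config per member, each with its own key pair; never share one key.
server_conf SERVER_PRIVATE_KEY_PLACEHOLDER \
  grandma GRANDMA_PUBLIC_KEY_PLACEHOLDER 10.8.0.2 \
  uncle   UNCLE_PUBLIC_KEY_PLACEHOLDER   10.8.0.3
echo "--- client config for grandma ---"
client_conf GRANDMA_PRIVATE_KEY_PLACEHOLDER 10.8.0.2 SERVER_PUBLIC_KEY_PLACEHOLDER
```

The only port the router forwards is UDP 51820 to the VM's fixed DHCP address; the forum itself never gets a port forward.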

Thank you for the first guidance!

Forgot to mention, the HTPC is already being used for plebeian VMware Workstation homelab stuff, hence the 8-core SKU and the 64 GB of memory.

(And I have the slight shimmer of hope of somehow getting UHD 120 Hz without chroma subsampling out of the APU to a TV so Intel is currently out)

Back to the main topic:

I’d like to check the list of every “good-practice” security/encryption stuff to be as safe as possible and to learn these “for life” - basically so that you can say “The only idiotic thing is running it in VMware Workstation on Windows instead of ESXi et al.”.

I don’t know the proper nomenclature yet so I hope I’ll not write stupid stuff.

There’s a lot of “good practice” stuff to explain, but that would take a long time. For short, you should have separate VLANs for the stuff you serve “outside” and your inside stuff. Usually this is done via a DMZ, but as you probably don’t have 2 firewalls (and that would be too much for a home user), you can just make a separate VLAN and restrict all access to your main LAN, but allow your LAN to access the “DMZ” (not a DMZ, just a different, more restricted subnet). I know how to do it in Proxmox and libvirt, I have no idea how to do it in VMware.

Another good practice is to keep everything up to date, especially the stuff facing the internet (in your case, that would be the WireGuard VM with both WireGuard and the OS it is running on, plus the host OS of the VM). Since you are only going to port forward the WireGuard port, you shouldn’t worry too much about other stuff (like the above mentioned TLS on Discourse). There is lots of good-practice stuff I could tell a business about how to run their networks, but this is not the place. You could encrypt the drives / RAID volume that you are running stuff from; I doubt your threat model needs such measures, but it’s a good thing to do anyway (like, to prevent official or unofficial burglars from seeing your or your family’s nudes).

There is “nothing wrong” (stretching the meaning of the words a little) with running services on Windows on VMware Workstation, but I think that is just making your life harder and your services inefficient. You can test for starters, but then you need to make bridges on your PC to your local network (all type 2 hypervisors usually make separate networks for each VM by default, putting them behind a NAT with your server’s IP being the main gateway). Also, you can’t really control your traffic on a per-network basis, you would have to set firewall rules individually on each VM (technically, that is more secure, but it is more prone to mistakes and to losing track of your rules). There is a place for Type 2 Hypervisors, but IMO hosting services isn’t one of them.

As for encryption on the internet side, WireGuard will take care of it and you don’t have to worry about it.

1 Like
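The restricted-VLAN rules the reply above describes (LAN may reach the "DMZ", the "DMZ" never initiates into the LAN), written out as an nftables ruleset for a Linux router; this is an added example, not code from the thread. The interface names, subnets and forum host address are constructed assumptions, and the WireGuard tunnel is assumed to terminate on the same box so VPN members can be limited to the forum host alone.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset for the "not quite a DMZ"
# restricted VLAN. Constructed assumptions: a Linux box routes between the LAN
# (lan0, 192.168.1.0/24), the forum VLAN (dmz0, 192.168.20.0/24), the WireGuard
# tunnel (wg0, 10.8.0.0/24) and the internet (wan0); the forum host is 192.168.20.10.
dmz_ruleset() {
  cat <<'EOF'
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to connections the LAN or VPN opened come back; nothing else crosses.
    ct state established,related accept
    ct state invalid drop

    # LAN may manage everything in the restricted VLAN.
    iifname "lan0" oifname "dmz0" accept

    # VPN members reach only the forum host, and only its HTTPS port.
    iifname "wg0" oifname "dmz0" ip daddr 192.168.20.10 tcp dport 443 accept

    # The VLAN may fetch updates (DNS/HTTP/HTTPS only); anything else is dropped.
    iifname "dmz0" oifname "wan0" udp dport 53 accept
    iifname "dmz0" oifname "wan0" tcp dport { 53, 80, 443 } accept

    # Explicit and logged: the VLAN never initiates into the LAN or the VPN.
    iifname "dmz0" oifname { "lan0", "wg0" } log prefix "dmz-egress-denied " drop
  }
}
EOF
}

# Usage on the router VM: dmz_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
# Check syntax first without applying anything:  dmz_ruleset | nft -c -f -
dmz_ruleset
```

The logged "dmz-egress-denied" lines are worth watching: a forum host that suddenly tries to open connections into the LAN is the signal you built the VLAN to catch.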

I’ve been thinking of simpler alternatives to VPN for the elders, I’m kind of wondering, what if OP used HTTPS with just HTTP basic auth enforced by nginx in front of Discourse, so that it applies to everything in the domain.

It’d certainly make client side setup easier - as browsers typically cache this forever.

Does Discourse support some type of external / frontend auth where a webserver like nginx can just pass in the logged in username in a header? (specifically not SSO, just e.g. an X-Discourse-User or something like that - for simplicity).

1 Like
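The nginx front end from the earlier reply (reverse proxy, self-signed TLS, HTTP to HTTPS redirect) combined with the basic-auth gate and username header proposed in the post above, as an added example that is not code from the thread. The Discourse port, hostname, file paths and the X-Discourse-User header name are assumptions, and whether Discourse actually consumes that header is the open question of the post, not something this example settles.

```shell
#!/bin/sh
# Added example, not from the thread: prints an nginx site config that does the
# reverse-proxy + TLS + http->https redirect from the earlier reply and the basic-auth
# gate from this one. Constructed assumptions: Discourse listens on 127.0.0.1:8080,
# the name is forum.home, cert/key/htpasswd live under /etc/nginx. Whether Discourse
# honours the X-Discourse-User header is the open question above; nginx can set it.
nginx_site_conf() {
  cat <<'EOF'
server {
    listen 80;
    server_name forum.home;
    return 301 https://$host$request_uri;   # plain HTTP only ever redirects
}

server {
    listen 443 ssl;
    server_name forum.home;
    ssl_certificate     /etc/nginx/forum.crt;
    ssl_certificate_key /etc/nginx/forum.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # One shared gate for every path; browsers remember the credentials.
    auth_basic           "Family forum";
    auth_basic_user_file /etc/nginx/forum.htpasswd;

    client_max_body_size 100m;   # the family's videos

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # Discourse must see it was HTTPS
        # Set (not appended): a client-supplied X-Discourse-User is replaced,
        # so only the name nginx actually authenticated reaches the backend.
        proxy_set_header X-Discourse-User  $remote_user;
    }
}
EOF
}

# Setup once on the host (self-signed cert, one htpasswd line per member):
#   openssl req -x509 -newkey rsa:4096 -nodes -days 825 -subj "/CN=forum.home" \
#     -keyout /etc/nginx/forum.key -out /etc/nginx/forum.crt
#   printf 'grandma:%s\n' "$(openssl passwd -apr1)" >> /etc/nginx/forum.htpasswd
#   nginx_site_conf > /etc/nginx/sites-available/forum && nginx -t && systemctl reload nginx
nginx_site_conf
```

Basic auth credentials ride inside the TLS session, so the redirect on port 80 matters: it keeps a mistyped http:// URL from ever carrying the password in clear.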

Thanks again for your feedback!

I understand that a type-2 hypervisor is about as efficient as Ryan’s Toyota Prius but even though I have no experience hosting web services yet I think handling the (VPN) traffic and processing needs for the dozen users doesn’t bring the APU to its knees.

Since the amount of active users is more likely to shrink than grow (cough) I don’t have to worry about scalability.

If helpful for planning:

The HTPC’s motherboard has two Intel I211 NICs and I’m getting a manageable MikroTik switch for the living room devices soon, the central router is also connected to a larger MikroTik switch (CRS326-24S+2Q+RM) that can be used with their easier Switch OS or more complex Router OS.

VMs in VMware Workstation can use VLAN and you can build virtual switches and their performance is only limited by the oomph of the host computer.

It’s a dozen users, maybe 2 people concurrently.

How about running off of a potato? By potato I mean something like a cheap quad-core 64-bit ARM w/ 2 GB RAM. EU distributor link + small NVMe (over USB 3/UASP) for database and photos that you can LUKS encrypt.

Either way, you should probably develop everything on a VM in your workstation first and take notes, before repeating it for a prod environment.

The mechanics of deployments onto any Linux are easy once you figure out what you want to deploy first.

2 Likes