Hi, Mastodon. I'm looking for some help with #selfhosted #homelab stuff; a jumping-off point for me to research from.

I keep hearing that it's a big security no-no to just forward ports to the relevant servers, but I don't really comprehend why; I used to port forward for game servers all the time. Can anyone scare me straight?

1/2

And how would I best get a domain to point to my own stuff safely so that I might have jellyfin.my.domain and matrix.my.domain, etc. for anything I want to host? Tailscale is frequently recommended, but it would be too big of a hurdle for my friend group to get on a server for a Discord replacement, and I understand services like Cloudflare don't want me to use their services to access Jellyfin.

2/2

@ampersandrew For convenient subdomains there are a couple good options that aren't terribly difficult.
A VPS + tunnel is probably best - you get a cheap VPS, point your DNS at it, and connect the VPS back to your home server via a tunnel - Tailscale is an easy one. Your home IP is never public and friends just get a nice URL, no Tailscale on their end.
@ampersandrew
Or alternatively, a Tailscale FUNNEL is even easier, though less flexible. You put Tailscale on your PC, then open a funnel to the tailnet that looks like pcname.mynet.ts.net. (Friends don't need Tailscale.) You're relying on Tailscale's servers as the relay, but you're no longer discoverable on the open web at least!
@Andrew Excellent. Thanks! In what way is a Tailscale funnel less flexible? And I'm guessing that there are a number of VPS providers I should look into? Will any of them come with bandwidth limits or other gotchas to look out for?
@ampersandrew nah, the bandwidth limits are generally huge. I use Contabo, though I hear Hetzner recommended a lot. I think a Tailscale funnel only gives you like 3 specific ports and it can be harder to pair with a personal domain if you wanted that.
@Andrew Thanks! I've got some homework to do, for sure, but this shrinks the possibility space down to something considerably more manageable.

@ampersandrew @Andrew This is exactly what I run — have for ~10 years now.

Cheap VPS running a reverse tunnel, home server runs Traefik + Docker. No open ports on the home box, it connects out to the VPS, VPS forwards traffic back. Subdomains are just DNS records + Traefik routing rules.

On port forwarding: Exposing Jellyfin/Nextcloud means auth endpoints, databases, file systems. One CVE and your whole home network is reachable. With a tunnel, your home IP is never exposed and the attack surface is just the VPS.

For the tunnel piece, rathole and frp are both solid lightweight options — just a binary on each end, config file, done. I'd avoid jumping straight to something like ngrok — it's great software but way more complexity than you need for this, and the free tier has limitations that'll frustrate you for self-hosting.

It's a bit of upfront work but once it's running it's very low maintenance. Happy to answer questions if you go this route.
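Here is what the "binary on each end, config file, done" setup looks like with rathole, as an added example rather than the poster's own config: the home box dials out to the VPS, and the VPS is the only machine with public ports. The VPS hostname, tokens and noise keys are placeholders; port 2333 is rathole's documented default for the control channel.

```toml
# === server.toml: runs on the VPS (the only host with a public IP) ===
[server]
# Control channel the home box dials OUT to. Open only this port plus
# 80/443 on the VPS firewall; nothing is forwarded on the home router.
bind_addr = "0.0.0.0:2333"

[server.transport]
# Encrypt the tunnel so the service tokens never cross the internet in cleartext.
type = "noise"
[server.transport.noise]
local_private_key = "<output of `rathole --genkey` on the VPS>"   # placeholder

[server.services.https]
token = "<long random token, placeholder>"
# Public entry point; rathole hands the raw TLS stream through to Traefik at home.
bind_addr = "0.0.0.0:443"

[server.services.http]
token = "<long random token, placeholder>"
bind_addr = "0.0.0.0:80"   # only so Traefik can redirect to HTTPS / answer ACME

# === client.toml: runs on the home server next to Traefik + Docker ===
[client]
# Outbound connection to the VPS; the home IP is never advertised anywhere.
remote_addr = "vps.example.com:2333"   # placeholder hostname

[client.transport]
type = "noise"
[client.transport.noise]
remote_public_key = "<public key matching the VPS private key>"   # placeholder

[client.services.https]
token = "<same token as server.services.https>"
# Traefik listens on 443 on the home box; 127.0.0.1 keeps it off the LAN too.
local_addr = "127.0.0.1:443"

[client.services.http]
token = "<same token as server.services.http>"
local_addr = "127.0.0.1:80"
```

DNS is then just A/AAAA records for jellyfin.my.domain and matrix.my.domain pointing at the VPS, with Traefik Host() rules picking the container. One caveat: because this is a plain TCP tunnel, Traefik sees every visitor as 127.0.0.1, so per-IP rate limits or fail2ban have to live on the VPS rather than the home box.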

@ampersandrew Port forwarding puts your computer directly on the open internet for everyone to see. With Jellyfin or Matrix, a vulnerability or weak password could mean someone gets your media, credentials, or even into your network. In my experience, anything on the open web gets RELENTLESSLY probed for openings. There's always someone somewhere in the world scanning huge ranges of IPs in search of something vulnerable they can exploit.
@Andrew Aren't I always on the open internet for everyone to see? Isn't my IP address logged in countless places every day? I'm not trying to be argumentative, since everyone seems pretty unified in this being a bad idea, but it still hasn't clicked yet as to why.
@ampersandrew
Sure, but websites passively logging you as a passerby is very different than setting up shop with a billboard on top inviting everyone to look for openings or vulnerabilities.
@Andrew Fair enough. I guess self hosting video game servers is far less common these days, but does this same problem exist in that space too? Is a forwarded port only a problem if the server it's pointed to is running? In other words, if I forwarded port 12345 to a computer hosting Shoot Stuff 3, but the server binary isn't currently running, is that a security problem at that moment? What if the port is forwarded but the computer itself isn't on, and only my router is?
@ampersandrew that's a fair point - if it's not online then there's no risk at that moment. I'd still be worried that it gets probed and logged quickly when you're online, and then if a vulnerability with your setup is ever publicized then you're a sitting duck next time you go online. I imagine it's low risk if you keep everything updated, but I don't really want to test it!