Non local Access to Self hosted Services - uthomelabs/guides GitHub Wiki
For some of the things you may be self-hosting, you might want or need to expose them to the Internet so that you can access them remotely when you're not connected to your home network. Examples include services like Home Assistant and Bitwarden.
In order for your service to be accessible, you need some form of public IP that can be reached over the Internet and that either terminates at your service or proxies access to it.
Service access options
There are a number of ways you might go about exposing your services such as:
- Port forwarding: Mapping a port on your router to an internal host/port on your network, and either paying for a static IP from your ISP or maintaining a dynamic DNS updater so that you can at least map a domain to your IP.
- Hosting on a cloud provider: This avoids the restrictions you typically run into with services hosted on your own internal network and usually gives you a static IP, but it means you have to maintain a server that must be properly firewalled, updated and managed more rigorously since it is exposed to the public, and that has a cost associated with it.
- Reverse proxy: You could run an internal reverse proxy (and forward ports on your router to it), or some routers offer a more convenient way to expose services through a reverse proxy hosted on the router itself, combined with a domain mapped to dynamic DNS or a static IP for your connection.
- Self-managed tunnel: For example, a WireGuard tunnel that you manage, connecting an internal server running your services to a public server (possibly cloud hosted), in order to limit what can be reached and remove the need for a public static IP.
- Hosted tunnels: A number of providers can configure a tunnel that exposes your service to the public Internet, with varying degrees of functionality, security, etc.
- VPN access only: Whether it is a VPN you configured yourself or something like Twingate, you can access your internal services in a much more secure way. The main trade-off is that it won't work for anyone who can't use your VPN, or for things that need to integrate via a public URL (e.g. external Home Assistant integrations).
Security
There are many pros and cons to each of the above options, but one of the largest concerns is security: avoiding the possibility of your service(s) being exploited and an attacker gaining access either to sensitive data within the service itself or, by pivoting, to additional systems and services on your internal network.
To secure your service(s) while still allowing public access, you may want to restrict network access as much as possible, make sure you have some form of decent authentication, use a WAF if possible to guard against common attack patterns, put something in place for automated detection and response, keep audit logs, etc. That can be a pretty tall order for a beginning homelabber or for people who just don't have the time to set all of that up. Luckily, there are some options that simplify the whole process!
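As an added example (not from the uthomelabs guides) of the self-managed tunnel option combined with the "restrict network access as much as possible" advice above: a WireGuard peer pair in which the public server only forwards TCP/443 over the tunnel to the home host, and the home host only accepts tunnel traffic from the public server's own tunnel address. The hostname `vps.example.com`, the `10.66.0.0/24` tunnel range and the public interface name `eth0` are assumptions; the keys are placeholders to be generated with `wg genkey` / `wg pubkey`.

```ini
# --- Public server (VPS): /etc/wireguard/wg0.conf ---
# Assumes net.ipv4.ip_forward=1 and that the public NIC is eth0 (assumption).
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
# Expose only TCP/443 from the Internet, rewrite it to the home host over the tunnel,
# allow the matching replies back, and drop anything else headed into the tunnel.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.66.0.2:443
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.66.0.2 --dport 443 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j DROP
# Source-NAT so the home host replies back through the tunnel instead of its own default route.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.66.0.2:443
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -d 10.66.0.2 --dport 443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j DROP
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

# Home server peer. A single /32 means the VPS will only send (and accept) this one address via the tunnel.
[Peer]
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.66.0.2/32

# --- Home server: /etc/wireguard/wg0.conf ---
# No ListenPort: the home side only dials out, so nothing has to be port-forwarded on the home router.
[Interface]
Address = 10.66.0.2/24
PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>

# Only the VPS's tunnel address is allowed. WireGuard's cryptokey routing drops any packet from this
# peer with another destination or source, so a compromised VPS cannot use the tunnel to reach the
# rest of the home LAN.
[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.com:51820
AllowedIPs = 10.66.0.1/32
# Keeps the NAT mapping on the home router open so the VPS can always reach the home peer.
PersistentKeepalive = 25
```

Because of the MASQUERADE rule the home service sees every client as `10.66.0.1`; if you need real client addresses for audit logging, run the reverse proxy on the VPS and have it forward over the tunnel instead of using DNAT.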
Applicable guides
Some of the easiest ways to get started are documented in this wiki. Here are a couple of links to some good options: