Teleport is a good alternative
Before this post gets blasted with "just use a VPN": yes, I already have WireGuard up and running, but trying to get family members who are technology illiterate set up with a VPN is a nightmare.
I mean, the reasons to do this cannot be understated. A VPN literally accomplishes the security and exposure issues.
It's your network though. You can feel free to expose your ports and services to the entire internet and take the risk of zero day attacks, brute force, and credential leaks. Knowing that your family is illiterate, it sounds like they may not use best cyber security practices with your services...
So, that leaves it on you. You can either support it on the front end with a proper VPN like Wireguard, or support it on the back end with IDS, honeypots, advanced threat management, constant monitoring, mitigation, patch management, backup and restores, isolation, etc.
There are no shortcuts to proper security and exposure management. You can also pay someone, or a company, to do this for you.
Yes, the reason why I said that is because I know what a VPN is and I know why it's secure, but I am asking for a different solution to the same problem. I am looking for different options and I know one option is a VPN, so it doesn't help me to find a solution when the only answers are "just use a VPN".
Thank you for the couple of keywords. I will start my research there.
You can either support it on the front end with a proper VPN like Wireguard, or support it on the back end with IDS, honeypots, advanced threat management, constant monitoring, mitigation, patch management, backup and restores, isolation, etc.
Isn’t there a middle ground with something like Cloudflare Tunnels or Tailscale Funnel? Those still expose your services to the internet outside of a VPN, but they require a lot less maintenance than you described.
I used to use Nginx Proxy Manager for exposing services but generally you end up exposing the login page for that particular app and you have a different login per app which is a pretty shitty solution for non-IT folk. I've tried to set up Authelia and other similar things and found them to be very annoying to set up / configure. Maybe I'm just an idiot though!
I would suggest having a think about what you want to expose and whether there's a better way (e.g. Overseerr instead of exposing Radarr/Sonarr).
Cloudflare Tunnels are also great - they obfuscate your public IP and can have a login form in front of them. You provide a list of email addresses that can log in to Cloudflare and only those users can access the website. I have mine set up to auth through Google accounts for example but you can use GitHub, office and I believe Discord. Not managing user accounts has been a life saver for me... You can also block access from outside of your country.
People are not getting the risks of exposing services correctly. Think about it again. Even if you lock everything behind password protection, if the password is weak, it is still not any better than no protection. The chain is only as strong as the weakest link. Your tech-illiterate family members may very likely set up something like 88888888, and then they are effectively making the entire server naked. It is best to use device-specific authentication apps like WireGuard. If they can't even use such an app, then only expose apps that support WebAuthn (or OIDC, and set up an OIDC provider that supports WebAuthn or nopass), where they can use the fingerprint readers on their phones to log in.