Hi,

I an currently trying to add remote access to 2 of my servers but didn’t manage to get a working setup as is.

Right now I want to access 2 servers:

  • one is for media stuff (navidrome, jellyfin, managing the arr stack)
  • one is for my data syncing with rsync and after set a backup from borg to another server not on my domain

I was trying at some point to add stuff such as tailscale, but somehow I always had issues with having both servers reachable within the IP range I use on my local network, so everything would work as is with the current config at home being away. I have also heard of cloudflare tunnels as well, but that I didn’t try yet. At some point I tried to do just a regular wireguard from my opnsense, but I would prefer not to have open ports to worry about (and also had issues with internal IP not being assigned from wireguard as well).

Does anyone here has experience with this? If so, what was your solution and/or caviats to it?

EDIT: I got some very good responses but I think I failed to understand that what I would need is probably a hop in server of sorts for the VPN. Meaning:

  • I login to the hop server
  • I get an internal IP for my network, meaning, 192.168.1.xxx
  • I do whatever I need to do
  • log out

Does anyone has experience with such solution? My point would be able to have full access to everything on the network without having to do a VPN on every machine i need access to (although it can create a massive single point of failure/risk)

  • Atlas_@lemmy.worldEnglish
    1·
    4 hours ago

    If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.

    If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.

    Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.

  • spaghettiwestern@sh.itjust.worksEnglish
    3·
    6 hours ago

    I think you’re overthinking it. Wireguard is considered the “gold standard” and an excellent solution for what you’re trying to do. Open ports can be a concern, but an open Wireguard port is completely silent when not in use and does not respond unless it receives the correct access keys. That makes it invisible to port scanners.

    Wireguard on my OpenWRT router works flawlessly. If the router is working the WG endpoint is too, and there are no 3rd parties involved. Tailscale provides much the same thing, but as I understand it requires the involvement of multiple 3rd party services. I’ve been burned too many times by terms of service changes and security breaches so I wanted to avoid relying on any corporate entities wherever possible.

    Tasker brings up the tunnel on my phone automatically whenever I’m not connected to my home wifi and drops it when I get back home, so my home servers are always available. My biggest problem when not at home is Verizon’s crappy mobile network.

    IMO it’s worth the effort to properly configure Wireguard and get your servers working. Once you get it set up you probably won’t have to touch it for years.

    • ZeDoTelhado@lemmy.worldOPEnglish
      1·
      5 hours ago

      I get what you’re saying, but how exactly the whole IP rotation is done in your case? How did you manage to have it accessible at all times even when your home IP changes? In my home I actually have ipv6 which I am not sure if it does not make things more difficult

      • spaghettiwestern@sh.itjust.worksEnglish
        2·
        4 hours ago

        DDNS (Dynamic DNS), one 3rd party service I do use.

        My network is reached by URL, not IP (although IP still works). When my IP changes the router updates the DDNS service in minutes. Lots of providers out there and it’s easy to switch if needed. I like DuckDNS. It’s free or you can choose to donate a bit to cover their expenses.

  • GreenKnight23@lemmy.worldEnglish
    5·
    11 hours ago

    “how do I add remote access to my servers?”

    don’t.

    create a new server that’s accessible via VPN and then access your servers from there. then actively log all connections from that device and alert anytime someone or something connects to it.

    what is more secure? a house with twenty front doors or a house with one front door and an alarm on it.

    • ZeDoTelhado@lemmy.worldOPEnglish
      2·
      11 hours ago

      If you check my edit that is kind of what I was hoping to do from the start: have a hop server (or stepping stone, both terms apply), and from there I do what I need to do

  • Paragone@lemmy.worldEnglish
    02·
    7 hours ago

    Give it a robot that can read your handwriting, & write snail-mail lettres to it?

    d :

    _ /\ _

  • captcha_incorrect@lemmy.worldEnglish
    3·
    13 hours ago

    Do you want to expose port 80/443 and set up a reverse proxy or do you want to use a VPN tunnel? You could just use SSH to port 80 and 443 like so: ssh -L 80:<local-server-ip>:80 -L 443:<local-server-ip>:443 <username>@<domain>

    I expose port 80/443 and use Caddy as a reverse proxy together with Authelia to protect anything that I deem needs an extra layer of security. I followed this guide: https://caddy.community/t/securing-web-apps-with-caddy-and-authelia-in-docker-compose-an-opinionated-practical-and-minimal-production-ready-login-portal-guide/20465

    Once setup, it is easy to remove or add a backend to Caddy and Authelia. This way does mean that you sometimes need to log in twice, but that is a small price to pay if your backend app does not support SSO (like n8n community edition).

  • pHr34kY@lemmy.worldEnglish
    11·
    10 hours ago

    Just expose it on single-stack IPv6. Nobody ever knocks. The address space is not scannable.