An excerpt from the Wireguard Whitepaper:

One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state.

After opening an SSH port and watching the number of attacks I understand the concern about opening any port on a router, but it seems the worry about opening a port for WG is way overblown.

As of now I can find zero reports of a properly configured open WG port ever being successfully used by attackers to access a network.

Anyone have better/more recent info?

Technology websites should just add a top level menu - “Google Abandoned”

Avoid Roku devices. Roku had an OK remote and decent UI, but the company has thoroughly enshittified it and turned it into an “advertising everywhere all the time” platform. There is a Jellyfin app that works well though.

DDNS (Dynamic DNS), one 3rd party service I do use.

My network is reached by URL, not IP (although IP still works). When my IP changes the router updates the DDNS service in minutes. Lots of providers out there and it’s easy to switch if needed. I like DuckDNS. It’s free or you can choose to donate a bit to cover their expenses.

I think you’re overthinking it. Wireguard is considered the “gold standard” and an excellent solution for what you’re trying to do. Open ports can be a concern, but an open Wireguard port is completely silent when not in use and does not respond unless it receives the correct access keys. That makes it invisible to port scanners.

Wireguard on my OpenWRT router works flawlessly. If the router is working the WG endpoint is too, and there are no 3rd parties involved. Tailscale provides much the same thing, but as I understand it requires the involvement of multiple 3rd party services. I’ve been burned too many times by terms of service changes and security breaches so I wanted to avoid relying on any corporate entities wherever possible.

Tasker brings up the tunnel on my phone automatically whenever I’m not connected to my home wifi and drops it when I get back home, so my home servers are always available. My biggest problem when not at home is Verizon’s crappy mobile network.

IMO it’s worth the effort to properly configure Wireguard and get your servers working. Once you get it set up you probably won’t have to touch it for years.

Nomachine with local & Wireguard access only.

I think Anydesk can be trusted as much as any company. They did notify users when a breach occurred a couple of years ago. By contrast Teamviewer was hacked and blamed their customer’s “password reuse” for years before finally admitting they had a breach. The company cannot be trusted.

I use Anydesk occasionally to help friends but never leave it running if it’s not actively in use.

I’m no security expert and my biggest concern with self-hosting is making a configuration error in the OS or some app, or missing a critical update that allows someone access to my personal data. In order to reduce the attack surface and management requirements my network can only be accessed through Wireguard. The random open WG ports do not respond to unauthenticated packets, so someone would have to have access to my configurations to be able to get past my firewall, at least in the absence of some yet unknown vulnerability. Of course that won’t prevent mistakes being made on PCs (especially Windows) but it’s one less thing to worry about.

Wireguard clients on our PCs and phones make connecting and accessing media and files a breeze. There are no third parties involved so enshittification by some company’s security breach or sudden monthly fee isn’t going to happen.

I have a Bosgame mini-PC that is completely inaudible unless you get close to it. Power draw is <15 watts under light load meaning that even with the high electricity rates where I live it costs less than $3.50 a month to operate. I’ve avoided hard drives because I don’t want to listen to them whine, so no comment there. Two simultaneous 1080p Jellyfin streams increase CPU utilization by less than a percent and it still is under 5% with a couple of other Docker containers running.

Good luck setting everything up to your liking.

Reddit has paid shills, vigilante company employees, and customers who believe their chosen corporation is a gift from god. The mobile carrier and phone subs are the worst.

TMO has had IPV6 implemented for mobile devices for years. There’s no way they only implemented IPV4 on a home/business service that uses the same network and the same towers.

Does their current equipment (and yours) support IPV6? If so CGNAT won’t be involved.

Google Safe Browsing looks to be have been built without consideration for open-source or self-hosted software.

IMO Google Save Browsing was built with consideration for open-source and self-hosted software, but it has nothing to do with user safety, just like blocking Android apps from 3rd party sites has nothing to do with user safety. The harder they make it to move away from their products by making using alternatives difficult, the more money they make and money is now the only objective. Even if this only adds a fraction of a fraction of a percent to their profit it’s something Google will implement.

The old social contract of businesses being of benefit to the community as a whole in addition to making a profit is long gone.

I had something similar happen with Google a few years ago. Even though I had my password and access to my email they decided I was trying to hack my own account and locked me out. Like you I immediately started to look for other solutions.

Syncthing file sharing is really easy to install and use. There are no ports to configure on your router and everything is encrypted in transit. I have my phone’s DCIM directory set up to sync to my home server and PC so new photos are backed up and available everywhere in a few seconds. I installed Syncthing intending to move to another solution eventually, but it works so well (aside from one or two files that occasionally don’t sync) that I’ve just stuck with it.

For passwords Keepass & KeepassXC work really well on just about every platform. I share the password file using Syncthing and in years of doing this I’ve never had a problem that I didn’t cause myself and those were minor.

You can get both of these up and running with very little effort and quickly limit your reliance on Google, then move to other solutions if you find they’d work better for you.

Sounds like my laptop will be plenty fast for some time to come.

This platform doesn’t use much power to begin with, but I do run TLP using a battery profile despite the fact it’s always plugged in. My intent is to lower the power consumption a bit further and extend battery run time if the power fails. There’s no noticeable impact on application performance. If you’re running Linux maybe it will work on your hardware.

Tangential question: What kind of server apps require that kind of processing power? I run a server on an Intel N200 laptop with multiple apps and services and it rarely uses more than 12% CPU and 15 watts. I’m wondering if I’m going to eventually run into something that needs a more powerful platform.

Debian 12, Mint, Pi OS, Windows 11, Android. Works perfectly on all of them.

Also check out Syncthing. I have it running on my Pi5, PCs and my Android phone. The phone’s photos directory and lots of other files are automatically synced to my server and computers. No open firewall port is needed, everything is encrypted in transit and it supports trusted and untrusted hosts. Syncthing supports pretty much any topology, but I’ve found using star topology is easiest to manage.

I self-host various applications and have been really happy with Wireguard. After watching just how hard my firewall gets hammered when I have any detectable open ports I finally shut down everything else. The WG protocol is designed to be as silent as possible and doesn’t respond to remote traffic unless it receives the correct key, and the open WG port is difficult to detect when the firewall is configured correctly.

Everything - SSH, HTTP, VNC and any other protocol it must first go through my WG tunnel and running it on an OpenWRT router instead of a server means if the router is working, WG is working. Using Tasker on Android automatically brings the tunnel up whenever I leave my house and makes everything in my home instantly accessible no matter what I’m doing.

Another thing to consider is there’s no corporation involved with WG use. So many companies have suddenly decided to start charging for “free for personal use” products and services, IMO it has made anything requiring an account worth avoiding.

How about making your murderous, evil company ‘function better’ first.

Good. The idiot flying a drone in an active fire zone could well be responsible for millions in damage that could have otherwise been avoided. Lock him up.

I have a couple of these: https://www.zigbee2mqtt.io/devices/LKWSZ211.html

They’re just OK. Single clicks work just fine, but double clicks have to be done very quickly or they register as single clicks. The button hold function is ridiculous and takes a full 4 seconds before transmitting. I’ve found no way of changing any of the button timings.

These work really well, but they’re single button:

https://www.zigbee2mqtt.io/devices/WXKG13LM.html