I’m in the process of setting up homelab stuff and i’ve been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a vpn or cloudflare tunnel.

I plan to use a VPN for accessing my internal network from outside and to protect less battle tested foss software. But I feel like if I cant open a port to the internet to host a webserver then the internet is no longer a free place and we’re cooked.

So my question is, Can I expose webserver, SSH, WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watchout for.

  • slackness@lemmy.ml
    0·
    24 hours ago

    Can someone clarify this for me: is the below true?

    Even if a port is exposed on a regular residential network (no public IP address), due to NAT, nothing will be able to reach that port unless the application running on that port is trying to reach outside at the same time (for the purpose of NAT traversal)?

    • MangoPenguin@lemmy.blahaj.zoneEnglish
      0·
      19 hours ago

      If a port is forwarded in NAT and an application is listening, outside traffic can reach it directly without the application needing to initiate a connection first.

    • Björn Tantau@swg-empire.de
      0·
      21 hours ago

      The application doesn’t have to actively reach outside, just to listen at that port. If there is no application listening an open port does nothing. Though a port can really only be called open if an application is listening.

      • slackness@lemmy.ml
        0·
        20 hours ago

        I don’t think that applies if you’re NATted? Since you don’t even have a port at the outer layer unless you reach out first.

        • Björn Tantau@swg-empire.de
          0·
          19 hours ago

          That’s the point of port forwarding. Yes, normally applications aren’t reachable and have to reach out first. That’s how your browser can receive answers. With port forwarding you instruct your router to always forward incoming traffic for a specific port to a specific computer in your LAN.

          • slackness@lemmy.ml
            0·
            18 hours ago

            Aah so “opening a port” refers to port forwarding? I’d assumed it only meant allowing traffic through with firewall config.

            • Björn Tantau@swg-empire.de
              0·
              18 hours ago

              In this case it probably means both. Plus the application listening on the other end. In its purest sense opening a port means having an application listen on that port.

    • thecoffeehobbit@sopuli.xyzEnglish
      0·
      23 hours ago

      This post considers the situation where you expose your ports to the internet, on the edge of your residential network, for example by setting your router to forward requests with port 443 to a certain host in your network. In this case you do have a public ip address and the configured port on your home server is now reachable from the internet. This is different from just exposing a port on a machine inside a residential network for local use.