this post was submitted on 13 Oct 2025
209 points (98.2% liked)


Take control of your data, join the tech chat. Host an XMPP server and leverage end-to-end encryption for your personal data

[–] warmaster@lemmy.world 1 points 1 week ago* (last edited 1 week ago) (2 children)

> STUN/TURN is literally designed to bypass network boundaries. Its necessity comes from the evil of NAT and allowing RFC1918 IP addresses behind firewalls to poke holes so that direct P2P connections can be established for VOIP.
>
> By virtue of being technology designed to step around boundaries, you should be wary of controls around this. STUN can be used to relay from the external STUN record to other servers within the same broadcast domain. We'll add some controls here to limit this, but it would behoove you to place this server in an isolated DMZ without connectivity to other, potentially privileged, internal hosts. Never forget network segmentation.

Would a VLAN be enough?
[–] starkzarn@infosec.pub 5 points 1 week ago (1 children)

Yes, absolutely. It all depends on implementation. I am using VLANs for L2 isolation. I have a specific DMZ VLAN that has my XMPP server and only my XMPP server on it. My network core applies ACLs that prevent any inter-VLAN traffic from there, so even if STUN/TURN pokes holes, the most that is accessible is that single VLAN, which happens to contain only the single host that I want to be accessible.

Great question.

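As an added illustration (not from the post, the linked article, or any commenter), one way to express the ACL described above as an nftables forward policy on the router that carries both VLANs. The interface names, VLAN numbers, subnets, the TURN host address and the port numbers are assumed for the example.

```nftables
table inet dmz_policy {
    # Assumed layout (constructed for this example):
    #   vlan10 = DMZ, 10.0.10.0/24, holding only the XMPP/TURN host 10.0.10.5
    #   vlan20 = trusted LAN, 10.0.20.0/24
    #   eth0   = Internet uplink
    define DMZ_IF    = "vlan10"
    define TURN_HOST = 10.0.10.5
    define RFC1918   = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> TURN host: only the published STUN/TURN ports and the
        # relay port range (assumed 49152-65535) are reachable.
        iifname "eth0" oifname $DMZ_IF ip daddr $TURN_HOST \
            udp dport { 3478, 5349, 49152-65535 } accept
        iifname "eth0" oifname $DMZ_IF ip daddr $TURN_HOST \
            tcp dport { 3478, 5349 } accept

        # DMZ -> any private address is dropped and logged. This is the rule
        # that matters: a TURN allocation can relay to an external peer, but
        # never reach the trusted VLAN.
        iifname $DMZ_IF ip daddr $RFC1918 counter \
            log prefix "dmz-to-internal " drop

        # DMZ -> Internet is allowed, since TURN must relay to outside peers.
        iifname $DMZ_IF oifname "eth0" accept

        # Trusted LAN -> XMPP client port only; nothing else in the DMZ.
        iifname "vlan20" oifname $DMZ_IF ip daddr $TURN_HOST \
            tcp dport { 5222, 5223 } accept
    }
}
```

The counter on the drop rule doubles as a detection point: any hit means something in the DMZ tried to reach the internal VLAN, which should never happen on a host that only serves XMPP.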
[–] qwexfle@lemmy.ml 1 points 1 week ago

I'm interested, although I'm not sure I understand. Isn't the point of poking holes to enable clients to connect when obscured by NAT? Does voip still work with this?