this post was submitted on 01 Sep 2025
83 points (90.3% liked)

How to selfhost with a VPN (95.181.238.114:49703)
submitted 1 day ago* (last edited 10 hours ago) by humanoidchaos@lemmy.cif.su to c/selfhosted@lemmy.world
 

These are some quick n' dirty instructions so people can get up and running fast.

I wish I had known this was possible sooner.

Instructions:

Check that your VPN supports port forwarding and you have it enabled.

Grab your VPN's internal IP with ip a

Find the interface for your VPN. For me it's called tun0.

Open up /etc/nginx/nginx.conf

You can back it up, or comment everything out, or pick what's necessary. Here's what my file looks like.

	worker_processes  1;
	include modules.d/*.conf;

	events {
		worker_connections  1024;
	}
	http {
		server {
			listen [VPN INTERNAL IP]:[VPN FORWARDED PORT];
			server_name  localhost;
			location / {
				root '[ABSOLUTE PATH TO YOUR WEBSITE ROOT FOLDER]';
				index index.html; # Relative to your website root.
			}
		}
	}

Make sure your permissions are correct. For me, the 'other' group needs read permissions to the root folder, including where it's mounted.

Start nginx with systemctl start nginx

You can visit your website on your host machine in a browser at [VPN INTERNAL IP]:[VPN FORWARDED PORT]. For me, using the internal IP is required to view the website on my host machine.

To view the website on other machines, you can use [VPN EXTERNAL IP]:[VPN FORWARDED PORT]. The only thing you need to change is the IP address.

I hope this works for you and you are inspired to selfhost and take back power from those who stole it from us.
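The bind described in the post, checked from the shell (an added example that is not part of the original post): an nginx `listen` directive with only a port binds every interface, so this confirms the forwarded port is open on the VPN address and not on a wildcard address. It assumes iproute2's `ip -4 -o addr show` and `ss -ltnH` output formats; the `tun0` address 10.8.0.2 and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iproute2 output formats.

# vpn_ip IFACE: reads `ip -4 -o addr show` output on stdin, prints IFACE's IPv4.
vpn_ip() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# check_bind IP PORT: reads `ss -ltnH` output on stdin, prints one of:
#   ok        IP:PORT is listening and PORT is not open on a wildcard address
#   wildcard  PORT is open on 0.0.0.0, * or [::] (all interfaces, LAN included)
#   missing   nothing is listening on IP:PORT
check_bind() {
    awk -v ip="$1" -v port="$2" '
        {
            la = $4                                   # "Local Address:Port" column
            n = split(la, parts, ":")
            if (parts[n] != port) next
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == ip) found = 1
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
        }
        END { if (wild) print "wildcard"; else if (found) print "ok"; else print "missing" }'
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
5: tun0    inet 10.8.0.2/24 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_SS_GOOD='LISTEN 0 511 10.8.0.2:49703 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0 511 0.0.0.0:49703 0.0.0.0:*
LISTEN 0 511 [::]:49703 [::]:*'

# Live use: sh check.sh --live tun0 49703
if [ "${1:-}" = "--live" ]; then
    ip_addr=$(ip -4 -o addr show | vpn_ip "$2")
    echo "VPN address on $2: ${ip_addr:-none}"
    ss -ltnH | check_bind "$ip_addr" "$3"
fi
```

A `wildcard` result means the site is also served to the local network and any other interface, not only through the VPN tunnel.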

[–] Diurnambule@jlai.lu 2 points 11 hours ago* (last edited 11 hours ago)

I am using wireguard in docker to connect from anywhere to my local network. https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#usage Set the variable INTERNAL_SUBNET to your local IP range. For me it was 192.168.178.0. And set a folder you can reach as its working folder. And you're done setting up the wireguard server.

Need to allow your server to be reachable from the web on the wireguard ports. I guess you know how to since you did for your website.

To add clients (I have Android and Linux) you go fetch the config on your server. If you went for numbered peers it looks like peer4.conf and you use these files to allow clients to connect.

Edit: I misread, you don't ask for help. Nice site by the way.

[–] krnl386@lemmy.ca 5 points 19 hours ago (1 children)
[–] humanoidchaos@lemmy.cif.su 2 points 18 hours ago (1 children)

Sorry, it should be up again now.

I've updated the post with the instructions. I don't really plan on hosting this for a long period of time, at least not in this state.

I hope some people have gotten some use out of it.

[–] krnl386@lemmy.ca 2 points 2 hours ago

No worries! Reminds me of my early days of self-hosting. Got myself banned from my ISP for 48 hours for self-hosting. 😬

Thanks for sharing!

[–] drkt@scribe.disroot.org 72 points 1 day ago (3 children)

I absolutely respect rawdogging your website with just an IP

[–] Flax_vert@feddit.uk 12 points 1 day ago* (last edited 1 day ago)

It's all fun and games until you realise it's your IP...

[–] B0rax@feddit.org 6 points 21 hours ago

Who needs a domain anyway

[–] humanoidchaos@lemmy.cif.su 16 points 1 day ago
[–] Limonene@lemmy.world 11 points 1 day ago (2 children)

Not sure how much you're paying for your VPN, but a virtual private server can be had for about $5 per month. You'll get a real IPv4 address just for you, so you won't have to use non-standard port numbers. (You can also use the VPS as a self-hosted VPN or proxy.)

$5 per month doesn't get you much processing power, but it gets you plenty of bandwidth. You could self-host your server on your home computer, and reverse-proxy through your NAT using the VPS.

I think you can find 1x vCPU VPS with 1gb ram for 1$/month on lowendbox / lowendtalk

[–] possiblylinux127@lemmy.zip 8 points 1 day ago* (last edited 1 day ago) (6 children)

You should set up a proper domain and https for your website instead of having a random IP address and port. Don't visit http pages in 2025. It is a major security risk.

Edit: If you need help setting up https let me know. You will need a domain but they are fairly inexpensive. If it is a matter of technical knowledge let me know as I can help.

[–] Typewar@infosec.pub 2 points 18 hours ago* (last edited 18 hours ago) (2 children)

Is it not possible to set up https for just an ip address with no domain?

I think it’s technically possible, but your IP likely isn’t static, especially if you’re using a VPN. You’d need a new cert every time your IP changed.

[–] possiblylinux127@lemmy.zip -1 points 14 hours ago

Buy a domain

They are pretty cheap especially compared to hardware

[–] null_dot@lemmy.dbzer0.com 29 points 1 day ago (2 children)

LOL. On the scale of risky things I've done today, visiting this guy's http website barely rates a mention.

Someone posts about something they've learned and the best you can do is dump on them about whatever thing in order to demonstrate to everyone your superior knowledge.

Everyone starts somewhere.

[–] possiblylinux127@lemmy.zip 2 points 1 day ago

I'm down to help people get https set up. I'm not trying to dunk but rather I'm trying to make the internet a safer place by reducing attacks and mass surveillance.

[–] EncryptKeeper@lemmy.world 3 points 1 day ago

Let’s be real, this guy has no knowledge. He’s just yet another security parrot who doesn’t even understand the why behind the things they’re regurgitating.

[–] EncryptKeeper@lemmy.world 18 points 1 day ago* (last edited 1 day ago) (11 children)

There’s no security risk viewing this bit of html via http lmao

[–] possiblylinux127@lemmy.zip 4 points 1 day ago* (last edited 1 day ago) (1 children)

How so?

Data sent back isn't validated so someone could tamper with the data. A bad actor could add some arbitrary Javascript plus ISPs have been caught inserting marketing materials into pages.

From a privacy perspective it is also bad as not only does it include your user agent in plain text it doesn't have any encryption on page contents which allows your ISP to snoop on what you are doing.

All of these reasons are why we moved to https. X.509 certs are free and trivial to set up with Caddy or any other reverse proxy/web server. If https was crazy hard to set up I'd be more understanding but it is very easy to do in 2025.

[–] null_dot@lemmy.dbzer0.com 4 points 19 hours ago (1 children)

Do you really think someone is going to set up a MITM attack for the dozen people who visit this blog?

[–] possiblylinux127@lemmy.zip 2 points 14 hours ago (1 children)

No, but governments and ISPs can and have historically done so for all http traffic.

It doesn't matter the page. They just care about http.

[–] missfrizzle@discuss.tchncs.de 4 points 10 hours ago* (last edited 10 hours ago) (1 children)

specifically this is how QUANTUMINSERT worked (from the Snowden leaks.) also China used the same technique, injecting malicious JS through the GFW to get bystanders to DDoS github, in a much more obvious and indiscriminate way.

nobody here is remotely likely to be targeted by NSA, of course, but you can actually do such attacks on a budget if you compromise any router in the chain. combined with a BGP hijack it's not far out of reach for even a ransomware gang to pull something like that these days.

[–] possiblylinux127@lemmy.zip 1 points 4 hours ago

To add to this, a whole lot of places have been compromised in the Salt Typhoon attacks. China has compromised infrastructure all over the place including ISP hardware.

[–] humanoidchaos@lemmy.cif.su 14 points 1 day ago (14 children)

Thanks.

It's my understanding that https provides encryption for the data sent between you and the server. If you're not sending any sensitive data, then the encryption shouldn't be necessary.

Don't get me wrong, encryption is great even when it isn't necessary. For my demonstration purposes though, I chose not to include it.

I also believe it's possible to set up HTTPS encryption without a domain name, but it might result in that "we can't verify the authenticity of this website" warning in web browsers due to using a self-signed certificate.

[–] stratself@lemdro.id 21 points 1 day ago* (last edited 1 day ago) (9 children)

Let's Encrypt are rolling out IP-based certs, you may wanna follow its development. I'm not sure if it could be used for your forwarded VPN port, but it'd be nice anyhow

Edit: I believe encryption helps prevent tampering with the data between the server and user too. It should prevent, for example, someone MITMing the connection and injecting malicious content that tells the user to download malware

[–] humanoidchaos@lemmy.cif.su 4 points 1 day ago (1 children)

Thanks. This is new to me and I'm going to be looking into it.

[–] possiblylinux127@lemmy.zip 16 points 1 day ago (1 children)

That is a pretty bad take as all data is sensitive. Https also provides integrity to prevent man in the middle attacks.

[–] theshatterstone54@feddit.uk 8 points 1 day ago

And that's why even static sites like Hugo blogs or even simple pages like the one OP posted should have HTTPS. Source: Studied Distributed Systems at university.

[–] WhyJiffie@sh.itjust.works 2 points 1 day ago

but it is sensitive data. the webserver can send executable code to the web browser. if it does not that doesn't matter, what matters is that it can be inserted by a middleman. It's not like there's a dedicated person needed to do that, it can just happen automatically.

[–] possiblylinux127@lemmy.zip 2 points 1 day ago

You can pick up a cheap domain from gen.xyz. The cheapest domain is $0.99 which is pretty affordable especially since you probably are already paying for an internet connection.

Once you have the domain you can point it to your IP and then set port 443 on that address to point to Caddy. On Caddy you can either configure it as a server or use it as a reverse proxy to point to something else.

Security wise I would put all of this on its own vlan with ACLs to control access. If that sounds confusing start with https.

[–] fmstrat@lemmy.nowsci.com 1 points 1 day ago

Not that I think you need it for this, but a DynDNS implementation would give you a hostname you can dynamically change to your VPN ip, thus solving the SSL host issue.

[–] ComradeMiao@lemmy.world 5 points 1 day ago (1 children)

It takes two seconds to get https and 10 bucks a year for a domain. Come on

[–] possiblylinux127@lemmy.zip 2 points 1 day ago (1 children)

Honestly if one is wanting the lowest cost you can buy a 1.111B class domain from gen.xyz. it is $0.99 a year which is far cheaper than anything I've seen.

[–] ComradeMiao@lemmy.world 1 points 18 hours ago

Even more reason for no excuse

[–] sylvieslayer@lemmy.world 5 points 1 day ago (1 children)

I'm sorry if this is dumb, but do I need to run the vpn on a dedicated machine? If so can I use a raspberry pi?

[–] humanoidchaos@lemmy.cif.su 6 points 1 day ago

It's not dumb at all! Don't be afraid to ask. I'm not an expert and still learning myself.

The VPN is running on the same machine that I am hosting the website on. There may be some configuration you can do to perhaps have the connection routed through your raspberry pi with a VPN running on it to the machine that's hosting the website, but I'm not sure how.

Otherwise, you should be able to at the very least run the entire setup on a raspberry pi.
