this post was submitted on 02 Mar 2026
7 points (88.9% liked)

Selfhosted

56957 readers
1044 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
7
Using VPS for remote access of my server - some questions (piefed.social)
submitted 2 hours ago by Tywele@piefed.social to c/selfhosted@lemmy.world
11 comments fedilink hide all child comments
 

Hi,

I want to make some of my services (like Nextcloud, Immich, Komga, Jellyfin and FreshRSS for example) on my home server easier accessible from remote. For that I want to use a VPS where I install Nginx and Wireguard on it and establish a VPN connection between it and my homeserver. So far so good.

My first question: For the services that I don't want to expose for remote access over that setup, can I just keep my Nginx instance that I have running now for these services. For example my budgeting service is available under finance.example.com as long as I'm in the same network as my home server right now. Would that still be possible when I have 2 Nginx instances running (one on the VPS and one on the home server directly) or would I need to configure it differently for that to work?

My second question:
Do I need to install Fail2Ban on my VPS or can I also install it on my homeserver?

top 11 comments
sorted by: hot top controversial new old
[–] NormDeplume@lemmy.world 4 points 48 minutes ago

Is they're a reason you don't want to just use tailscale for this? it's incredibly easy to set up and does exactly what you're trying to do.

[–] comrade_twisty@feddit.org 2 points 1 hour ago

Look into Pangolin with crowdsec. It's basically the all in one tested solution for your plans.

[–] QuizzaciousOtter@lemmy.dbzer0.com 3 points 1 hour ago

I would say if you need to ask this, you might not be ready to expose your home sever to the internet. Please be VERY careful about this.

With that being said, setting up reverse proxy (nginx) on the VPS should not affect the reverse proxy on your home server in any way.

In the proposed setup, the VPS will be directly exposed to the internet - it's the "gateway" to your network. If someone gains access to the VPS, they have access to your home server and probably other devices in your network. So yes, you need to secure the VPS as much as you can. Fail2ban or Crowdsec are a good idea. Setting them up on the home server wouldn't really do anything against an attacker with access to the VPS.

[–] spaghettiwestern@sh.itjust.works 2 points 1 hour ago (1 children)

When I looked into this configuration a few years ago the security improvements seemed minimal. Adding yet another provider to the mix plus the additional risk of a server misconfiguration didn't seem to be worth the trouble unless I was dealing with CGNAT.

Besides hiding endpoints from your ISP and exposing them to the VPS, how much security does this really add?

[–] Tywele@piefed.social 2 points 1 hour ago* (last edited 1 hour ago)

It's not about security for me. I just don't want to have the hassle for other people to have to install and configure VPN to my server and I can't and don't want to expose ports 80 and 443 (I can only open like ports 21000-22000 in my router and I don't have a IPv4 address)

[–] frongt@lemmy.zip 3 points 2 hours ago (1 children)

Configure the VPN route for only that one address, not the whole subnet.

If you only have the VPN, nothing exposed directly, you don't need fail2ban at all. I suppose you could configure it for the VPN service, but that seems unnecessary to me.

[–] MIXEDUNIVERS@discuss.tchncs.de 1 points 2 hours ago (1 children)

Well, that's good and all, but if you want to reach some services like Jellyfin without a VPN, then you need to go this route. Because if you have some folks like your parents or friends who you want to give access to these services but they don't want to have a VPN Then I can only think of two routes to go. The one is opening ports on your router or the second is VPN to an VPS. Or maybe have a cloudflaredtunnel setup.

[–] frongt@lemmy.zip 1 points 1 hour ago (1 children)

Sure, but OP doesn't want to do that.

[–] Tywele@piefed.social 1 points 1 hour ago

or the second is VPN to an VPS

is what I want to do

[–] blurry@feddit.org 1 points 2 hours ago

I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.

And you can access any device from your VPN in your LAN.

[–] Decronym@lemmy.decronym.xyz 0 points 1 hour ago* (last edited 45 minutes ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
TCP Transmission Control Protocol, most often over IP
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

8 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #130 for this comm, first seen 2nd Mar 2026, 21:10] [FAQ] [Full list] [Contact] [Source code]