A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
I agree with the other folks recommending Pangolin on a VPS for this. It's great. It combines a reverse proxy and a wireguard tunnel together for you. You don't have to open any ports on your home network, and Pangolin allows you to set access levels for each individual service.
So you can have some fully open for those who aren't going to mess with VPNs and tunneling, and you can put other things behind Pangolin auth to add additional protection.
I do this currently. I have a Hetzner VPS with Pangolin, giving access to family services like Immich etc, and my own nerdy services I keep locked to my home IP, and if I'm away from home, I tunnel in with Wireguard and hence then the home IP kicks in and they work.
You can issue traefik IP rules with Pangolin as well to limit what IPs can access services.
I have Pangolin and all family services behind Pocket ID with passkey only auth.
The VPS I protect with Hetzner's firewall, so only SSH is allowed from my home IP.
The whole setup is as secure as I can make it. My family would just roll their eyes at any VPN I asked them to use, so it has to be publicly accessible for some things annoyingly.
I also have private services coming direct to my home firewall away from the VPS (for speed efficiency), and for truly public services (websites), I have those tunneled through a Cloudflare tunnel that can handle Google Auth for WordPress login pages etc.
It made me uncomfortable to start with using the VPS, but in time, confidence grows.
Are you able to ssh in with Pangolin? I'm also using Pangolin on a VPS, and though a little while ago (last year somteime?) they demoed a tool for ssh over the pangolin tunnel, I could not get it to work.
Is they're a reason you don't want to just use tailscale for this? it's incredibly easy to set up and does exactly what you're trying to do.
Look into Pangolin with crowdsec. It's basically the all in one tested solution for your plans.
This. I just moved from Nginx Proxy Manager + Headscale/Tailscale to Pangolin and it's incredibly easy.
I would say if you need to ask this, you might not be ready to expose your home sever to the internet. Please be VERY careful about this.
With that being said, setting up reverse proxy (nginx) on the VPS should not affect the reverse proxy on your home server in any way.
In the proposed setup, the VPS will be directly exposed to the internet - it's the "gateway" to your network. If someone gains access to the VPS, they have access to your home server and probably other devices in your network. So yes, you need to secure the VPS as much as you can. Fail2ban or Crowdsec are a good idea. Setting them up on the home server wouldn't really do anything against an attacker with access to the VPS.
When I looked into this configuration a few years ago the security improvements seemed minimal. Adding yet another provider to the mix plus the additional risk of a server misconfiguration didn't seem to be worth the trouble unless I was dealing with CGNAT.
Besides hiding endpoints from your ISP and exposing them to the VPS, how much security does this really add?
It's not about security for me. I just don't want to have the hassle for other people to have to install and configure VPN to my server and I can't and don't want to expose ports 80 and 443 (I can only open like ports 21000-22000 in my router and I don't have a IPv4 address)
Configure the VPN route for only that one address, not the whole subnet.
If you only have the VPN, nothing exposed directly, you don't need fail2ban at all. I suppose you could configure it for the VPN service, but that seems unnecessary to me.
Fail2ban, crowdsec, or similar is still nice to have on the VPS side to reduce the load on your internet connection from abusive bots and LLM scrapers and such.
Personally, I've been having good luck with Pangolin, but I have several services that I expose via different subdomains.
Well, that's good and all, but if you want to reach some services like Jellyfin without a VPN, then you need to go this route. Because if you have some folks like your parents or friends who you want to give access to these services but they don't want to have a VPN Then I can only think of two routes to go. The one is opening ports on your router or the second is VPN to an VPS. Or maybe have a cloudflaredtunnel setup.
Sure, but OP doesn't want to do that.
or the second is VPN to an VPS
is what I want to do
I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.
And you can access any device from your VPN in your LAN.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CGNAT | Carrier-Grade NAT |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| TCP | Transmission Control Protocol, most often over IP |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
| nginx | Popular HTTP server |
9 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.
[Thread #130 for this comm, first seen 2nd Mar 2026, 21:10] [FAQ] [Full list] [Contact] [Source code]