So, I have a rpi4b that’s currently running a VPN for family abroad. I’m just finishing setting up Ubuntu server 24.04LTS(I have limited number of USB sticks, and the largest is only 8gb, so this choice was one of size, I can go into ones I had considered before) on an old laptop. For my small business I’ve also bought a domain for a work email, and eventually a website both are/will be hosted externally as I don’t want to faff about with securing those aspects on my home network. The VPN though, that is currently pointing to no-ip dns service, and I want to migrate that to both the laptop and my own registered domain. What’s best practices here? I do need the VPN to exit through to my network, so that my MiL can watch UK streaming from abroad(TV licence shenanigans).

  • themachine@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    2 months ago

    I’m not entirely sure what the actual question is. Can you rephrase what exactly you are trying to accomplish?

    • SturgiesYrFaseOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      VPN needs to come in from my domain IP, but exit from my network. What network security best practices should I be implementing?

      • themachine@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 months ago

        Best practices comes down to what you do or do not want the VPN clients to access. This mostly comes down to routing and firewall rules.

        So, what should your users have access to?

        Also what is the vpn?

        • SturgiesYrFaseOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Some users just need to be able to exit my home network.
          I would like to, maybe, in the future have a file server/jellyfin, have access to other devices on my network and if I’m somewhere with low enough latency stream games off steam.

          Just wanted to say, thanks for asking me for further details. You could have been a dick about my unclear initial post, and I appreciate your just picking away at it until I was a bit more specific about what I was actually asking for.
          If this was reddit the whole thing would’ve been a fair bit more hostile.

          • themachine@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            2 months ago

            You did not answer what VPN tech you are using.

            Without that knowledge i would recommend setting up tailscale and having your users use that. If you want to be fully self hosted you can also run Headscale as the control plane instead of relying on Tailscales own service.

            I recommend tailscale as it is very easy to grant a user privileges to ONLY use an endpoint as an exit node but also grant access to any other endpoints as needed (such as your future jellyfin server) via theor ACLs.

            • SturgiesYrFaseOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              Ah, yeah, sorry. Currently I’m using WireGuard, but I’m open to using something else.

              I’ll have a look at Tail/Headscale, this was very informative, thank you very much.

              • themachine@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                2 months ago

                In the scope of wireguard it’ll just be a matter of you building appropriate firewall rules.

                Since you want their internet traffic to go through you then i assime you’re effectively pushing a 0.0.0.0/0 route to your clients. You then need to add firewall rules on your server to block traffic to its local subnet and in the future allow traffic to only your jellyfin server.

                This is also pretty simple and nothing wrong with that setup.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    VPN Virtual Private Network
    nginx Popular HTTP server

    4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

    [Thread #960 for this sub, first seen 9th Sep 2024, 11:55] [FAQ] [Full list] [Contact] [Source code]

  • Swarfega@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    2 months ago

    I have a couple of services, including nginx (a website) that run though a Cloudflare Tunnel. No need to open up ports and certificates are automatically managed.

    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

    I also use ddclient to update my own personal domain with my internets dynamic IP (no need for a dynamic DNS provider). I have to do this as I host Jellyfin and Cloudflare don’t support streaming through their tunnels. So yes this is exposed to the internet. It does sit behind a caddy reverse proxy though.

    I also run a wireguard VPN so that I can dial in when out the home. Im in Spain next week so can use that to get BBC iPlayer etc. The wireguard uses an address that is dynamically updated by ddclient (domain is hosted by Cloudflare)

    Emails I don’t bother self hosting. I actually pay for simplelogin and send emails there via aliases. They then route to a single Proton email address.

    • SturgiesYrFaseOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Email is going through my domain to ProtonMail, was really easy to set up, and works like a charm.

      This is all good info, thanks! Gives me a bit of reading to do before I start shifting everything over.