I want to start with self hosting something available from internet. Currently I have jellyfin, nas etc but everything is available in local network.
My biggest concern is securing local network. I thought i will run application on separate server, I will use small vps as proxy, but Im not sure if it will be enough
You must log in or # to comment.
Don’t do this
Right now you know enough to be dangerous and because of that you should not expose thing to the internet.
Idk how to understand your post?
I read some comments here and I think that the most important is to separate lan in proper way.
But still I feel more comfortable if everything is in tailscale network…
Separating LANs doesn’t really do much in terms of the wider internet. An adversary would likely be more interested in your internet connection than anything else.
I personally would stick to using a VPN
OP, if you ever decide to go the Cloudflare Tunnels/Zero Trust route, I’ve got a set of instructions/notes that have helped a handful of people deploy Cloudflare Tunnels/Zero Trust. I’d be more than happy to share them.
Have you considered Cloudflare Tunnels/Zero Trust. When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT, open any ports, in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name but I think most get something cheap from NamesCheap or Pork Bun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.
ETA: Obviously you’ll need port 22 for administration.
sudo ufw default deny incoming
sudo ufw default allow outgoing
I think this is an excellent suggestion. I used Cloudflare tunnels until recently, and it was very effective. However, I stopped because of a minor issue, which I’ll mention in case its a deal breaker for anyone.
Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.
I heard from a “friend of a friend” that everyday users don’t need to worry about this. Cloudflare are aware of people using tunnels with Jellyfin and they aren’t fussed. The rule is supposedly there to combat large scale piracy.
However, I have heard that cloudflare does decide to start caring if they can use jellyfin use as an extra excuse to kick anybody involved in other ToS violations.
In all likelihood, this won’t be a problem for you. While I used tunnels, they worked perfectly. However, given that you are going to go to the effort of sorting out some level of infrastructure for yourself, its something to keep in mind.
Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.
I’ve heard people say this, and I’ve heard people say you can’t stream music. Tho I do not run the 'arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it’s something to keep in mind.
ETA: I am the sole user
Yeah, but if my server is in the local network, I have potential threat that someone will access my lan through public server
Well, you could do network segmentation:
- Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have buy many consumer routers have a “guest network” that can serve this purpose.
Utilize UFW rules. Mine are:
-
sudo ufw default deny incoming
-
sudo ufw default allow outgoing
-
Anywhere ALLOW IN 192.168.1.0/24
-
22 ALLOW IN 192.168.1.0/24
-
22 on tailscale0 ALLOW IN Anywhere
-
22 (v6) on tailscale0 ALLOW IN Anywhere (v6)
Also:
- sudo ufw allow out to 1.0.0.1 port 53 # DNS only
- sudo ufw allow out to 1.1.1.1 port 53
- sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin
So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IoT Internet of Things for device controllers NAS Network-Attached Storage NAT Network Address Translation SSH Secure Shell for remote terminal access VPN Virtual Private Network
6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #323 for this comm, first seen 31st May 2026, 19:10] [FAQ] [Full list] [Contact] [Source code]
To mitigate the risks you could put the local server into its own network where it cannot reach anything else in your home.
The absolute easiest way to securely access your server from over the internet would be to use tailscale or similar, but then you’d have to connect to the vpn service whenever you wanted to access those servers from outside your local network.
There is also this feature in tailscale, but I haven’t used it myself because I don’t know enough about the security implications to use it: https://tailscale.com/docs/features/tailscale-funnel
I was pondering the same for last couple of days and had some thoughts on how to make it feasible. My research led me so far to 2 prerequisites:
- must have Anubis in front
- must have a WAF solution in place that covers at least OWASP Top 10
I found pretty good Caddy documentation that covers both, so I think I’ll deploy a secondary Caddy reverse proxy that’ll perform such ops for public facing services.
Of course, I currently have only 1 Caddy instance reverse proxy ing my internal services, haven’t reached the part on traffic handling when my devices are connected to the “safe network” (aka my home LAN)
I run my server on the internet, and my security is crowdsec + geo ip block (well, white-list my country’s ip but same idea) and authelia.
Using this setup, I barely ever have even bots randomly pingig me, let alone anyone trying to access my NAS.
@Kkk2237pl What are you using for a router? A good uptodate version of something like ooenwrt, a separate subnet running on a different vnet and firewall zone.
Why the vps?
Deco
@Kkk2237pl Im no expert so you know take everything with a grain of salt but for me i flash all my routers with #openwrt including #tplink stuff… Butnthat gives me everything i need.
You probably do.everything with stock firmware though
Get you a vps and start! Or if you don’t want to pay extra money host a tor service. You don’t have to open ports for that.
@Kkk2237pl Can I suggest that you start with something simple where as much as possible is templated - im like a broken record on this but i use #yunohost simply because heaps of people are using the same config.
