Hi everyone

Thanks for all the advice on buying a domain. It's a big week for me. Getting on grapheneos, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.

My original plan was to get one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with cloudflare. It's a lot more money than I had planned but all the security features are baked in and I feel that's worth the extra money.

Here are my questions. I use the latest version of truenas community.

  1. How do I connect my domain to my server apps? I've got a series of apps I'd love to be able to access without tailscale and solely use the domain.
  2. I have heard the term DNS a million times but don't really understand it. What do I need to know about DNS to keep security up and stay protected?
  3. I'd like to let family access my media server, are there any considerations I need to make?
  4. How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?

Thank you for any advice

  • frongt@lemmy.zip · 8 points · 17 hours ago

    I would strongly encourage continuing to use tailscale or another VPN. The more you expose to the Internet, the more opportunities you present to an attacker. If your family also uses the VPN client, they can access the systems in the same way.

    Plenty of learning material out there on DNS. But no, you don’t have to pay extra for subdomains. You can put the records up on cloudflare or host them internally. Generally it’s considered bad practice to put local records in public DNS, but it doesn’t actually matter that much.

    You can set up a reverse proxy to route traffic to each service based on the domain name used. Most people use caddy, some use traefik, and some use nginx proxy manager.

    • someonesmall@lemmy.ml · 5 points · 16 hours ago

      This. Do not expose any service to the internet or even LAN. All clients need to connect via VPN to your machine, no matter if from LAN/home or on the road (WAN/Internet). You can still use a reverse proxy and custom domain names so inside the VPN network everything is HTTPS and each service has a nice domain name.

      • valar@lemmy.ca · 5 points · 16 hours ago

        This seems a bit extreme to me. I have services exposed to the Internet, with reverse proxy and auth.

        • queerlilhayseed@piefed.blahaj.zone · 2 points · 14 hours ago

          I think it's good advice for beginners. If you're inside a VPN you get a little more breathing room to figure out how to properly provision and wire up your services without having to deal with all the security and scaling concerns that can come from public hosting. Also, new hosters are really likely to set up their reverse proxy and not patch it and leave it open to known vulnerabilities that get exploited months or years down the line… not that that ever happened to me…

          Anyway, I think inside a VPN is a good way to get your feet wet. Setting up a public website is fun but I wouldn’t advise it as a first step.

          • Jason2357@lemmy.ca · 1 point · 9 hours ago

            For a personal website, just point the main domain or one subdomain at something like github pages or another static site hoster and start forwarding email to their regular email. Zero maintenance to start and cost. Grow from there.

        • Jason2357@lemmy.ca · 1 point · 9 hours ago

          Sounds like you may be really starting from scratch on your learning. It would be best to work entirely inside a VPN like tailscale for complex apps like jellyfin if you want them. You can set up https, but there’s no harm either way. You might not use your own domain right away inside your VPN, but you will a little down the road. You will get annoyed with using IP addresses for your services and set up an internal DNS server eventually. You can safely experiment and make mistakes inside your tailnet.

          For learning to set up an open Internet exposed service, use a completely isolated, dedicated computer (maybe a raspberry pi on a demilitarised zone of your internet router or better yet a $5 VPS on someone else's network). Then read up on hosting a "static website" with either nginx or Caddy. I prefer the latter because one short config file can set everything up for https and take care of the certificates for you. This can eventually become the gateway into your other services from the open Internet, but do not do that from the start, just a simple personal website. This will require learning a little Linux system admin, SSH (read up on key based authentication so you can disable password authentication in SSH), remote file management, and configuring a webserver, DNS, and certificates. Lots to learn.

          Because it is just hosting static webpages, there's almost no risk of it being hacked and used maliciously if you misconfigure something or forget to patch it. Static sites are awesome nowadays anyway, though, you don't even really need a fancy site generator to get started, just some simple HTML files. A fun and easy project is a hand written list of your favourite web links and then set your browser's new tab page to it. Instantly useful and fully under your control.

          I actually envy your spot on your learning journey. It was such a rewarding experience for me to do all the above.

    • Serinus@lemmy.world · 1 point · 12 hours ago

      Alternatively, gather the IP addresses of family and use your reverse proxy to restrict some subdomains to that trusted list of IPs.

      The downside is that when someone’s IP changes you have to update. Make sure you track which IP belongs to which person.
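      A Caddyfile that ties together three suggestions in this thread: subdomain-based reverse proxying (frongt's reply), the one-file static site with automatic HTTPS (Jason2357's reply), and Serinus's per-subdomain IP allowlist. This is an added example, not anything posted by the commenters; example.com, the local ports and the family addresses are placeholders.

```caddyfile
# Added example, not from the thread. Assumptions: you own example.com
# (placeholder), DNS A records for the names below point at this host,
# ports 80 and 443 reach it, and each app listens on the local port shown.

# Main domain: a static personal site. Caddy obtains and renews the TLS
# certificate itself and redirects plain HTTP to HTTPS.
example.com {
    root * /srv/www
    file_server
    encode gzip
}

# One subdomain per service; each gets its own certificate and proxy target.
# Subdomains cost nothing extra, they are just more DNS records.
notes.example.com {
    reverse_proxy 127.0.0.1:8080
}

# Media server restricted to a hand-maintained allowlist of family addresses
# (constructed sample values). Anyone else gets a bare 403 and never reaches
# the application behind the proxy.
media.example.com {
    @family remote_ip 203.0.113.10 198.51.100.0/24
    handle @family {
        reverse_proxy 127.0.0.1:8096
    }
    handle {
        respond 403
    }
    # Keep an access log so refused requests are visible and the list can be
    # updated when someone's home IP changes.
    log {
        output file /var/log/caddy/media.log
    }
}
```

      If Cloudflare's proxy (orange cloud) sits in front of these names, remote_ip sees Cloudflare's addresses rather than the visitor's, so either leave the allowlisted host as a DNS-only record or configure Caddy's trusted_proxies and use the client_ip matcher instead.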

    • philanthropicoctopus@thelemmy.club (OP) · 2 points · 16 hours ago

      This is where I get really lost. I'm probably going to get this wrong so here goes.

      My understanding was tailscale is to connect different machines across the internet, but that a traditional VPN hides your information.

      I got a domain so I could use my traditional VPN and access my server. At the moment, every time I want to access my server, I have to turn off my VPN so I can turn on tailscale. That’s the exact scenario I’m trying to avoid by getting the domain.

      Again, I'm sure I've got some stuff wrong here but that's my current understanding.

      • Jason2357@lemmy.ca · 1 point · 8 hours ago

        At the moment, every time I want to access my server, I have to turn off my VPN so I can turn on tailscale.

        Yes, mobile devices typically cannot run two VPNs at once. There are two issues here, when at home and when out on other networks.

        At home, the solution is not to round-trip out to your VPN provider and then back into your network via the public Internet using your domain. Unfortunately. That creates a huge latency and bandwidth penalty when you are physically at home and unnecessary complexity.

        Instead, if you must use your VPN service while at home, you need to find the split tunnel settings to allow your phone to access the local network while connected to the VPN service. They usually hide that setting because it opens up the security of said services and allows some leaks, but it should be there.

        When out on other networks, it gets harder. If you get creative with networking, you could connect a computer to your commercial VPN service and have all your tailnet devices use it as an exit node, which has the nice benefit of paying the VPN service for “one device” and using as many as you want, but is dependent on your home network speed and a PITA to set up.

        Tailscale does integrate with one VPN provider so you can use one app for both tasks, but it may not be the provider you want. I don't know if their direct competitors do the same, maybe shop around a bit. One VPN app for both use cases is what you want, not two different VPN apps.

        Finally, if none of the above works for you, then yes, you are back to accessing your self-hosted services via the public internet and your domain name while travelling and using your commercial VPN. You will have to secure the service, and that will take some learning to do safely. That will be a journey and not something you want to just throw together quickly. You might be able to restrict incoming connections to just your commercial VPN IP address range (in addition to all of the other proper config required) to further reduce the attack surface. Sorry, that is a bit of bad news.

        Edit: I have been seeing mTLS (client certificates) come up in selfhosting discussion more and more lately. If the particular service you are running has a walkthrough for that, including support for whatever client apps, it gets you almost to VPN level security. But most do not, and if they do, it's alpha stage. However, keep an eye out for that in the self-hosting world as it may solve your issue in the future.

      • Jason2357@lemmy.ca · 1 point · 8 hours ago

        My understanding was tailscale is to connect different machines across the internet, but that a traditional VPN hides your information

        You got it! When you google VPN services, you get all these companies selling products for encrypting your internet traffic (90% snake oil IMHO). Main use case nowadays seems to be making your browsing appear like you are in a different country. This is not what people are referring to in this thread by "VPN", even though it is the exact same underlying technology.

        Tailscale is actually trying to simplify the original VPN idea, which is to create a secure private "network" over the internet, so your devices can securely talk to one another, no matter where they are physically (over the internet). When you are out on the road, your phone can see your home server just like they were on the same home network, and there's no way for an attacker to see the traffic or get access to those machines. You might also read about Wireguard or Zerotier - same idea, the first is more rudimentary but is used by Tailscale for the actual encrypted traffic part, the second is their main competitor (all three are legit good options depending on your priorities). Tailscale is pretty good at being easy to get going because it takes care of authentication, routing, and port forwarding for you. They even helpfully proxy your encrypted traffic if the machines fully cannot connect p2p with each other for whatever reason (slow, but can save your butt). The apps are pretty decent too. I used Tailscale for a long time then eventually self-hosted it once I knew what I was doing sufficiently. I still use their apps.

      • frongt@lemmy.zip · 1 point · 10 hours ago

        If you really want to, you can use tailscale to home, then route your outbound traffic over the other VPN. But that’s a bit tricky to set up and it’ll probably be pretty slow.

        Using a VPN for privacy is overrated, unless you have a government or ISP that is actively snooping on your traffic. The majority of connections are already encrypted with https.