• 2 Posts
  • 40 Comments
Joined 1 year ago
Cake day: June 13th, 2023

  • Every time I think about hosting my own mail server, I think back to the many, many, many times I’ve had to troubleshoot corporate email systems over the years. From small ones that ran on duct tape and prayers to big ones that were robust, high dollar systems.

    98% of the time, the reason the messages aren’t coming or going is something either really obscure or really stupid. Email itself isn’t that complicated and it’s a legacy communications medium at this point. But it’s had so much stuff piled on top of it for spam and fraud prevention, out of necessity, and that’s where the major headaches come from. Honestly, it’s one service that, to me, is worth paying someone else to deal with.

  • Set up a VPS. Create a VPN tunnel from your local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

    I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and set up a WireGuard tunnel between it and my local MikroTik router.

    It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.

    It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).
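The VPS side of the setup described in this comment, as an added example that is not the commenter's own configuration. It assumes a hypothetical layout (VPS public NIC eth0, tunnel 10.200.0.1 on the VPS and 10.200.0.2 on the home router, web server 192.168.1.10 on the home LAN) and placeholder keys; it generates a WireGuard config and an nftables ruleset that forwards only 80/443 through the tunnel.

```shell
#!/bin/sh
# Added example, not from the comment above. Hypothetical layout: VPS public
# NIC eth0, tunnel 10.200.0.1 (VPS) <-> 10.200.0.2 (home router), web server
# 192.168.1.10 on the home LAN. Keys are placeholders (wg genkey / wg pubkey).
WAN_IF="eth0"; WG_HOME_PEER="10.200.0.2"
HOME_LAN="192.168.1.0/24"; WEB_HOST="192.168.1.10"
# VPS side of /etc/wireguard/wg0.conf. AllowedIPs doubles as WireGuard's
# inbound source filter, so list only the peer address and the home LAN.
gen_wg_conf() {
  cat <<EOF
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
[Peer]
PublicKey = <HOME_ROUTER_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = ${WG_HOME_PEER}/32, ${HOME_LAN}
EOF
}
# VPS nftables ruleset. Only 80/443 are DNATed into the tunnel and the forward
# chain drops everything else, so a compromised VPS is not an open pivot into
# the home LAN. It hides the home WAN address; it does not absorb a DDoS.
gen_nft_rules() {
  cat <<EOF
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    udp dport 51820 accept
    tcp dport 22 accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    iif ${WAN_IF} tcp dport { 80, 443 } dnat ip to ${WEB_HOST}
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif ${WAN_IF} oif wg0 ip daddr ${WEB_HOST} tcp dport { 80, 443 } accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oif wg0 masquerade
  }
}
EOF
}
gen_wg_conf; gen_nft_rules
```

Check the generated ruleset with `nft -c -f` before loading it; the masquerade on wg0 keeps return traffic in the tunnel without policy routing at home, at the cost of the web server seeing the tunnel address instead of the client address.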

  • Oh, I wouldn’t if I could avoid it. The “fun” of tinkering with IT stuff in my very limited spare time vaporized many years ago. If I could pay for services that did exactly what I wanted, respected my privacy, and valued my business while charging a fair price, I would stop self-hosting tomorrow. But that’s not usually how it works.

    Self hosting isn’t super high maintenance once you get everything set up but it still takes up probably 10-12 hours per month on average and I would not mind having that time back.


  • This is a pretty good summary. In enterprise networking, it’s common to have the ‘DMZ’, the network for servers exposed to the internet, firewalled off from the rest of the system.

    If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.

    This helps limit the damage if a malicious actor hacks into your webserver by making sure they don’t also have unrestricted access to other parts of your system. It’s called a layered security approach.

    However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it’s configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.

    Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that’s useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn’t exist anyway. That’s not inherently bad. It comes with the territory when you’re hosting public services. It is more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it’s about managing risk and different network configurations have different levels of risk.
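The two-firewall DMZ layout this comment describes, as an added example that is not the commenter's own setup. It assumes a hypothetical layout (outer firewall with NICs wan0 and dmz0, inner firewall between dmz0 10.10.0.0/24 and lan0 192.168.1.0/24, web server 10.10.0.5, database 192.168.1.20:5432) and generates the two nftables rulesets: 80/443 on the outer firewall, and only the web-server-to-database port on the inner one.

```shell
#!/bin/sh
# Added example, not from the comment above. Hypothetical layout: WAN
# firewall with public NIC wan0 and DMZ NIC dmz0; inner firewall between
# dmz0 (10.10.0.0/24) and lan0 (192.168.1.0/24). Web server 10.10.0.5 in the
# DMZ needs only the database at 192.168.1.20:5432 on the LAN.
WEB="10.10.0.5"; DB="192.168.1.20"; DB_PORT="5432"

# Outer firewall: the first set of open ports, 80/443 forwarded to the web
# server and nothing else from the internet.
gen_wan_rules() {
  cat <<EOF
table inet wan {
  chain prerouting {
    type nat hook prerouting priority -100;
    iif wan0 tcp dport { 80, 443 } dnat ip to ${WEB}
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif wan0 oif dmz0 ip daddr ${WEB} tcp dport { 80, 443 } accept
  }
}
EOF
}

# Inner firewall: the second set of open ports. The DMZ may initiate exactly
# one flow into the LAN (web server -> database port); every other DMZ -> LAN
# attempt is logged and dropped, so a compromised web server probing inward
# leaves a trace instead of a foothold.
gen_inner_rules() {
  cat <<EOF
table inet inner {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif dmz0 oif lan0 ip saddr ${WEB} ip daddr ${DB} tcp dport ${DB_PORT} accept
    iif lan0 oif dmz0 ip daddr ${WEB} tcp dport { 22, 443 } accept
    iif dmz0 oif lan0 log prefix "dmz-to-lan-blocked: " drop
  }
}
EOF
}
gen_wan_rules; gen_inner_rules
```

The logged drops on the inner firewall are the detection point: a web server that starts connecting to LAN hosts other than its database shows up there first.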

  • It’s a song that’s been played so many times the record is starting to get worn out.

    Big manufacturer buys software company.

    Big manufacturer does not understand software business, software company, or software company’s customers.

    Big manufacturer makes a bunch of cost reductions based on incorrect assumptions.

    Big shot at big corp customer calls peon (like me) at budget time to ask why we spend so much money on this “VMware”.

    Peon explains that VMware is very important software which used to be “Best in Class” but has become “Overpriced, second rate, yada yada…” and suggests we switch to Hyper-V.

    Big shot asks (a little suspiciously) if we would save money without any negative impact to operations.

    Peon says, “Yes.”

    Big shot writes big check to Microsoft.

    Other big shot at big manufacturer is stuck trying to figure out where all the customers went; not realizing that big manufacturer pissed all over the peons who actually have to use their [now] shitty software.

    Big manufacturer decides the acquisition was a failure, learns nothing from it, and sells the shell of the once popular software company for a fraction of what they paid for it.

  • I use Veeam Backup & Recovery Community Edition. If you’re running VMs you have to be on VMware or Hyper-V. You can also use agents on the individual VM/Server. It also requires a pretty hefty Windows host, at least if you want your backups to complete fairly quickly.

    Those are understandably downsides for some people. But, Veeam is in a class by itself. It has no serious competitors and as far as ease of use and reliability, it’s top tier.

    I’m lazy. I don’t want to spend a bunch of time configuring finicky backups only to find out I needed one and it failed. I honestly wish there were a comparable open source backup system. I have yet to find anything that works as well.