As I’m learning more and more about self hosting, I’ve read repeatedly that the safest option for internally hosted services is to use a VPN from your mobile device (laptop, cell) and connect to your server(s) as needed when outside of your network. That brings me to a predicament of sorts.
Tools like Seafile, Nextcloud, Pydio, and CryptPad offer great collaborative features as well as easy sharing from these services. But if you’re not exposing any of these services to the web, how would you share documents or files easily with those outside your network? The share functions will generate a link with your IP:Port, or in my case, a domain name that is only internal. I know you can download a copy and email it separately, but that is a bit clunky. Is there a service or another FOSS app I’m overlooking that allows you to ‘publish’ items to an external friend or team member in a safe manner?
I’ve not yet decided on which solution I’m going with. But in the case of CryptPad, it seems secure enough that I would be comfortable hosting externally, making this question moot. But I’d likely host it on a VPS instead of my home server just for another layer of separation.
I use runtipi.com (posted here already) with Cloudflare as a tunnel.
If I wanted to use my own WireGuard tunnels, like you, I might have used https://gitlab.com/cyber5k/mistborn#what-is-mistborn
Ooh that Mistborn is clever! Thanks. I am currently using WireGuard from my phone to the server. But obviously that’s just me.
I did try to spin Tipi up on both my home server (unRAID) and my VPS (Ubuntu 20.04) and could not get it to play nice. Looks like a great solution though.
wow, never heard of this before. looks amazing
Put them on a VPS at a place like Linode. I frankly would not want to run internet-facing services on my personal connection. Nor would I want the server on my LAN unless I put it on a separate subnet that was firewalled from other stuff.
Good idea, definitely leaning that way. Thanks!
The other thing is that you can favor end-to-end encrypted stuff. Send, for example, which is the follow-on to Firefox Send. I actually use Bitwarden Send to send files, for example, which comes with the Bitwarden paid plan.
I am on the Bitwarden paid plan and didn’t realize there was a send function. That’s awesome!
Actually, Send was why I joined. Loved Firefox Send. There are still random people that host Send instances, but to be secure you have to trust the server delivering the upload and download page, including the server not being cracked. I think I trust Bitwarden not to screw that up at least as much as anyone else. Probably more than I would trust the security of my own VPS.
That’s fair. I signed up for the premium sub so I could have emergency contacts in the event I either forget my master password or something happens to me. So until you said something I was completely unaware that it was a service they offered!
Hetzner is cheaper
I have one with RackNerd at the moment that I can mess with. Not impressed with their customer service but it was a $12/yr VPS so I’m not complaining too much.
What spec does that get you? I’ve tried a cheap 512 MB 1 vCore before and it wasn’t adequate.
They still have their New Year’s deal going here and I bought the middle tier for $12.98/yr
* 1 vCPU Core
* 25 GB Pure SSD Storage
* 1 GB RAM
* 4000 GB Monthly Transfer
* 1Gbps Network Port
* Full Root Admin Access
* 1 Dedicated IPv4 Address
It’s been working very well but I’m currently only running Miniflux and Wallabag on it. I tried Nextcloud but found it too much for my needs and was unhappy with the performance. I’m going to try CryptPad as well as Tipi on it soon. Bear in mind this is my first VPS ever. So I’m far from an expert but this has been a great/inexpensive entry point. And to be fair to their customer service, they replied very quickly. But there was a fairly significant language barrier I think over email. But I was able to get it worked out after a half dozen emails.
I’m considering 1.5GB for $16.88 per year, comes with a little less monthly transfer but I don’t think I will need the difference.
Hetzner might be cheaper, but it might be more susceptible to performance issues. I used to use Netcup, which is also cheap, but its VPS would get very slow from time to time, even though my usage was minimal.
I thought a reverse proxy was meant to kinda help mitigate some of the threats of having exposed services….
Idk, I’ve got a domain and a reverse proxy with minimal services exposed to the internet. And those services require a login.
On another thread someone brought up the point that if running multiple services on a server that touches the Internet and one is compromised, the server could be as well. I only started selfhosting early this year, so I am by no means an expert though.
Risk vs Ease of use. You need to decide if one is worth the other.
I have all my stuff exposed but it is hidden behind 2FA. Also, consider the resources-to-cost ratio. Self hosting (+ routing through a VPS) allows you to have lots of power at low cost.
Very true. I didn’t know if there was some sort of “secure share” that could be leveraged without exposing the main app. Say Seafile, for example. Where a secure link is created and can be sent. I envisioned hosting something like that on my VPS and Seafile (or other) on the home server without exposing it. But reading more about CryptPad, that may be the ticket. Seems plenty secure to host on the web so I may go that way if no other options exist.