The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.

Everything is accessible through VPN (Wireguard) only

Everything is behind a wireguard vpn for me. It's mostly because I don't understand how to set up Https and at this point I'm afraid to ask so everything is just http.

Nothing I host is internet-accessible. Everything is accessible to me via Tailscale though.

100% is lan only cause my isp is a cunt

There's a wid range of opinions on this. Some people only access their services via tunnel, some people open most of their services up to the internet, as long as they're authenticated. One useful option for https services is to put them behind a reverse proxy that require oauth authentication, which allows you to have services over the internet, without increasing your attack surface. But that breaks apps like Nextcloud and Lemmy, so it's not a universal option.

I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).

I knew about Cloudflare Tunnels but I didn't want to route my stuff through their service. And using Immich through their tunnel would be very slow.

I finally figured out how to publish my stuff using an external VPS that's doing several things:

• being a OpenVPN server
• being a cert server for OpenVPN certs
• being a reverse proxy using nginx with certbot

Then my servers at home just connect to the VPS as VPN clients so there's a direct tunnel between the VPS and the home servers.

Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6 and that one routes the traffic through the VPN tunnel to the home server and it's port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.

Took me several years to figure out but resolved all my issues.

Available to the internet via reverse proxy:

• Jellyfin
• Navidrome
• Two websites
• matrix chat server
• audiobookshelf

LAN only:

• homepage
• NGINX Proxy Manager
• Portainer

There’s more in both categories but I can’t remember everything I have running.

I currently keep everything LAN-only because I haven't figured out how to properly set up outside access yet.

(I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people's location outside the home would work.)

All of it is LAN only except Wireguard and some game servers.

Nearly all of them. Nextcloud, Jellyfin, Vaultwarden, Spacebar, and 2fAuth, all set behind an NGINX Reverse Proxy, SWAG. SWAG made it very easy to set up https and now I can throw anything behind a subfolder or subdomain.

The only acessible element is the webserver. Fileserver, home automation, octopi, proxmox, media, etc etc are all isolate.

Nothing outside the LAN. Just Tailscale installed on my Synology NAS, on HomeAssistant and on all my machines.

Unlike most here, I'm not as concerned with opening things up. The two general guidelines I use are 1. Is it built by a big organization with intent to be exposed, and 2. What's the risk if someone gets in.

All my stuff is in docker, so compartmentalized with little risk of breaking out of the container. Each is on it's own docker network to the reverse proxy, so no cross-container communication unless part of the same stack.

So following my rules, I expose things like Nextcloud and Mediawiki, and I would never expose Paperless which has identity documents (access remotely via Tailscale). I have many low-risk services I expose on demand. E.g. when going away for a weekend, I might expose FreshRSS so I can access the feed, but I'd remove it once I got home.

Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.

Like, even my DNS server is public because I use DoT for AdBlock on my phone.

Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).

A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.

Everything is accessible, but only through n2n vpn.

I keep everything behind a VPN so I don't have to worry much about opening things up to the Internet. It's not necessary about the fact that you're probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.

You could expose your media server and not worry too much about that device but having it in a "demilitarized zone", ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

[Thread #549 for this sub, first seen 26th Feb 2024, 21:45] [FAQ] [Full list] [Contact] [Source code]

something like 95% stays local and is remote accessed via wireguard, The rest is stuff I need to host via a hostname with a trusted cert because apps I use require that or if I need to share links to files for work, school etc. For the external stuff I use Cloudflare tunnels just because I use DDNS and want to avoid/can't use port forwarding. works well for me.

Each time I've read into self-hosting it often sounds like opening stuff up to the internet adds a bunch of complexity and potential headaches, but I'm not sure how much of it is practicality vs being excessively cautious.

Only my Stremio add-ons, such as Knightcrawler, Annatar and Stremio-Jackett.

Only my emby and ombi containers has an open path in/out, everything else is local or VPN only

PII or anything that would demonstrate clear attribution is LAN, the rest of the "fun" stuff lives on a VPS. Wireguard between them.

Nothing is exposed. There are things I want exposed, but I don't want to keep security patches up to date, even if there is a zero day. I'm looking for someone trustworthy to hire for things that it would be useful to expose, but they are hard to find.

Most of my things are open to the web but thats kinda nessasary for them to be functional file shairing links, link shortening, mc server etc etc

Everything critical is on lan (docs, passwords, media), everything else is on vps (gameserver, fediverse, websites). I dont mix these as I absolutely dont want to deal with a breakin. I assume they will get in so I airgap them more or less.

I probably have more accessible from outside than not. Many are required: hosting a website, a media server I can access from anywhere outside the house, my phone system, etc. Some I used to use more than I do now: podcast service, that sort of thing. Then a bunch that are internal only. My phone connects home over Wireguard so that's pretty convenient when out and about for accessing internal only systems.