NikStalwart

joined 1 year ago
[–] [email protected] 1 points 11 months ago

I am not sure I understand your requirements. What functionality of Filebrowser do you want to see? Read only or read-write?

Firefox has (had?) FTP support, you could just run an FTP server and connect from your normal browser.

You could use autoindex built into your web server. That'll be the most lightweight option possible.

If these are not what you are looking for, we need details. Lots more details.

[–] [email protected] 2 points 11 months ago

I think you are overcomplicating and undercomplicating things at once.

Proper VPNs will allow split tunneling  —  only the traffic that needs to go through the VPN will go through the VPN.

So, the solution would be:

  • Set up a VPN capable of split tunneling — vanilla Wireguard and tailscale should work
  • Set up split horizon DNS so that you are pointed to the internal/VPN-facing IP address of your server while connected to the VPN *???
  • Profit
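Added example (not part of the comment above, and not WireGuard or Tailscale code): WireGuard decides which destinations enter the tunnel purely from each peer's AllowedIPs, by longest-prefix match, so "split tunneling" is just AllowedIPs that list only the internal ranges. The snippet reimplements that lookup with the standard library and then shows why the split-horizon DNS step matters: if DNS hands the client the public address while it is on the VPN, that traffic never enters the tunnel. All peer names, prefixes and hostnames are constructed.

```python
"""Model of WireGuard cryptokey routing plus the split-horizon DNS gotcha.
Added illustration; peers, prefixes and hostnames below are constructed."""
import ipaddress


def parse_allowed_ips(spec):
    """Turn an 'AllowedIPs = a/b, c/d' value into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def select_peer(peers, dst):
    """Longest-prefix match over every peer's AllowedIPs.

    Returns the peer name whose AllowedIPs cover dst most specifically,
    or None when no peer matches (packet leaves via the normal route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in nets:
            if addr.version != net.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return best[0] if best else None


# Constructed peer tables: split tunnel (internal ranges only) vs full tunnel.
SPLIT_TUNNEL = {
    "homeserver": parse_allowed_ips("10.8.0.1/32, 192.168.1.0/24"),
    "office": parse_allowed_ips("192.168.0.0/16"),
}
FULL_TUNNEL = {"homeserver": parse_allowed_ips("0.0.0.0/0, ::/0")}

# Constructed split-horizon records: one answer inside the VPN, one outside.
SPLIT_HORIZON = {
    "nas.example.home": {"internal": "192.168.1.10", "public": "203.0.113.7"},
}


def route_for(hostname, on_vpn, peers, dns=SPLIT_HORIZON, horizon_ok=True):
    """Resolve hostname as the client would and report which peer carries it.

    horizon_ok=False simulates a client that is on the VPN but still gets the
    public answer (no split-horizon DNS): the result is None, i.e. the
    traffic bypasses the tunnel even though the VPN is up."""
    view = "internal" if (on_vpn and horizon_ok) else "public"
    answer = dns[hostname][view]
    return answer, select_peer(peers, answer)


if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.5.5", "93.184.216.34"):
        print(dst, "->", select_peer(SPLIT_TUNNEL, dst))
    print(route_for("nas.example.home", on_vpn=True, peers=SPLIT_TUNNEL))
    print(route_for("nas.example.home", on_vpn=True, peers=SPLIT_TUNNEL,
                    horizon_ok=False))
```

`select_peer` returning None is the split-tunnel case: only the listed internal prefixes are encrypted, everything else uses the client's ordinary default route. With `0.0.0.0/0` in AllowedIPs every destination matches, which is the full-tunnel behaviour the comment is avoiding.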
[–] [email protected] 1 points 1 year ago

I would submit that there is a distinction between not caring and not being aware of something. Therefore, 'legally blind' would indicate someone is not aware of something, and not not caring about that something.

If I said I'm legally apathetic, that would imply I don't care about law and piracy.

[–] [email protected] 1 points 1 year ago

Depending on your existing monitoring stack, some options might be:

  • Grafana Loki
  • Sentry can be self-hosted for application logging
  • Logstash is self-explanatory, use with other parts of Elastic's software like Kibana for visualization.
[–] [email protected] 1 points 1 year ago (2 children)

Never used it, don't trust random github repos with only 3 stars, and I don't feel comfortable using turnkey solutions or "configuration scripts". I am a firm believer in the maxim that configuration is a deeply personal thing. Therefore, I would not use someone's configuration scripts because they are configured as he wants it, not as I want it.

Running Docker Desktop on Windows is not exactly hard. And once you have docker desktop running, it is not exactly hard to run whatever other software / media server you might like.

Windows is my primary workstation OS because I am legally blind and Windows has the best on-screen magnifier on the market. No other product, whether commercial or free, whether standalone or baked into the WM, comes even remotely close. So I use Windows. But within Windows, I leverage both WSL and Docker to run linux tools properly. All of my remote servers are linux. My home server is linux. More than half of my virtual machines are linux.

[–] [email protected] 1 points 1 year ago (5 children)

Python has entered the chat.

[–] [email protected] 1 points 1 year ago

I'm a smidge confused on what you are trying to achieve and how you think it will work.

As I understand you, you want to connect "embedded" devices where you do not control the software to a VPN network?

VPNs do need some kind of client (otherwise how does the network stack know to use the VPN protocol?) so how do you envisage this working without an app?

What is your desired topology like? Do you just want your smart TV/etc to connect to a remote media library over a VPN? If that's the case, then you are overthinking it with approvals etc.

You can achieve most of what you want with router configuration. Just define routes saying "Traffic from IP address 10.20.30.40 (TV) should go to 10.20.30.30 (gateway)" and then have the "gateway" handle the tunnel.

You can also look at tailscale's subnet routing (should work with headscale backend too).

Good luck.

[–] [email protected] 1 points 1 year ago (1 children)

A few things, in no particular order:

  • Docker interferes with user-defined firewall rules on the host. You need to expend a lot of effort to make your rules persist above docker. This functionally means that, if you are running a public-facing VPS/dedicated server and bind services to 0.0.0.0, even if you set up a firewall on the same machine, it won't work and your services will be publicly accessible
  • If you have access to a second firewall device  —  whether it is your router at home, or your hosting provider's firewall (Hetzner, OVH both like to provide firewall controls external to your server)  — this is not the biggest concern.
  • There is no reason to bind your containers to 0.0.0.0. You will usually access most of your containers from a certain IP address, so just bind them to that IP address. My preference is to bind to any address in the 127.0.0.0/8 subnet (yes, that entire subnet is loopback) and then use a reverse proxy. Alternatively, look into the 'macvlan' and 'ipvlan' docker network drivers.

Good luck
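Added example (not the commenter's code and not part of Docker): a small audit of Docker port publications that flags the `0.0.0.0` / unspecified bindings the comment warns about and suggests the loopback form it recommends. It understands the short `-p` / compose `ports:` syntax `[host_ip:][host_port:]container_port[/proto]`, including bracketed IPv6 addresses. The sample port list is constructed.

```python
"""Flag Docker port mappings that publish a container on every host address.
Added illustration; the sample mappings are constructed, not from a real host."""
import ipaddress


def parse_port_mapping(spec):
    """Parse '[host_ip:][host_port:]container_port[/proto]' into a dict.

    host_ip is None when omitted, which Docker treats as 0.0.0.0 (and ::)."""
    spec = str(spec)              # compose allows bare integers like 9000
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):      # IPv6 host address, e.g. [::1]:8080:80
        end = spec.index("]")
        host_ip = spec[1:end]
        parts = spec[end + 2:].split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:       # ip:host_port:container_port
            host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        host_port, container_port = parts[0] or None, parts[1]
    elif len(parts) == 1:
        host_port, container_port = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "proto": proto}


def is_publicly_bound(mapping):
    """True when the host side is unspecified (0.0.0.0 / ::) or omitted."""
    if mapping["host_ip"] is None:
        return True
    return ipaddress.ip_address(mapping["host_ip"]).is_unspecified


def suggest_loopback(mapping):
    """Equivalent mapping pinned to loopback, to be fronted by a reverse proxy."""
    host_port = mapping["host_port"] or mapping["container_port"]
    return f"127.0.0.1:{host_port}:{mapping['container_port']}/{mapping['proto']}"


def audit_ports(port_specs):
    """Return (original, suggested) pairs for every publicly bound mapping."""
    findings = []
    for spec in port_specs:
        m = parse_port_mapping(spec)
        if is_publicly_bound(m):
            findings.append((str(spec), suggest_loopback(m)))
    return findings


# Constructed compose-style 'ports:' list mixing good and bad bindings.
SAMPLE_PORTS = ["80:80", "127.0.0.1:8080:80", "0.0.0.0:5432:5432",
                "[::1]:3306:3306", 9000, "53:53/udp"]

if __name__ == "__main__":
    for original, fixed in audit_ports(SAMPLE_PORTS):
        print(f"{original:>20}  ->  {fixed}")
```

A LAN address such as `192.168.1.5:8080:80` is deliberately not flagged: that is the "bind to the IP address you actually access it from" option from the comment. Anything in `127.0.0.0/8` or `::1` passes the same way.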

[–] [email protected] 1 points 1 year ago

Ergo, formerly oragono, supports LDAP and possibly SAML. This is not something I have set up, but I have hosted a public ergo server before.

Good luck.

cc /u/badass6  —  no need to wait a day.

[–] [email protected] 1 points 1 year ago

Could I set up WireGuard between the home server and VPS then have that handle sending out the email?

Yes, you can.

What software stack would I need? Would this be something like postfix to postfix or..?

I don't think you need postfix-to-postfix. You just configure your VPS server's VPN-facing IP address in your dovecot or mail client (instead of the conventional localhost address).

[–] [email protected] 1 points 1 year ago (1 children)

In no particular order:

  • Price (if looking to host something low value)
  • Price/performance (if longer-term)
  • Details of Fair Usage Policy
  • Bandwidth limits
  • Overlimit pricing
  • Location - proximity
  • Location - creepiness of government / jurisdiction
  • Reputation of the company - are they scummy? Do they oversell? Is their datacenter about to get yeeted? (cough Dedipath cough)
  • Are they bullshitting me with RAID 100000 PURE SSD STORAGE!!!!!

In fact, I actually prefer HDD storage for most of my servers: for most websites, your bandwidth will be a bigger limitation than your data access speed.

[–] [email protected] 1 points 1 year ago

This is a case of RTFM. Specifically, TFM says:

Please note that we do not support nor encourage the use of reverse proxies and container to run Headscale.

Notwithstanding the above, there is community documentation to run headscale behind conventional reverse proxies.

However, per the headscale discord, cloudflare does not work because tailscale/headscale utilize a non-standard websocket negotiation.

If you want an alternative to headscale without publicly exposing your home IP too much, I highly recommend trying something like innernet.

What I like about innernet is that the control interface is only exposed within the VPN network, so there is no big deal that your IP is internet-facing — all non-WG connections to the open WG port are dropped, and WG connections require authentication.
