this post was submitted on 13 Nov 2025
141 points (98.6% liked)

Selfhosted

53057 readers
649 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
141
Using Fail2ban to protect exposed services (arvind.io)
submitted 1 week ago by paequ2@lemmy.today to c/selfhosted@lemmy.world
32 comments fedilink hide all child comments
 

I'm wondering if I'm starting to outgrow Tailscale... my wife keeps having networking issues on Android due to Tailscale, the Nvidia Shield kills the Tailscale app randomly, and my parents' TV doesn't have a Tailscale app...

I feel like the time is approaching to publicly expose some of my services to the internet...

Any other tips?

you are viewing a single comment's thread
view the rest of the comments
[–] null_dot@lemmy.dbzer0.com 13 points 1 week ago (1 children)

I've never used tailscale but use wireguard extensively.

There's not much of a learning curve for you as the administrator. You have to discard some misconceptions you might bring from other VPNs but really after 30 minutes of looking at configs you'll get it.

I use wireguard for my small team of 5 people to access self hosted services. You install wireguard, load the config, and then it just works.

The trick, if it can be called that, is using public dns for private services.

On your server, suppose you have service-a service-b and service-c in containers with ip addresses in the 10.0.2.0/24 range. Then you'd have a reverse proxy like traefik at 10.0.2.1. You'd also create a wireguard container with an IP in that same 10.0.2.0/24 range, and configure it's wireguard adapter to be 10.0.12.1 or soomething so you have "2" for the containers and "12" for the wireguard clients.

Then in wireguard configurations you direct all traffic for 10.0.2.0/24 through the tunnel but everything else just uses their devices normal internet connection.

Finally create a public dns record pointing to the reverse proxy like *.mydomain.com > 10.0.12.1

now whatever.mydomain.com will resolve to your reverse proxy but is still only available to devices connected to the wireguard container on your server.

[–] watson387@sopuli.xyz 3 points 1 week ago

DuckDNS is great for this. Been using it for years.