What us the best way to add remote access to my servers?

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨ZeDoTelhado@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hi,

I an currently trying to add remote access to 2 of my servers but didn’t manage to get a working setup as is.

Right now I want to access 2 servers:

one is for media stuff (navidrome, jellyfin, managing the arr stack)
one is for my data syncing with rsync and after set a backup from borg to another server not on my domain

I was trying at some point to add stuff such as tailscale, but somehow I always had issues with having both servers reachable within the IP range I use on my local network, so everything would work as is with the current config at home being away. I have also heard of cloudflare tunnels as well, but that I didn’t try yet. At some point I tried to do just a regular wireguard from my opnsense, but I would prefer not to have open ports to worry about (and also had issues with internal IP not being assigned from wireguard as well).

Does anyone here has experience with this? If so, what was your solution and/or caviats to it?

source

Comments

Sort:hotnew top

clifmo@programming.dev ⁨6⁩ ⁨hours⁩ ago
All you need is Wireguard with IP forwarding allowed on the host, maybe some firewall rules if you have one. You configure your wire guard client to only route traffic for your network IPs. I leave my wire guard client connected 100% of the time.

source
- kalpol@lemmy.ca ⁨53⁩ ⁨minutes⁩ ago
  This is the way. Quite secure and private. It is not complicated to set up, just have to get the keys and copy them in the right places (and protect the private keys) and do the forwarding to a VPN endpoint on your network.
  
  source
  - clifmo@programming.dev ⁨3⁩ ⁨minutes⁩ ago
    Yup. It gets more involved once you start adding DNS and SSL. But if you’re ok typing IPs and you’re not opening your firewall to the public, it’s all you really need.
    
    source
spaghettiwestern@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
[deleted]
source
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  I get what you’re saying, but how exactly the whole IP rotation is done in your case? How did you manage to have it accessible at all times even when your home IP changes? In my I actually have ipv6 which I am not sure if it does not make things more difficult
  
  source
  - spaghettiwestern@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
    DDNS (Dynamic DNS), one 3rd party service I do use.
    
    My network is reached by URL, not IP (although IP still works). When my IP changes the router updates the DDNS service in minutes. Lots of providers out there and it’s easy to switch if needed. I like DuckDNS. It’s free or you can choose to donate a bit to cover their expenses.
    
    source
    -> View More Comments
Dojan@pawb.social ⁨1⁩ ⁨day⁩ ago
I recently switched from tailscale to NetBird. Similar solution but FOSS and self-hostable.

Have you exposed the subnet the services are on, onto the Tailscale network?

source
- 0x0@lemmy.zip ⁨1⁩ ⁨day⁩ ago
  Did you consider Headscale? What made you chose NetBird?
  
  source
  - Dojan@pawb.social ⁨1⁩ ⁨day⁩ ago
    Nope.
    
    NetBird is European. The stack itself is FOSS and self-hostable instead of relying on third party projects, like Headscale. It has a reverse-proxy feature in beta that was also appealing.
    
    NetBird also utilises Coturn for STUN and TURN, and I’ve other software that depends on Coturn, so that kind of went hand-in-hand.
    
    source
    -> View More Comments
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  I think I did set this option, but still no internal IP. Can try again later to be sure
  
  source
hendrik@palaver.p3x.de ⁨1⁩ ⁨day⁩ ago
I just enable SSH, configure it to run on some non-standard port and enable Fail2ban… Make sure if use a certificate or secure password and also check if fail2ban is actually doing its job. Never had any issues with that setup.

source
- ergonomic_importer@piefed.ca ⁨1⁩ ⁨day⁩ ago
  
  For remote management, I just enable SSH, configure it to run on some non-standard port and enable Fail2ban… Make sure I use certificates or secure passwords and also check if fail2ban is actually doing its job. Never had any issues with that setup.
  
  This is what I’ve done for years, but I sometimes feel like it’s not a great solution from a security standpoint.
  Though I have switched from fail2ban to Crowdsec, which did end up banning my own connection attempts when I forgot to whitelist myself, so that seems secure enough.
  
  source
  - hendrik@palaver.p3x.de ⁨1⁩ ⁨day⁩ ago
    Hmmh. I’m not entirely satisfied with any of them. Crowdsec is a bit too complex and involved for my taste. And oftentimes there’s no good application config floating around on the internet. Whereas fail2ban is old and eats up way too much resources for what it’s doing. And all of it is a bit too error-prone(?) As far as I remember I had several instances when I thought I had set it up correctly, but it didn’t match anything. Or it was looking for some logfile per default but my program wrote to the SystemD journal. So nowadays, I’ll double-check everything.
    
    source
StrawberryPigtails@lemmy.sdf.org ⁨1⁩ ⁨day⁩ ago
The way Tailscale works, you don’t need to worry to much about your local IP address. You can just use the Tailscale IP address and it will connect as if you were local using the fastest route. That’s the beauty of a mesh VPN. Each device knows the fastest route to each other.

Without more information I can’t really tell what issue you are actually having, but if your system has internet, you have a local IP and if the system is showing as up on your tailscale dashboard than it will have a tailscale IP. Not being able to connect using one or the other would be a configuration issue. Whatever service you are having trouble with is probably only listening to one of the interfaces but not the other.

I’m assuming you are running a linux or unix box, but try running the command ip addr. Assuming you have the package installed, it will tell you all of your IP addresses for the system you run the command on. The list may be quite long if you have a lot of docker containers running. The command tailscale ip will do the same but limited to your tailscale IP addresses.

source
- mrnobody@reddthat.com ⁨1⁩ ⁨day⁩ ago
  How did you config tail scale though? Are you using some Apple or MS author account? I want to stay away with using one of their services to “authorize” connecting to my own server
  
  source
  - StrawberryPigtails@lemmy.sdf.org ⁨1⁩ ⁨day⁩ ago
    
    Are you using some Apple or MS author account?
    
    Google and Github SSO were the only options when I originally setup tailscale. There are a few more options now including what looks like every self-hosted OIDC provider I’ve ever heard of, and a few I hadn’t.
    
    How did you config tail scale though?
    
    There are a couple options depending on how you are using it. Most of the time I just use the tailscale command to configure each node.
    
    Most systems were just sudo tailscale up --ssh to get it up and running, although I have one system setup as a subnet router to give me outside-the-house access to systems that I can’t put tailscale on. That was a little more involved but it was still pretty straightforward and well documented. Their documentation is actually very well written and is worth the read.
    
    source
GreenKnight23@lemmy.world ⁨1⁩ ⁨day⁩ ago
“how do I add remote access to my servers?”

don’t.

create a new server that’s accessible via VPN and then access your servers from there. then actively log all connections from that device and alert anytime someone or something connects to it.

what is more secure? a house with twenty front doors or a house with one front door and an alarm on it.

source
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  If you check my edit that is kind of what I was hoping to do from the start: have a hop server (or stepping stone, both terms apply), and from there I do what I need to do
  
  source
neon_nova@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
I was going to say Tailscale. You will need to give more details about what didn’t work with Tailscale, but it has been pretty seamless for me.

source
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Basically when I connect to tailscale I just can’t get it to give an internal IP so I can access everything with my configs. Unless I am missing something obvious, I don’t understand what is going on here.
  
  source
  - neon_nova@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
    When you connect to Tailscale, via cli it should give you a link to use to connect it to your account. You can get the ip address in various ways. One of which is just looking on your Tailscale dashboard. You need to have Tailscale installed on every machine you want to talk with.
    
    source
  - MaggiWuerze@feddit.org ⁨1⁩ ⁨day⁩ ago
    Sure, you’re not behind CGNAT?
    
    source
    -> View More Comments
- mrnobody@reddthat.com ⁨1⁩ ⁨day⁩ ago
  How did you config tail scale though? Are you using some Apple or MS author account? I want to stay away with using one of their services to “authorize” connecting to my own server
  
  source
  - neon_nova@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
    As far as I know you need to authenticate through them.
    
    Alternatively, you could setup your own vpn to do all this, but it is much more work and will likely have some cost.
    
    source
Atlas_@lemmy.world ⁨1⁩ ⁨day⁩ ago
If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.

If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.

Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.

source
captcha_incorrect@lemmy.world ⁨1⁩ ⁨day⁩ ago
Do you want to expose port 80/443 and set up a reverse proxy or do you want to use a VPN tunnel? You could just use SSH to port 80 and 443 like so: ssh -L 80:<local-server-ip>:80 -L 443:<local-server-ip>:443 <username>@<domain>

I expose port 80/443 and use Caddy as a reverse proxy together with Authelia to protect anything that I deem needs an extra layer of security. I followed this guide: caddy.community/t/…/20465

Once setup, it is easy to remove or add a backend to Caddy and Authelia. This way does mean that you sometimes need to log in twice, but that is a small price to pay if your backend app does not support SSO (like n8n community edition).

source
Paragone@lemmy.world ⁨1⁩ ⁨day⁩ ago
Give it a robot that can read your handwriting, & write snail-mail lettres to it?

d :

_ /\ _

source
sj_zero ⁨1⁩ ⁨day⁩ ago
Apache guacamole is something I wish I had when I started. Let's you connect with telnet, ssh, RDP, or VNC using html5
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Never heard of this one, will check once I can
  
  source
h_ramus@piefed.social ⁨1⁩ ⁨day⁩ ago
I’m behind CGNAT. My OpenWrt router is a Netbird server that can be connected externally. Having the Netbird server in the router allows me to ssh devices or use services as if I was connected via WiFi.

There’s documentation for Opnsense as well -(https://docs.opnsense.org/manual/how-tos/netbird.html)

source
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  I will check if this can work for me, but sounds like it is the kind of solution I am looking for
  
  source
  - h_ramus@piefed.social ⁨1⁩ ⁨day⁩ ago
    After everything is setup, create a network route to distribute an ip to machines connected to you lan. I can’t recall exactly but setting up Netbird was pretty straightforward when following the documentation. They also have their own for Opnsense - (https://docs.netbird.io/get-started/install/opnsense)
    
    Managed Networks documentation
    
    source
nykula@piefed.social ⁨1⁩ ⁨day⁩ ago
Have you tried adding Tor hidden services? It was the easiest solution for me to expose ports from behind the provider’s NAT to my phone when not at home.

source
- ZeDoTelhado@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Never tried hidden services from tor. Can check how that works but not sure if it is the solution I am looking for. Thanks for the info anyways!
  
  source
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨day⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

CGNAT Carrier-Grade NAT

IP Internet Protocol

NAT Network Address Translation

[Thread #127 for this comm, first seen 2nd Mar 2026, 10:00] [FAQ] [Full list] [Contact] [Source code]

source
pHr34kY@lemmy.world ⁨1⁩ ⁨day⁩ ago
Just expose it on single-stack IPv6. Nobody ever knocks. The address space is not scannable.

source
- forestbeasts@pawb.social ⁨6⁩ ⁨hours⁩ ago
  The moment you get a TLS cert, it’ll show up in Certificate Transparency logs and apparently the attack bots scan that for targets.
  
  source
  - pHr34kY@lemmy.world ⁨6⁩ ⁨hours⁩ ago
    Make it a subdomain on a wildcard cert if you’re concerned about that.
    
    source
prenatal_confusion@feddit.org ⁨1⁩ ⁨day⁩ ago
I switched from tail scale to pangolin for reverse proxy. Does everything. Auth, VPN, hidden services, public services. Fantastic piece of software

source

Fewer Letters	More Letters
CGNAT	Carrier-Grade NAT
IP	Internet Protocol
NAT	Network Address Translation