Self-hosting
DIY OpenSource Cloud & SaaS
Othmane KINANE
CTO @ Morocco (formerly )
Passionate about Software Craft and Code quality
Maintainer of dotnet-subset
It all started when I discovered r/selfhosted in 2017
*arr stack
© David “DEVO” Harry
Network-attached storage (NAS)
2x 2 TB in RAID1 for personal data
1x 1 TB for stuff from the internet
802.11ac wifi, 4 GbE ports
Customizable linux firmware
USB ports*
Android TV Box
private IP (192.168.1.2)
ISP router in bridge mode (ADSL/fiber to ethernet)
Router
Server
Storage
WWW
public IP given by ISP
Private IPs are not reachable from the internet!
private IP (192.168.1.2)
ISP router in bridge mode (ADSL/fiber to ethernet)
Router
Server
Storage
WWW
👍 VPN is considered very secure
👍 One UDP port open on the router to access the whole home network
Not convenient, requires installing a VPN client on every device 👎
CPU/Bandwidth overhead 👎
public IP given by ISP
VPN to the rescue!
private IP
192.168.10.2
private IP
192.168.10.3
Router manages:
- home network (192.168.1.x)
- VPN network (192.168.10.x)
VPN clients need a fixed public address to connect to.
private IP (192.168.1.2)
Router
Server
Storage
WWW
public IP given by ISP
Not so fast, the public IP in Morocco changes every 24h!
private IP
192.168.10.2
private IP
192.168.10.3
?
?
public IP given by ISP
When the IP changes, the router updates a domain to point to the new IP.
You can use your own domain or one of the free DDNS services (noip.com, …)
private IP (192.168.1.2)
Just use a domain instead of an IP
Router
Server
Storage
WWW
private IP
192.168.10.2
private IP
192.168.10.3
Dynamic DNS
manzil.ddns.net
manzil.ddns.net
private IP (192.168.1.2)
Router
Server
Storage
WWW
What if I can’t install a VPN client on the device?
What if my router doesn’t have a VPN server feature?
port 1234
port 5678
https://manzil.ddns.net:1234
Source port | Destination IP | Destination port
1234 | 192.168.1.2 | 5678
… | … | …
Port forwarding
Everything worked great
Docker?
No time 😭
February 2020 …
Now I have 2 weeks just for myself 😁
Me
ESXi
bare metal hypervisor�(OS for VMs)
ESXi
Linux VM
VM2 ...
Docker
Container1
Container2
…
manzil.ddns.net
Router
Server
Storage
WWW
port 1234
port 5678
https://manzil.ddns.net:1234
Everything worked great
Security ?
Rogue/compromised container
Unrestricted network access
Single network
manzil.ddns.net
Router
Server
Storage
WWW
manzil.ddns.net resolves to my home IP
IP is a Personally Identifiable Information (PII)
manzil.ddns.net
Router
Server
Storage
WWW
https://pics.manzil.ma
TUNNELS
Pros:
- Easy to set up
- Free DDoS protection
- Other cloudflare goodies
Hide your IP behind another server
Con:
Free tier only supports HTTP(S) tunneling
=> TLS termination at cloudflare servers
=> they can see all your traffic
always-on connection
(tunnel)
(DNS handled by cloudflare)
resolves to VM IP
OCI free VM
frp server�(OSS tunnel)
manzil.ddns.net
Router
Server
Storage
WWW
https://pics.manzil.ma
Pros:
- TCP tunneling
=> TLS termination at home
Hide your IP behind another server
Cons:
- Needs time to set up and maintain
- DDoS protection?
always-on connection
(tunnel)
frp client
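Added example, not from the deck: an frp client configuration (frp's TOML format) for the TCP tunnel sketched above, forwarding port 443 through the relay VM as raw TCP so the TLS session is terminated on the home server, not on the relay. The relay address, token and home server IP are placeholders; the matching frps.toml on the VM needs the same bindPort and token.

```toml
# frpc.toml, runs at home (assumed layout; values are placeholders)
serverAddr = "203.0.113.10"        # placeholder: public IP of the OCI free VM
serverPort = 7000                  # must match bindPort in frps.toml on the VM

# Shared secret so only your own frpc can register proxies on the relay
auth.method = "token"
auth.token = "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Encrypt the frpc <-> frps control connection itself
transport.tls.enable = true

[[proxies]]
name = "https-passthrough"
type = "tcp"                       # plain TCP, so the relay never decrypts HTTPS
localIP = "192.168.1.2"            # home server (private IP from the diagram)
localPort = 443
remotePort = 443                   # port exposed on the relay VM for pics.manzil.ma
```

Because the proxy type is tcp rather than http/https, the certificate and private key for pics.manzil.ma stay on the home server; the relay only sees ciphertext.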
Rogue/compromised container
Unrestricted network access
Single network
manzil.ddns.net
Router
Server
Storage
Solution:
Implementation:
So I chose one of the popular OSS firewalls
network 2
network 1
network 3
home network
Other stuff I’ve done:
Stuff I want to do:
Thank you!
Slides available here: