Hi All, I know it was asked multiple times but I’m a noob.
What is the best way to access my server from external network? I know I can open a port on router (not recommended), Tailscales, Wireguard or Direct VPN. I will access from android phone and maybe from other devices.
What I want to try to access (mainly docker on NAS)
- bitwarden
- calibre
- setup home assistant
- possibly RSS server
- nextcloud
- plex server (already remote access)
- maybe docker apps too
Thanks
I know I can open a port on router (not recommended)
This is basically the only option you have if you want to provide access from external to selfhosted applications. Just forward the desired ports to the machine where the services are running on.
The less entry points you have, the better. You could “bundle” all web-based applications on port 443 and use a reverse proxy to route the traffic to the actual port based on the hostname the access was done on.
So in your router you define that all https traffic (port 443) is forwarded to your server, and on your server there is running a reverse proxy listening on port 443. All of your applications are listening on different ports that are not accessible from external. The reverse proxy then takes the hostname used for access and proxies the traffic to the actual host based on that hostname.
With this you have only one port open on your router and this one port is only forwarded to one single machine. Everything else is handled by that machine.
You could use Cloudflare Tunnels. If you want to be the only one with access to them, you could set it in your private networks, which are only accessible to you on any device with the WARP client installed.
I use tailscale for this with no issues. It traverses my CGnat without significant speed reduction. Just install tailscale on the hosts with the services on them and use magic dns or install tailscale on a vm/container and have it advertise your home subnet as a subnet router.
An option is to set up WireGuard vpn as well couple it with your internal DNS for all those services, and nginx proxy manager to grab certs which you’ll need for hosting Bitwarden/vaultwarden.
443/80 get opened and pointed to nginx which has acl only allowing internal access, then whatever port you choose for WireGuard. On your phone setup the WireGuard app for on demand access once you’re not on your home wifi and job done.