My current setup is that I have a home server running a number of services that are only accessible to myself on my local network (Jellyfin, Home Assistant, etc.) and a DigitalOcean droplet I rent that runs a number of public facing items (personal websites). I’ve been looking into running my own Matrix server for myself and some friends, but while it will be public facing, I would prefer to run it on my own hardware for cost and storage reasons.
I have gotten it up and running the “old fashioned way”, by pointing my domain at my home network, setting up port forwarding and a reverse proxy. Is this the recommended solution? I have heard vague references made to somehow using a VPS service to forward specific traffic to a home server via WireGuard. I’m not sure how this is done, or really what the benefits are, so I was curious if anyone had any advice.
One of the main reasons to do this is if you are behind CGNAT and cannot port-forward. However, giving out your home IP isn’t ideal regardless. If you decide to not use a VPS as a reverse proxy, then you might want to look into using cloudflares proxy, which hides your IP and also serves your content more efficiently. However, I’m not quite familiar on how matrix works so this might not be possible if you need ports other than 80 and 443 as all other ports are not forwarded by the cloudflare proxy.
I started to do it the VPS - Wireguard - Home way recently. The advantage is that you do not need to expose an inbound port at home.
I do the very thing that you are seeking to do. I have a free Oracle Cloud VM running nginx as a reverse proxy. Between the reverse proxy and my home server is a WireGuard tunnel. There are some benefits in that ports do not need to be opened on your home network’s firewall so you don’t have to do any port forwarding. If you want to go this route, the advice I have for you is to get a free Oracle cloud VPS, install NGINX Proxy Manager on it, and configure a WireGuard tunnel between it and the actual server that the service you want to provide resides on. NGINX Proxy Manager is actually not hard to get going and there are plenty of YouTube videos on it. In fact, for people new to self-hosting I really recommend NGINX Proxy Manager as I started out that way. NGINX Proxy Manager has a well designed GUI. In fact it is so well designed that most of the options are self-explanatory.
As I learned nginx and became better with it, I decided to decommission NPM in favor of a pure nginx environment because I am actually faster on the command line than a GUI. The hardest part for me was getting the WireGuard tunnel built between my home server and my cloud VM. That more pointed out to the fact that I didn’t have a good grasp of how firewalld works and firewalld is used in Alma Linux which is on my cloud VM. That was the real challenge.
I’m sure it’s also doable via your own vps, but I think most people are talking about managed systems like cloudflare tunnels https://www.makeuseof.com/use-cloudflare-tunnel-expose-local-servers-internet/
Just wanted to add this link explaining how to use tunnels in a more privacy respecting way
https://help.nextcloud.com/t/is-cloudflare-tunnel-safe-privacy-focused/150268/2
Problems with TLS (free option of routing on cloudlfare tunnels)
interception (or HTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a “transparent proxy”: the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.