Differences
selfhost:external_server [2025/02/19 09:54] willyselfhost:external_server [2025/03/13 09:29] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== External Server ======+====== D) External Server ======
  
 The external server is used for a few different tasks: The external server is used for a few different tasks:
Line 46: Line 46:
 ===== External server Setup ===== ===== External server Setup =====
  
-I assume you can install your own OS, so let's install Gentoo. Follow the [[gentoo:installation|Quick & Dirty Gentoo Installation]] but on your external server.+I assume you can install your own OS, so let's install Gentoo. Follow the [[gentoo:installation|Quick & Dirty Gentoo Installation]] but on your external server instead of your home server.
  
-You don't need to install **anything** beside the bare minimum of the basic text-only installation.+You don't need to install **anything** beside the bare minimum of the basic text-only installation, except the specific packages described below.
  
-Do not create any additional users except one unprivileged user, because you don't want to login as root remotely. 
  
 ==== Required packages ==== ==== Required packages ====
  
-PHP, NGINX, wireguard-tools, logrotate, nfs-utils +Do not forget to install the following minimum stuffrequired for any reasonable server: 
- +  * //app-admin/logrotate//: configure it to rotate all the logs for the various services 
-==== Filesystem sharing with internal server ====+  * //app-admin/sysklogd//: syslog daemon 
 +  * //app-backup/restic//: backup solution 
 +  * //net-firewall/nftables//: upgraded iptables solution 
 +  * //net-vpn/wireguard-tools//: needed to create the VPN tunnel between the home server and the external server 
 +  * //www-servers/nginx//: which will act as reverse proxy for the home server servicesand will allow access to services on the external server 
 +  * //net-misc/chrony//: NTP client  
 +  * //sys-process/cronie//: Cron daemon 
 +  * //app-crypt/certbot-nginx//: Let's Encrypt ACME client for SSL certificates renewal 
 +  * //dev-lang/php// (optional): if needed for some serviceslike webmail 
 +  * //net-fs/nfs-utils// (optional): if you want to share filesystem between home server an external server
  
 +As a quick reminder, with suggested USE flags:
 <code bash> <code bash>
-emerge -vp nfs-utils+# to use only nftables and not iptables: 
 +echo "sys-apps/iproute2 -iptables nfs" >> /etc/portage/package.use/iproute2 
 +# nginx and PHP cross support 
 +echo "app-misc/mime-types nginx" >> /etc/portage/package.use/nginx 
 +echo "app-eselect/eselect-php fpm" >> /etc/portage/package.use/php 
 +echo "dev-lang/php fpm sqlite zip spell intl pdo curl exif gd xmlreader xmlwriter soap" >>  >> /etc/portage/package.use/php 
 +emerge -vp app-admin/logrotate app-backup/restic app-admin/sysklogd app-crypt/certbot-nginx dev-lang/php net-fs/nfs-utils www-servers/nginx net-vpn/wireguard-tools net-misc/chrony sys-process/cronie net-firewall/nftables
 </code> </code>
 +
 +
 +==== Unpriviledged users & SSH access ====
 +
 +SSH access for user root must be disabled. Also, password login sohuld be disabled as well, limiting SSH access to using public/private keypair **only**. This is very important, because extensive port scanning and brute force attacks toward the SSH daemon happens every day and your password will be cracked, sooner or later. Using keys solve that issue.
 +
 +The SSH server should also be moved to a port other than 22. This will **not** prevent brute force attacks, but greatly reduce them.
 +
 +To allow remote access, add the **public** key of the users from the home server to the **/home/user/.ssh/authorized_keys** file.
 +
 +Given that the //root// user must never be used for remote login, you need the following unproviledged users:
 +  * //user//: this one will be used by you for remote SSH access.
 +  * //backup//: this will be used by the home server to upload the offsite backups
 +  * //tunnel//: this will be used by the home server to setup SSH tunnels (alternative to using WireGuard)
 +
 +
 +==== Filesystem sharing with internal server ====
 +
 +In case you want to share a filesystem between your home server and the external server, you can do that with NFS v4.2 over the Wireguard tunnel. Do not use NFS without the wireguard tunnel: it will be unencrypted.
  
 Create **/etc/conf.d/nfs**: Create **/etc/conf.d/nfs**:
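Review bot: the PHP USE-flag line in the `<code bash>` block has a doubled redirection, `echo "dev-lang/php fpm sqlite zip spell intl pdo curl exif gd xmlreader xmlwriter soap" >>  >> /etc/portage/package.use/php`, which bash rejects as a syntax error, so nothing is written to the file; drop one `>>`. In the same block `emerge -vp ...` is a pretend run only, so the text should say that the reader has to rerun it without `-p` (or with `-av`) to actually install the packages. The new SSH section states the policy (no root login, no password login, keys only, non-default port) but never shows the `sshd_config` lines that implement it; add `PermitRootLogin no`, `PasswordAuthentication no` and `Port <n>` (and `KbdInteractiveAuthentication no`, which closes the second password path), and say how the `backup` and `tunnel` accounts are confined, for example a `Match User` block with `ForceCommand` / `AllowTcpForwarding` settings or `restrict`-style options in their `authorized_keys`, because as written both accounts get a full interactive shell while the page only needs them for uploads and tunnels. Typos in the added text: "stuffrequired", "servicesand", "serviceslike", "Unpriviledged", "sohuld", "unproviledged", "Using keys solve" (solves).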
Line 66: Line 100:
 OPTS_RPC_NFSD="8 -H 10.70.0.2 -N 3 -N 4.0 -N 4.1 -V 4.2" OPTS_RPC_NFSD="8 -H 10.70.0.2 -N 3 -N 4.0 -N 4.1 -V 4.2"
 </file> </file>
-to bind NFS to the wireguard interface and disable all legacy NFS versions+to bind NFS to the wireguard interface and disable all legacy NFS versions
 + 
 +For wireguard tunneling, see [[gentoo:wireguard|here]] and [[networking:wireguard_redirects|here]].
  
  
-===== Networking =====+===== Connecting home server and external server =====
  
 +There are two ways to achieve this, which preserve security:
 +  * Create a wireguard tunnel
 +  * Create an SSH tunnel
  
 +Both solutions have pros and cons, and both require the home server to initiate the connection to the external server and this will let you escape any kind of CG-NAT and let you do port-forwarding as well. 
  
-Having an external server, like a VPS (Virtual Private Server) let you bypass CG-NAT (carrier-grade NAT) and give you the access to a real public, static IP address. This is mandatory, in my opinion, for many reasons.+This topic is covered [[networking:external_access|here]].
  
-I will detail more on this topic in the future, for the moment refer to the following pages: 
-  * [[networking:external_access|Remote Access to your Home Server]] 
-  * [[router:external-server|External server]] 
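Review bot: `-H 10.70.0.2` in `OPTS_RPC_NFSD` only binds rpc.nfsd; rpc.mountd and rpcbind, if they are started, still listen on every interface, and the new text does not say that port 2049 must also be closed off in nftables, so add a rule that accepts tcp/2049 only on the WireGuard interface from the home server's tunnel address and drops it elsewhere, and note that `/etc/exports` should export only to that peer address, e.g. `/srv/share 10.70.0.1(rw)` (path and peer address assumed, the page only shows the server side 10.70.0.2). The `-to bind NFS to the wireguard interface...` line and its `+` replacement read identically, so that change is whitespace only. The deleted link `[[router:external-server|External server]]` is not carried into the new "Connecting home server and external server" section; if that page still exists, keep the reference next to the `[[networking:external_access|here]]` one.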
