
D) External Server

The external server is used for a few different tasks:

First of all, the main purpose of the external server is to provide a static, public IP address for you to use. This IP should not be in a residential IP block, so you need to rent something from a proper hosting provider.

Selecting an external server

The best choice would be a physical hardware with unlimited bandwidth and data cap, and with free network attached console.

Now stop dreaming and get real.

There are different tiers of servers, and I assume they are all hosted on some network provider's premises (= outside your home):

  1. Your own hardware
  2. You rent some real hardware
  3. You rent some virtual machine on shared hardware (VPS)

The first option is probably stupid, as it puts the burden of hardware failures and maintenance on you. It makes sense only when you can host it very close to you, where you can physically go when needed, and if you can do it for free. Renting rack space can quickly cost as much as renting the entire server hardware itself.

The second option is the best for privacy, since you actually are the only user on the hardware itself, but it is slightly more expensive. And you can usually install the OS you like.

The last option is usually the cheapest; the only drawback is that the underlying hardware is shared between many VPSes. Also, often you cannot choose your OS.

Whatever option you choose, depending on budget and whatever preference you have, these are the minimum requirements you want to focus on:

Things you might want to consider (price for value):

Things that don't need money spent on them:

Of course, pump up storage if you plan to use the server also for offsite-backup storage.

External server Setup

I assume you can install your own OS, so let's install Gentoo. Follow the Quick & Dirty Gentoo Installation but on your external server instead of your home server.

You don't need to install anything beside the bare minimum of the basic text-only installation, except the specific packages described below.

Required packages

Do not forget to install the following minimum stuff, required for any reasonable server:

As a quick reminder, with suggested USE flags:

# use only nftables and not iptables (and let ss show NFS sockets):
echo "sys-apps/iproute2 -iptables nfs" >> /etc/portage/package.use/iproute2
# nginx and PHP cross support (PHP is run through php-fpm behind nginx)
echo "app-misc/mime-types nginx" >> /etc/portage/package.use/nginx
echo "app-eselect/eselect-php fpm" >> /etc/portage/package.use/php
echo "dev-lang/php fpm sqlite zip spell intl pdo curl exif gd xmlreader xmlwriter soap" >> /etc/portage/package.use/php
# -p only pretends: review the list, then run emerge again without -p
emerge -vp app-admin/logrotate app-backup/restic app-admin/sysklogd app-crypt/certbot-nginx dev-lang/php net-fs/nfs-utils www-servers/nginx net-vpn/wireguard-tools net-misc/chrony sys-process/cronie net-firewall/nftables

Unprivileged users & SSH access

SSH access for user root must be disabled. Password login should be disabled as well, limiting SSH access to public/private keypairs only. This is very important, because extensive port scanning and brute force attacks against the SSH daemon happen every day, and a password will be cracked sooner or later. Using keys solves that issue.

The SSH server should also be moved to a port other than 22. This will not prevent brute force attacks, but it greatly reduces them.

To allow remote access, add the public keys of the users on the home server to the /home/user/.ssh/authorized_keys file of the matching user on the external server.
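The three sshd settings just described (no root login, no password login, a port other than 22) are easy to get wrong because sshd keeps the first occurrence of a keyword and silently ignores later duplicates. The following audit script is an added example, not part of the original guide: it parses an sshd_config text with that first-match rule and reports which of the three requirements are not met. The two sample configs are constructed for the demonstration; settings inside Match blocks are skipped, since they are conditional.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd_config text for the
# settings the guide requires. sshd uses the FIRST value of a keyword found
# outside Match blocks; later duplicates are ignored, and this parser mirrors that.

# Print the effective value of keyword $2 in config text $1, or default $3.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { inmatch = 1 }  # Match blocks are conditional: not evaluated
        inmatch { next }
        !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print def }
    '
}

# Print every listening port (sshd listens on all Port lines), default 22.
sshd_ports() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }
    '
}

# Return 0 when the config meets the guide's rules, 1 otherwise (findings on stdout).
# Defaults passed in are the modern OpenSSH defaults (PermitRootLogin prohibit-password).
sshd_audit() {
    cfg="$1"; rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$cfg" PasswordAuthentication yes)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; }
    for p in $(sshd_ports "$cfg"); do
        [ "$p" != "22" ] || { echo "FAIL Port=22 still in use (move it)"; rc=1; }
    done
    return $rc
}

# Constructed sample: a default-looking config that violates all three rules.
WEAK_CFG='# constructed sample
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp internal-sftp'

# Constructed sample: hardened as the guide requires; the late duplicate is ignored by sshd.
HARDENED_CFG='# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes   # duplicate: sshd keeps the first value (no)'

# Stand-alone demo; on a real server run: sshd_audit "$(cat /etc/ssh/sshd_config)"
sshd_audit "$WEAK_CFG" || echo "weak sample rejected"
sshd_audit "$HARDENED_CFG" && echo "hardened sample accepted"
```

After editing the real file, `sshd -t` still has the last word on syntax; this script only checks the three policy points, and a Match block that re-enables passwords for a specific user would not be caught by it.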

Given that the root user must never be used for remote login, you need the following unprivileged users:

Filesystem sharing with internal server

In case you want to share a filesystem between your home server and the external server, you can do that with NFS v4.2 over the WireGuard tunnel. Do not use NFS without the WireGuard tunnel: it would travel unencrypted over the public internet.

Create /etc/conf.d/nfs:

OPTS_RPC_NFSD="8 -H 10.70.0.2 -N 3 -N 4.0 -N 4.1 -V 4.2"

to bind NFS to the WireGuard interface address (10.70.0.2 here) and disable all legacy NFS versions, leaving only v4.2.

For WireGuard tunneling, see here and here.
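Binding rpc.nfsd to the tunnel address is one half of keeping NFS off the public interface; the firewall is the other half. The script below is an added example, not from the original guide: it renders an nftables ruleset for the external server as described on this page (SSH on a moved port, WireGuard UDP from the home server, nginx on 80/443, NFS accepted only on the tunnel interface) and includes a check that refuses any ruleset which accepts port 2049 without an interface restriction. The SSH port 2222, WireGuard port 51820 and interface name wg0 are assumptions for the demo, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumed values: SSH on 2222,
# WireGuard on UDP 51820, tunnel interface wg0; pass your own as arguments.

# Render a complete nftables ruleset: $1 = ssh port, $2 = wireguard port, $3 = wg interface.
render_nft_ruleset() {
    ssh_port="$1"; wg_port="$2"; wg_if="$3"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        tcp dport $ssh_port accept comment "ssh, moved off 22"
        udp dport $wg_port accept comment "wireguard from the home server"
        tcp dport { 80, 443 } accept comment "nginx / certbot"
        iifname "$wg_if" tcp dport 2049 accept comment "nfs v4.2 only over the tunnel"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Return 0 if the ruleset text drops unsolicited input by default and never
# accepts NFS (2049) without an iifname restriction; 1 otherwise.
check_nft_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q 'hook input priority 0; policy drop;' || return 1
    # any rule mentioning 2049 that lacks an interface match is a public NFS exposure
    printf '%s\n' "$rules" | grep 'dport 2049' | grep -v 'iifname' | grep -q . && return 1
    return 0
}

# Stand-alone demo: render, check, and print the ruleset.
RULES=$(render_nft_ruleset 2222 51820 wg0)
check_nft_ruleset "$RULES" && printf '%s\n' "$RULES"
```

To apply it on the server, write the output to a file, syntax-check it with `nft -c -f <file>`, and only then load it with `nft -f <file>`; keep a console session open the first time, since a mistake in the input chain locks you out of SSH.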

Connecting home server and external server

There are two ways to achieve this, which preserve security:

Both solutions have pros and cons. Both require the home server to initiate the connection to the external server, which lets you escape any kind of CG-NAT and still do port-forwarding.

This topic is covered here.