
Prev to: Storage Setup

Next to: The *Arr's setup


Networking Setup

The network configuration is divided into two parts: the home network and the remote access. The most complex part is being able to log in remotely to your home network, because that requires some way to actually reach your home network from outside. Back in the good old days, when you connected to the internet you were granted a public IP address that you could use to access your home network from outside. After some time, Internet Service Providers (ISPs) started handing out, more and more frequently, only a private IP address, due to the well-known scarcity of the IPv4 address pool. This is much more common outside the U.S.A. and most common outside the western world. With mobile connections nowadays becoming quite common for home connections (it's much cheaper to place a few 5G towers than to cable fiber everywhere) things are even worse than that. Luckily, at the same time, renting a VPS or a dedicated server with a public IP address is getting cheaper and easier. So there is always hope for you.

The Home Network

Home networks are usually flat. This means you have no VLANs or managed Layer 3 switches at home. You might have a guest network in addition to your main network (for the more advanced or privacy-concerned among you), but that doesn't change the gist of it. Your server will be connected to your home network and it will be reachable by all your devices (smart TVs, phones, tablets and PCs).

I will assume your home network is 192.168.0.0/24 (netmask 255.255.255.0), and I will make the following assumptions:

  • You should have a Pi Hole on your network, but it's not mandatory.
  • You are connected to the internet using a router provided by your ISP at 192.168.0.254
  • Your server will have a static IP address set up as 192.168.0.1
  • The rest of your devices are on DHCP

Why a static IP for your server? So that you can always reach it, and you can easily set its address on your devices without resorting to weird DNS setups or modifying the DHCP settings provided by your ISP router (or Pi Hole).

You should have already configured your network during the Gentoo installation, but in case you didn't, you should do it now. There are many ways to do so with Gentoo: you can go fully manual or use NetworkManager, for example. Please refer to the great Gentoo Full Networking Handbook page for more details.

I strongly suggest you use better DNS settings than your own provider's, since in many countries torrent sites and the like might be filtered by law. Edit your /etc/resolv.conf:

nameserver 8.8.8.8
nameserver 8.8.4.4

(Note: if you use NetworkManager you need to set the DNS servers within its interface, since it will overwrite the resolv.conf file.)

to use Google's own DNS. No, I don't like Google in particular, but their DNS servers work just fine and don't censor any interesting site (so far).

The Remote Access

Remote access to your home network can be a hassle. Let's see the most common options:

  • Public IP address. Easiest: get a DynDNS account of any kind and set it up in your ISP router, enable port-forwarding for your server or put it in the DMZ, and you are all set. There are plenty of guides for this case, so I will not go into more detail.
  • Private IP address, but with port-forwarding supported by your ISP: still easy, enable the relevant settings in your ISP router and go to a website like this one to find out your public IP address. It might change over time, but you can still use the DynDNS trick by installing the DynDNS client on your server. Again, I will not go into more detail for this option.
  • Private IP address and no port-forwarding. Please note that your ISP router will still have port-forwarding options, but they will be totally useless, as they will only forward your ports into your ISP's private network and NOT to the real internet. A clear sign of this is when your supposedly external IP (you can usually see it in your ISP router page) is in fact in a private range (e.g. 10.x.y.z, or 100.64.0.0/10, the range reserved for carrier-grade NAT). I will cover this case.

Well, you are in the worst possible condition and, let's be honest, there is NO way out unless you go down one of two paths:

  • Buy a VPN that provides port-forwarding. Avoid any VPN without port-forwarding. This is, again, easy, but it's pricey and doesn't really give you any further advantage, so this is not my preferred solution and I will let you explore it yourself.
  • Rent (or access somehow) a server on the internet with a public static IP address. This is the best solution in my view (albeit probably more expensive than a VPN) because it opens a world of opportunities for you.

I chose to rent a real remote server (not a virtual machine) for a fairly small amount of money each month (just a few bucks/quids/greens more than the monthly cost of a port-forwarding VPN, to be honest; shop around!). It has a somewhat slow CPU, only 8 GB of RAM and very little storage space (in the 100 GB range), but it gives me a public and static IP address without any limitation on open ports nor filtering. Also, remember that you don't need to rent it near you, nor in your home country. You can find very good deals in cheaper countries…

Once you have rented your server, go ahead and install Gentoo on it (of course!). Again, a text-only installation is all you need, because you will only use socat and an SSH tunnel to forward public connections to your home. From now on I will assume that you have Gentoo installed on your remote server and that the server can be reached at the IP 99.99.99.99 (this is a fictional IP, just for future reference).

Remote Server Hardening

You want your remote server to be as secure as possible. So, do not install ANY service on it except for SSH (installed by default on Gentoo, just remember to enable it). Some points to follow during or after installation:

  • Create one non-privileged user (let's call it tunnel, you will see why)
  • Move SSH from port 22 to port 622 (edit /etc/ssh/sshd_config)
  • Disable root login for SSH (by default in Gentoo)
  • For added security, you might want to disable password authentication via SSH and require public-key authentication (an RSA or Ed25519 key pair). But be careful! Test the new configuration from a second session while the first one stays open, or you risk losing remote access to your server, which might prove difficult to recover from.
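
As an added example (not from the original page), here is a script for the remote server that appends these settings to sshd_config, adds a Match block restricting the tunnel user to the forwards this setup uses, and validates the result before restarting sshd. The function names, the marker comment and the assumption of OpenSSH 7.8 or newer (for PermitListen) are mine.

```shell
#!/bin/sh
# Added example, not from the original page. Appends the hardening points
# above, plus a Match block that limits the "tunnel" user to the forwards
# this setup needs, to the end of the remote server's sshd_config.
# Assumes OpenSSH 7.8 or newer (for PermitListen) and OpenRC (rc-service).

SSHD_CONFIG=/etc/ssh/sshd_config
MARKER='# tunnel-setup (added by install_tunnel_sshd_config)'

# Prints the settings. sshd keeps the FIRST value it reads for a keyword, so
# remove any conflicting uncommented line earlier in the file; and since a
# Match block runs to end of file, the file must not already end in one.
tunnel_sshd_config() {
    cat <<'EOF'
Port 622
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no

# The home server requests -R0.0.0.0:6022, a listener on every interface.
# sshd only honours that bind address when GatewayPorts is enabled; with the
# default "no" the forward silently ends up on loopback instead.
Match User tunnel
    GatewayPorts yes
    AllowTcpForwarding yes
    PermitListen 6022 8080 8443
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
EOF
}

# Appends the block once, lets sshd validate the result and restarts it only
# if the check passes; on failure the backup is restored. Keep your current
# session open until a fresh login on port 622 works.
install_tunnel_sshd_config() {
    if grep -qF "$MARKER" "$SSHD_CONFIG"; then
        echo "tunnel settings already present in $SSHD_CONFIG" >&2
        return 0
    fi
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    { echo "$MARKER"; tunnel_sshd_config; } >> "$SSHD_CONFIG"
    if sshd -t; then
        rc-service sshd restart
    else
        echo "sshd rejected the new configuration, restoring backup" >&2
        cp "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        return 1
    fi
}
```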

I might add more details in the future TODO.

Tunnelling from home to the Remote Server

SSH is a great tool with lots of advanced features. You can, for example, perform port-forwarding and reverse port-forwarding with it without installing any additional tools, and you will take advantage of this feature to allow remote access to your home network from your remote server.

You need to set up an SSH connection from your home server to your remote server and add a few port-forwards to it. The syntax you need is:

 > ssh -R0.0.0.0:6022:127.0.0.1:22 -p 622 -l tunnel -i /path_to/id_rsa.tunnel 99.99.99.99 -nNT

Here is what each part does:

  • -R0.0.0.0:6022:127.0.0.1:22: on the remote server, listen on port 6022 (on all interfaces, which requires GatewayPorts to be enabled in the remote sshd_config; otherwise sshd binds it to loopback only) and forward all traffic to the home server's port 22. This creates a reverse port-forward: you reach the home server by opening an SSH session to the remote server on port 6022.
  • -p 622: remember that you moved the remote server's SSH port from 22 to 622 for security?
  • -l tunnel: you connect as the unprivileged user tunnel on the remote server
  • -i path-to-rsa-key: if you enabled key-only authentication, specify the path to the private key here
  • 99.99.99.99: remote server IP address (you can buy a domain name too if you like, of course)
  • -nNT: -n redirects the home server's standard input from /dev/null, -N runs no remote command (no interactive session on the remote server) and -T allocates no terminal. Keepalive pings, which keep the connection from being dropped for inactivity, are a separate option (-o ServerAliveInterval=30).

Well, that's the core of it. You will need to add a few more ports and a way to automate this when the home server reboots, and maybe some robustness in case your home internet connection drops: you want these tunnels to be restarted. I wrote the following small script, which you need to drop into /etc/local.d/99-tunnel.start; Gentoo will start it at every boot:

#!/bin/bash
# Keeps the reverse SSH tunnel to the remote server alive: wait until the
# remote server answers ping, run ssh in the foreground, and loop again when
# ssh exits (link drop, reboot of the remote server, ...).
# Ports and addresses come from /etc/conf.d/tunnel, re-read on every loop.

LOG=/var/log/tunnel

(while true
do
        source /etc/conf.d/tunnel
        echo "$(date) testing network connection..." >>"$LOG" 2>&1
        if ping -c 10 -W 5 "$REMOTE_SERVER" &> /dev/null
        then
                echo "$(date) $REMOTE_SERVER pinged successfully." >>"$LOG" 2>&1
                (
                        echo "$(date) Starting tunnel..." >>"$LOG" 2>&1
                        # SSH port we always export; binding 0.0.0.0 on the remote side
                        # needs GatewayPorts enabled in the remote sshd_config.
                        REMOTES="-R0.0.0.0:$HOME_SERVER_REMOTE_SSH_PORT:127.0.0.1:22"
                        for i in $REMOTE_TO_HOME
                        do
                                REMOTES="$REMOTES -R$i"
                        done
                        LOCALS=""
                        for i in $HOME_TO_REMOTE
                        do
                                LOCALS="$LOCALS -L$i"
                        done
                        # ServerAlive*: notice a dead link and exit so the loop reconnects.
                        # ExitOnForwardFailure: never stay connected without the forwards
                        # (e.g. while a stale session still holds the remote port).
                        OPTS="-o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes"
                        echo "$(date) Running: ssh $OPTS $LOCALS $REMOTES -p $REMOTE_SERVER_SSH_PORT -l tunnel -i /root/.ssh/id_rsa.tunnel $REMOTE_SERVER -nNT" >>"$LOG" 2>&1
                        ssh $OPTS $LOCALS $REMOTES -p "$REMOTE_SERVER_SSH_PORT" -l tunnel -i /root/.ssh/id_rsa.tunnel "$REMOTE_SERVER" -nNT >>"$LOG" 2>&1
                        echo "$(date) ssh disconnected, retrying..." >>"$LOG" 2>&1
                        sleep 10 # after disconnection, wait a bit before retrying
                )
        else
                echo "$(date) $REMOTE_SERVER ping failed, retrying..." >>"$LOG" 2>&1
                sleep 1 # wait a bit before retrying the ping
        fi
done)&

Remember to make this file executable; it will be executed at every boot:

 > chmod +x /etc/local.d/99-tunnel.start

This script is written so that you need to write all the ports you want to forward and reverse-forward in the /etc/conf.d/tunnel file, like this:

REMOTE_TO_HOME=\
"127.0.0.1:8080:127.0.0.1:80 "\
"127.0.0.1:8443:127.0.0.1:8443 "
HOME_TO_REMOTE=
REMOTE_SERVER=99.99.99.99
REMOTE_SERVER_SSH_PORT=622
HOME_SERVER_REMOTE_SSH_PORT=6022

Here you are forwarding two ports:

  • The home server HTTP port (8080, this is the port NGINX will create for you for remote access over HTTP)
  • The home server HTTPS port (8443, this is the port NGINX will create for you for remote access over HTTPS)

Note: you will use port 80 on the home server for your local, home, access to all the services, so you need to use two different ports for the remote access. This will be explained better in the NGINX page later on.

You can now start the tunnel manually:

 > /etc/local.d/99-tunnel.start

HTTP/HTTPS ports redirection on the Remote Server

Unfortunately the SSH tunnel cannot forward the privileged ports, in particular port 80 and 443, which you will need for HTTP and HTTPS access to your home server from outside: on Linux only root may bind ports below 1024, and the tunnel user is unprivileged, so sshd refuses such remote forwards. At this point you have the SSH tunnel from the home server to the remote server that performs the port-forwarding for the SSH, HTTP and HTTPS services (you will still need to set up NGINX later on of course, so the last two ports are not used for now), but you cannot directly forward your HTTP and HTTPS ports due to this limitation.

You will need a tool called socat, which can forward traffic between two ports locally on the remote server. You will use it to forward port 80 and port 443 on the remote server to the SSH tunnel ends on ports 8080 and 8443 (these stay bound to 127.0.0.1, so they are reachable only through socat).

So let's clarify the chain of ports you are building here:

{your away from home} -> {remote server/99.99.99.99:443 --(socat)--> 127.0.0.1:8443} --(SSH tunnel)--> {home server/127.0.0.1:8443/NGINX}

So basically you will connect (using a browser or a specific client) to your remote server on port 443; socat redirects to the internal port 8443, SSH redirects to your home server's port 8443, and NGINX processes the request and reverse-proxies it to the tool (*Arr's, Jellyfin etc). Security is provided by using HTTPS, encrypted all the way from your browser/client to the tool on the home server. The HTTP (80) port will just be a redirect to the HTTPS (443) service, so there will not be any unencrypted data stream toward your home server.

Time to install socat on the remote server: log in to it and type:

 > emerge socat

All you need to do now is create a very simple startup script, like you did for the tunnel before. Create the file /etc/local.d/10-socat.start:

#!/bin/bash
# Runs as root at boot: binding ports 80 and 443 needs privileges.
# fork: serve each client in its own child; reuseaddr: allow a quick restart.
(socat TCP-LISTEN:443,fork,reuseaddr TCP:127.0.0.1:8443)&
(socat TCP-LISTEN:80,fork,reuseaddr TCP:127.0.0.1:8080)&

make it executable and start it (it will be started automatically at every reboot):

 > chmod +x /etc/local.d/10-socat.start
 > /etc/local.d/10-socat.start

That's it! To test it you need to install and configure nginx on the home server first.
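
Before moving on it is worth checking what the remote server now exposes on its public IP: with the plan above only sshd (622), the reverse SSH forward (6022) and socat (80, 443) should listen on all interfaces, while the 8080/8443 tunnel ends stay on loopback. The following added example (not from the original page) audits the output of ss for exactly that; the function name, the --stdin flag and the sample ss lines in the test are mine.

```shell
#!/bin/sh
# Added example (not from the original page): audit which listeners on the
# remote server are reachable from the internet and compare them with the
# port plan of this setup. Assumes the page's ports: sshd on 622, the reverse
# SSH forward on 6022, socat on 80/443; everything else (the 8080/8443 tunnel
# ends in particular) must be bound to loopback only.
# Usage on the remote server:  ss -H -ltn | sh tunnel_exposure_check.sh --stdin
# (the file name and the --stdin flag are choices of this example)

PUBLIC_OK="622 6022 80 443"   # ports allowed on 0.0.0.0 / [::] / *

# Reads "ss -H -ltn" lines on stdin. Prints one line per unexpected public
# listener and returns 1 if any was found, 0 when only the plan is exposed.
tunnel_exposure_check() {
    bad=0
    while read -r state recvq sendq local_addr rest; do
        [ -z "$local_addr" ] && continue
        port=${local_addr##*:}        # text after the last ':' is the port
        addr=${local_addr%:*}         # everything before it is the address
        case "$addr" in
            127.0.0.1|'[::1]') continue ;;   # loopback only: not exposed
        esac
        case " $PUBLIC_OK " in
            *" $port "*) continue ;;         # part of the plan
        esac
        echo "UNEXPECTED public listener: $local_addr"
        bad=1
    done
    return $bad
}

if [ "${1:-}" = "--stdin" ]; then
    tunnel_exposure_check
fi
```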

Now, it's time to head on to setting up the various tools, starting from the *Arr's, move on!

