
My Self-Host Architecture

Network Architecture

You have three different network zones:

  • The external zone, which is the internet or, in general, anywhere outside your home. It will be on the other side of your ISP gateway/router/access point. It is considered dangerous: hic sunt leones.
  • The internal zone, which is your home network; it is considered safe and comfy. Do not let unknown strangers have the WiFi password!
  • The gray zone: between your server and the ISP gateway/router/access point. There is nothing here except all your NAT-ed traffic.

The internal network will be described in detail later on. I assume you will choose a subnet like 10.0.0.0/24 for it. I suggest you don't use a subnet in the 192.168.x.y range, as many of these ranges are already used by ISP routers and devices, and in case of a clash you might end up having to replace addresses on all your internal hosts, which can be a mess. A good idea is to use the 10.a.b.c ranges and choose something meaningful: if you live at Via Roma 68, zip 4012, you could choose 10.40.68.c as your subnet.

The gray zone depends on your ISP; I will assume your ISP uses the 192.168.1.0/24 subnet for it.

The external network is assumed to be behind CG-NAT (Carrier Grade NAT), so you do not have, and cannot have, a static IP visible from outside in any possible way. This is the common truth for mostly everybody nowadays.

For you lucky ones in the USA, where you can sometimes (maybe paying, or even for free) get a static IP, this might not apply, but the world is big and 99% of people cannot access a static IP anymore…

Your home server will require two different network interfaces; whether wired or WiFi doesn't matter.

Your remote server must be reachable using your domain name (I will assume mydomain.com), whatever that means for you: as long as it's reachable with that domain, it's good. You should reserve a dedicated additional sub-domain like remote.mydomain.com, because I will show you how to reflect the DNS setup on the internal network to point to your home server, so accessing your remote server from the internal network will require the remote.mydomain.com name.

Hardware Architecture

Your home server should be beefy enough to host and support all your services. Once you figure that out, the added overhead to manage the NAT, the tunnels and the reverse-proxy will be negligible.

You want something low-power though, and you might want something battery-protected to prevent strain on hard drives due to loss of power. You might also want something not too loud, unless you plan to place everything in a secluded place (but watch out for heat buildup!).

My choice is an oldish powerful workstation-type laptop:

  • it has at least one wired Ethernet plug (the second one can be a USB-C gigabit Ethernet adapter)
  • it has a keyboard and monitor, for those local access needs, without requiring a dedicated monitor wasting space
  • it doesn't reboot when there is a power loss at home
  • laptops are usually both less power-hungry and less noisy

Of course, the drawback is that laptops have limited storage space. For this reason, I added a RAID JBOD enclosure connected via USB-3/USB-C with a conspicuously sized SSD RAID array, and I plugged it into a cheap low-wattage battery backup to keep the RAID array running in case of power loss.

Are power losses frequent? No, they aren't, but I do not want to run risks with my data.

The remote server can be a virtual server or a physical one; it doesn't matter, as it will run nothing except tunnels back to the internal server.

Software Architecture

I have been a big Gentoo fan for decades, so my choice, especially for servers, is always Gentoo. More on this later on. Both servers will be Gentoo servers.

The internal server will host all the services.

The remote, external, server is hosted somewhere on the network. It acts as a thin front end, redirecting connections to the internal server.

The advantages of this solution are:

  • Secure setup (encrypted tunnel to home, all services exposed through HTTPS)
  • Easy maintenance: only an SSH tunnel; the front end has nothing else installed except SSH.
  • Low cost: grab the cheapest VPS you can find and it will work just fine.
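As an added example (not part of the original page), this is the home-server side of the reverse SSH tunnel described above, plus, in comments, the VPS-side key restrictions that keep the front end a thin one: the key can only open the two listeners the tunnel needs. Assumed names: a tunnel user "tunnel" on the VPS, a home reverse proxy at 10.40.68.2, and a dedicated key at /root/.ssh/tunnel_ed25519.

```shell
#!/bin/sh
# Home server -> VPS reverse tunnel launcher (added example, not the page's own code).
# Assumptions: tunnel user "tunnel" on remote.mydomain.com, home reverse proxy on
# 10.40.68.2 (serving 443/80), dedicated key /root/.ssh/tunnel_ed25519.
REMOTE_HOST="remote.mydomain.com"
REMOTE_USER="tunnel"
HOME_PROXY="10.40.68.2"
KEY="/root/.ssh/tunnel_ed25519"

# Turn "vps_port:home_port" pairs into ssh -R arguments. The VPS listener binds
# 0.0.0.0 so it is reachable from the internet; that needs GatewayPorts (below).
# Non-root users cannot bind ports below 1024 on the VPS, so use 8443/8080 there
# and redirect 443/80 to them with a firewall rule on the VPS.
build_forwards() {
  for pair in "$@"; do
    vps_port=${pair%%:*}
    home_port=${pair##*:}
    printf '%s ' "-R" "0.0.0.0:$vps_port:$HOME_PROXY:$home_port"
  done
}

# Compose the autossh command line. -N: no shell on the VPS, only forwards.
# ExitOnForwardFailure makes autossh restart if a listener cannot be bound.
tunnel_cmd() {
  printf 'autossh -M 0 -N -i %s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s%s@%s' \
    "$KEY" "$(build_forwards "$@")" "$REMOTE_USER" "$REMOTE_HOST"
}

# VPS side, least privilege for the tunnel key (/home/tunnel/.ssh/authorized_keys):
#   restrict,port-forwarding,permitlisten="8443",permitlisten="8080" ssh-ed25519 AAAA... tunnel@home
# "restrict" disables pty, agent/X11 forwarding and local (-L) forwards; permitlisten
# limits which remote listeners this key may open. And in /etc/ssh/sshd_config:
#   Match User tunnel
#       GatewayPorts clientspecified
#       AllowTcpForwarding remote
#       PasswordAuthentication no

case "${1:-}" in
  run) exec $(tunnel_cmd 8443:443 8080:80) ;;
  *)   tunnel_cmd 8443:443 8080:80; echo ;;
esac
```

Run it with `run` as the first argument to start the tunnel (for example from a service unit); without arguments it only prints the command it would execute.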

Main services

The goal is to host one or more of the following services for yourself and your family, in a secure and remotely accessible way:

  • Webcam / DVR access
  • Photo backup and storage
  • Private files sharing
  • Sailing access
  • Home Automation services
  • Git and such
  • Printer and scanner
  • Mobile devices synchronization
  • more…
