User Tools

External Server

The external server is used for a few different tasks:

  • To provide access to the home server from outside, using a mix of Wireguard tunnel and NGINX reverse proxy
  • To provide access to public services, like email server of public websites
  • To let you SSH'in to yout home server, using Wireguard and NFT rules

First of all, the scope of the external server is to provide a static and public IP address for you to use. This IP should also not be in a residential IP block, so you need to rent something from an official hoster.

Selecting an external server

The best choice would be a physical hardware with unlimited bandwidth and data cap, and with free network attached console.

Now stop dreaming and get real.

There are different tiers of servers, and i assume they are all hosted on some networking provider premises (= outside your home):

  1. Your own hardware
  2. You rent some real hardware
  3. You rent some virtual machine on shared hardware (VPS)

The first option is probably stupid, as it brings on you the burden of hardware failures and maintenance. It make sense only when you can host it very close to you, where you can phisically go when needed, and if you can do it for free. Renting rack space can quickly cost as much as renting the entire server hardware itself.

The second option is the best for privacy, since you actually are the only user on the hardware itself, but it is slightly more expensive. And you can usually install the OS you like.

The last option is usually the cheapest option, the only drawback is that the underlying hardware is shared between many VPSes. Also often you cannot choose your OS.

Whatever option you choose, depending on budget and whatever preference you have, these are the minimum requirements you want to focus on:

  • public IP address (owuld be meaningless utherwise!)
  • enough bandwidth (10Mbit/s or better)
  • possibly no data-cap, or a reasonable one (100Gbit/months should be fine for light usage)
  • Linux operating system
  • Remote SSH access to the server (or some kind of VDI access)

Things you might want to consider (price for value):

  • Access to network console, for when the server doesn't boot and you need good old keyboard&mouse
  • Freedom to install your own OS (which will be Gentoo of course!)

Things that don't need money spent on:;

  • Storage (no data will be stored locally, only enough to install OS is needed)
  • RAM (8Gb should be more than enough, no services will run on the machine)
  • CPU (the smallest one will be more than capable to route IP packets)

Of course, pump up storage if you plan to use the server also for offsite-backup storage.

External server Setup

I assume you can install your own OS, so let's install Gentoo. Follow the Quick & Dirty Gentoo Installation but on your external server instead of your home server.

You don't need to install anything beside the bare minimum of the basic text-only installation, except the specific packages described below.

Required packages

Do not forget to install the following minimum stuff, required for any reasonable server:

  • app-admin/logrotate: configure it to rotate all the logs for the various services
  • app-admin/sysklogd: syslog daemon
  • app-backup/restic: backup solution
  • net-firewall/nftables: upgraded iptables solution
  • net-vpn/wireguard-tools: needed to create the VPN tunnel between the home server and the external server
  • www-servers/nginx: which will act as reverse proxy for the home server services, and will allow access to services on the external server
  • net-misc/chrony: NTP client
  • sys-process/cronie: Cron daemon
  • app-crypt/certbot-nginx: Let's Encrypt ACME client for SSL certificates renewal
  • dev-lang/php (optional): if needed for some services, like webmail
  • net-fs/nfs-utils (optional): if you want to share filesystem between home server an external server

As a quick reminder, with suggested USE flags: 

# to use only nftables and not iptables:
echo "sys-apps/iproute2 -iptables nfs" >> /etc/portage/package.use/iproute2
# nginx and PHP cross support
echo "app-misc/mime-types nginx" >> /etc/portage/package.use/nginx
echo "app-eselect/eselect-php fpm" >> /etc/portage/package.use/php
echo "dev-lang/php fpm sqlite zip spell intl pdo curl exif gd xmlreader xmlwriter soap" >>  >> /etc/portage/package.use/php
emerge -vp app-admin/logrotate app-backup/restic app-admin/sysklogd app-crypt/certbot-nginx dev-lang/php net-fs/nfs-utils www-servers/nginx net-vpn/wireguard-tools net-misc/chrony sys-process/cronie net-firewall/nftables

Unpriviledged users & SSH access

SSH access for user root must be disabled. Also, password login sohuld be disabled as well, limiting SSH access to using public/private keypair only. This is very important, because extensive port scanning and brute force attacks toward the SSH daemon happens every day and your password will be cracked, sooner or later. Using keys solve that issue.

The SSH server should also be moved to a port other than 22. This will not prevent brute force attacks, but greatly reduce them.

To allow remote access, add the public key of the users from the home server to the /home/user/.ssh/authorized_keys file.

Given that the root user must never be used for remote login, you need the following unproviledged users:

  • user: this one will be used by you for remote SSH access.
  • backup: this will be used by the home server to upload the offsite backups
  • tunnel: this will be used by the home server to setup SSH tunnels (alternative to using WireGuard)

Filesystem sharing with internal server

In case you want to share a filesystem between your home server and the external server, you can do that with NFS v4.2 over the Wireguard tunnel. Do not use NFS without the wireguard tunnel: it will be unencrypted.

Create /etc/conf.d/nfs:

nfs
OPTS_RPC_NFSD="8 -H 10.70.0.2 -N 3 -N 4.0 -N 4.1 -V 4.2"

to bind NFS to the wireguard interface and disable all legacy NFS versions.

For wireguard tunneling, see here and here.

Connecting home server and external server

There are two ways to achieve this, which preserve security:

  • Create a wireguard tunnel
  • Create an SSH tunnel

Both solutions have pros and cons, and both require the home server to initiate the connection to the external server and this will let you escape any kind of CG-NAT and let you do port-forwarding as well.

This topic is covered here.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also, you acknowledge that you have read and understand our Privacy Policy. If you do not agree, please leave the website.

More information