My Self-Host Architecture

High Level Architecture

Details on hardware and networking will be provided in later pages.

The basic idea is to have a home network perimeter that is considered safe. Within this safe zone you will be able to access all your home services without too much hassle or being encumbered by too much security. HTTPS will still be used of course, but authentication will be disabled unless user-identification is required (es: media profiles or private storage). I understand this might be considered a security issue, so you need to be careful not to let any stranger access your WiFi password at any time. In this case you should consider adding a guest WiFi network for them, with separate addresses and clearances.

For me, and my family, the convenience to access our services hassle free is the first priority, of course YMMV.

When you are traveling outside the home network, it will still be accessible easily and seamlessly (which means, by the way, using exactly the same domain and host names) from all your mobile devices, laptops included.

I choose to achieve this by leveraging SSH tunnels and an officially registered domain name, and subdomains, because having to sign-in a VPN can be a show stopper for some users. Moreover, for faster internet access and due to the typical asymmetric nature of home ISP connections, i do not like to use the home connection when traveling outside home.

So, devices when outside home will navigate normally using their cell/wifi connections and get home only to access home services but not for regular navigation.

I have an internal server (might also be called home server here and there) that hosts all services and all security measures for the home. To ensure proper access from outside, i have also an external server (actually i have two, for redundancy and resilience) that acts as a simple front-end for the internal server trough SSH tunnels. The external server can be a very cheap VPS because it will not run any service directly except the tunnels.

I am a big Gentoo fan since decades, so my choice specially for servers is always Gentoo. Both servers will be Gentoo servers.

The advantages of this solution are:

  • Secure setup (encrypted tunnel to home, all services exposed trough HTTPS over encrypted SSH channel)
  • Easy maintenance: only an SSH tunnel, the front end has nothing else installed except SSH
  • Low cost: grab the chapest VPS you can find and it will work just fine.

There are other approaches possible out there, like getting some proprietary tunnelling solution, using commercial VPNs with port-forwarding and such. I don't like those solutions because i do not want to depend on a third party specific technology or service. My approach do require a VPS (or similar) rented somewhere, but it really don't matter who the service provider is and can be switched over in matter or one hour.

One last note, you will need your own domain and DNS management for it. You will be hosting DNS management for your domain, but only internally-facing toward your home network, not outside. While you can also manage your DNS, i assume your domain provider offers this service and it's good enough for you.