Hi. I decided to build a low-cost i3 on-premises PC to self-host a few things for me: an email server, Nextcloud and a few other things. I am currently hosting them on AWS, but to avoid Amazon's eyes on my data, I am deciding to take this step. The issue is that my ISP doesn't support port forwarding. So in order to expose the server to the internet, I have to use WireGuard. To host WireGuard, I am thinking of choosing the same AWS as my VPS, because I think over the VPN all my data traffic will be encrypted; Amazon can only see network logs, which is fine. Am I missing something here? Is it gonna improve my privacy compared with the setup (full AWS hosting) I have now?
AWS could see outbound traffic that isn't encrypted. But you would have full control over the data storage so it's an improvement.
I don't understand when you say your ISP doesn't support port forwarding. You get an IP from your ISP and you can open whatever ports you want, and if you use DDNS you don't even need a public IP. Where would forwarding be involved? Am I missing something from your predicament?
I think WireGuard is a good idea rather than opening up the actual ports to your server to the internet, but even then I don't get why you mention AWS. How come you can't just terminate WireGuard on a Pi or router at home and have that as the only port open on your firewall?
I am behind a double NAT. My ISP doesn't give me just one IP because it's dynamic. In order to expose my local machine to the internet, I am trying to host WireGuard on AWS and forward the ports there. Then I would connect my local machine to WireGuard.
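The VPS-plus-home-peer setup this reply describes, written out as an added example that is not from the thread or any commenter: the VPS side DNATs only the published service ports into the tunnel, and the home side keeps the NAT mapping open with a keepalive. Keys, the 10.8.0.0/24 tunnel subnet, the `eth0` interface name, the VPS IP and the forwarded ports 25 and 443 are all placeholders/assumptions.

```ini
# ---- /etc/wireguard/wg0.conf on the AWS VPS (hypothetical values) ----
# Prerequisites: net.ipv4.ip_forward=1 on the VPS, and an AWS security group
# that allows inbound UDP 51820 plus the forwarded TCP ports (25, 443) only.
# Replace eth0 with the VPS's real uplink interface if it differs.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward only the published service ports to the home peer (10.8.0.2).
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,443 -j DNAT --to-destination 10.8.0.2
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp -m multiport --dports 25,443 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Masquerade so replies from the home server return through the tunnel.
# Caveat: the home server then sees 10.8.0.1 as the client address, not the
# real source IP, which matters for mail logs and rate limiting.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -d 10.8.0.2 -j MASQUERADE
# Mirror every rule on teardown so nothing is left forwarded when wg0 is down.
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 25,443 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.8.0.2 -p tcp -m multiport --dports 25,443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -d 10.8.0.2 -j MASQUERADE

[Peer]
# The home server. AllowedIPs is a /32 so this peer can only source its own
# tunnel address; WireGuard drops anything else it sends.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg0.conf on the home server behind the double NAT ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Only the tunnel subnet is routed over WireGuard; ordinary home traffic
# still leaves via the ISP and never transits the VPS.
AllowedIPs = 10.8.0.0/24
# The home side must initiate (no inbound reachability); the keepalive
# refreshes both NAT mappings so the VPS can deliver forwarded connections.
PersistentKeepalive = 25
```

Everything inside the tunnel is encrypted with the peers' keys, so the VPS sees ciphertext between itself and the home peer, but traffic between internet clients and the VPS on ports 25 and 443 is still visible there unless those services themselves use TLS.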
I didn't even know this was a thing, but it makes sense. It's like someone setting up another router on your home network and putting you behind that. You can only make outbound connections. I'd prioritise a better ISP but in lieu of that the tunneling back in over the outbound connection makes sense.
You'll save your sanity if you give Tailscale a shot. It uses WireGuard but it's incredibly simple and handles all double NAT issues, and it just works. No joke! It's next to Syncthing in my tools I install first on every device I own!
You can check out Chapter 6 of the Self-Hosted podcast episode linked here, where they talk about it: https://fountain.fm/episode/fffeP7pFcP9IA2jN8VCN
Yes Epic, it will be an improvement. External snoops will only be able to monitor your network traffic, whereas on AWS they can see /everything/.
Consider hooking up a Tor Hidden Service as well as, or instead of, WireGuard. It avoids the need for port forwarding completely, it does its own routing (no dramas with DNS), and it includes its own end-to-end encryption (so you don't need an SSL/TLS certificate either). https://community.torproject.org/onion-services/setup/
Have you looked into using Tailscale?
Been very busy, so I haven't yet. My next trial is this only.