So, I have a rpi4b that’s currently running a VPN for family abroad. I’m just finishing setting up Ubuntu server 24.04LTS(I have limited number of USB sticks, and the largest is only 8gb, so this choice was one of size, I can go into ones I had considered before) on an old laptop. For my small business I’ve also bought a domain for a work email, and eventually a website both are/will be hosted externally as I don’t want to faff about with securing those aspects on my home network. The VPN though, that is currently pointing to no-ip dns service, and I want to migrate that to both the laptop and my own registered domain. What’s best practices here? I do need the VPN to exit through to my network, so that my MiL can watch UK streaming from abroad(TV licence shenanigans).

  • @themachine
    link
    English
    12 months ago

    You did not answer what VPN tech you are using.

    Without that knowledge i would recommend setting up tailscale and having your users use that. If you want to be fully self hosted you can also run Headscale as the control plane instead of relying on Tailscales own service.

    I recommend tailscale as it is very easy to grant a user privileges to ONLY use an endpoint as an exit node but also grant access to any other endpoints as needed (such as your future jellyfin server) via theor ACLs.

    • @[email protected]OP
      link
      fedilink
      English
      12 months ago

      Ah, yeah, sorry. Currently I’m using WireGuard, but I’m open to using something else.

      I’ll have a look at Tail/Headscale, this was very informative, thank you very much.

      • @themachine
        link
        English
        22 months ago

        In the scope of wireguard it’ll just be a matter of you building appropriate firewall rules.

        Since you want their internet traffic to go through you then i assime you’re effectively pushing a 0.0.0.0/0 route to your clients. You then need to add firewall rules on your server to block traffic to its local subnet and in the future allow traffic to only your jellyfin server.

        This is also pretty simple and nothing wrong with that setup.