Hello peoples,

I am looking for tips on how to make my self-hosted setup as safe as possible.

Some background: I started self-hosting some services about a year ago, using an old Lenovo thin client. It’s plenty powerful for what I’m asking it to do, and it’s not too loud. Hardware-wise I am not expecting to change things up any time soon.

I am not expecting anyone to take the time to baby me through the process, I will be more than happy with some links to good articles and the like. My main problem is that there’s so much information out there, I just don’t know where to start or what to trust.

Anyways, thank you for reading.

N

  • @TCB13
    110 months ago

    With Wireguard or OpenVPN you may ask: “How do I do that without opening a port? You just said that was a bad idea!”

    There’s a BIG difference here. Don’t be afraid to expose the Wireguard port because if someone tried to connect and they don’t authenticate with the right key the server will silently drop the packets.

    We require authentication in the first handshake message sent because it does not require allocating any state on the server for potentially unauthentic messages. In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible. The handshake avoids a denial of service vulnerability created by allowing any state to be created in response to packets that have not yet been authenticated. https://www.wireguard.com/protocol/

    OpenVPN is very noisy and you’ll know if someone is running it on a specific port while Wireguard you’ll have no way to tell it’s running.
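To make the "silent and invisible" behaviour above concrete, here is an added example (not code from the commenter or from the WireGuard project) that models how the first handshake message is authenticated before the server allocates any state. It follows the construction named on wireguard.com/protocol: mac1 is a keyed BLAKE2s over the message so far, with the key derived as HASH("mac1----" || responder's static public key). The message layout, the random stand-in for the Curve25519 public key, and the `Responder` class are simplifications assumed for this example; mac2/cookie handling and the real response format are left out.

```python
"""Simplified model of WireGuard's stateless first-message authentication.

Added example: the mac1 construction follows wireguard.com/protocol, but the
message layout and the stand-in public keys are assumptions for illustration.
"""
import hashlib
import secrets

LABEL_MAC1 = b"mac1----"
MSG_INITIATION = 1
MSG_RESPONSE = 2


def hash32(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte output, as in the WireGuard description."""
    return hashlib.blake2s(data).digest()


def mac16(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s with a 16-byte output, as in the WireGuard description."""
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def build_initiation(responder_static_public: bytes, ephemeral_public: bytes) -> bytes:
    """Peer side: first handshake message (simplified layout).

    mac1 covers every byte before it and is keyed with
    HASH(LABEL_MAC1 || responder's static public key), so only a sender that
    already knows the server's public key can produce a valid mac1.
    """
    body = bytes([MSG_INITIATION]) + secrets.token_bytes(4) + ephemeral_public
    key = hash32(LABEL_MAC1 + responder_static_public)
    return body + mac16(key, body)


class Responder:
    """Server side. No per-peer state exists until mac1 verifies."""

    def __init__(self, static_public: bytes):
        self.static_public = static_public
        self._mac1_key = hash32(LABEL_MAC1 + static_public)
        self.sessions = {}      # handshake state, keyed by the peer's ephemeral key
        self.silent_drops = 0   # datagrams discarded without any reply

    def receive(self, datagram: bytes):
        """Return a response datagram, or None when the packet is dropped silently."""
        # Stateless checks first: length and type, then mac1 over the body.
        if len(datagram) != 1 + 4 + 32 + 16 or datagram[0] != MSG_INITIATION:
            self.silent_drops += 1
            return None
        body, mac1 = datagram[:-16], datagram[-16:]
        if not secrets.compare_digest(mac16(self._mac1_key, body), mac1):
            self.silent_drops += 1
            return None  # wrong key: no reply, no allocation, nothing to observe
        # Only now is state allocated and a reply sent. (The real response also
        # carries its own mac1 keyed with the initiator's public key; omitted here.)
        ephemeral_public = body[5:]
        self.sessions[ephemeral_public] = {"stage": "initiation_received"}
        return bytes([MSG_RESPONSE]) + secrets.token_bytes(4) + secrets.token_bytes(32)


def demo():
    """Constructed scenario: one peer that knows the server key, one that does not."""
    server_public = secrets.token_bytes(32)  # stand-in for the server's public key
    server = Responder(server_public)
    # A configured peer, given the server's public key out of band, gets a reply.
    legit = server.receive(build_initiation(server_public, secrets.token_bytes(32)))
    # A sender without the key cannot compute mac1: the server stays silent and
    # allocates nothing, which is why the port looks closed from outside.
    unknown = server.receive(build_initiation(secrets.token_bytes(32), secrets.token_bytes(32)))
    return legit is not None, unknown is None, len(server.sessions), server.silent_drops


if __name__ == "__main__":
    print(demo())  # (True, True, 1, 1)
```

The point the comment makes falls out of the last two lines of `demo()`: the unknown sender gets no datagram back and leaves no entry in `sessions`, so there is neither a banner to fingerprint nor a state table to exhaust. In the real protocol the cost of the check is one keyed hash per packet, which is what lets the server afford to do it before doing anything else.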