I’m very new to home networking. I’m not new to computers (hardware or software) - but for whatever reason, anything network-related has always been an enigma to me.
That said - I just got a new (to me) server. It’s a beefy one (made a post about it in another community). And so I figured why not just start playing around with Proxmox, learning some new things and spinning up a bunch of random VMs and whatnot.
I figured the first step would be to set up something such that I can connect to my computers from anywhere - and I’ve already done so. For that, I used Tailscale. But my question, I suppose, is now that my computers are on the internet (as in, for real on the internet, through Tailscale) - are there security precautions I have to take now and things I need to be more concerned about? Do I have to set up my own special firewall to make sure I don’t get hacked or something? I am honestly pretty clueless in that whole domain. So… ELI5 what I have to do, security-wise. Any and all help is welcomed and appreciated.
Bonus question: beefy server is beefy (yes yes, lots of power consumption, I’ve already come to terms with it. About 200W idle and should run me ~$40/mo.). Dual 18-core E5-2699 v3s. 768GB of RAM. More SSD storage in both boot drives and storage drives than the average human would use in a thousand years (SAS, SATA, & NVMe). I asked this over on c/piracy - what should I do with it? I’ve put Proxmox on it, and as said above, plan on learning things about VM hosting and different operating systems and whatnot. I’m also planning on hosting my own Jellyfin server. But… what else? Does anyone have any good ideas for any (non-GPU-intensive) things I can do with the server? Anything and everything welcome, lol - I wanna have fun with this thing!
TIA for the responses :)
If I understand correctly, if you are using Tailscale your VMs are not being exposed on the internet. You are connecting directly to your home network and that’s how you can access them remotely. As for your second question, just download and share a bunch of Linux ISOs ;)
Disclaimer - I’m pretty new to all this too, so someone will probably describe this in better detail, but here’s my rough explanation:
So for the sake of security, being on Tailscale is akin to having your devices on the same (virtual) network, not to having publicly facing ports opened. As a result, it doesn’t meaningfully increase your attack surface.
If you’re reaching a server via SSH over Tailscale, it’s not the same as if you were using SSH over the open Internet (opening port 22 on your router to the public). Tailscale basically tricks your devices into thinking they’re on the same network, then, using TLS (a secure tunnel, like other VPN products would use), it allows you to connect to ports that are open on the device.
You may need to open ports on a software firewall if you’re running one (e.g. I use UFW on my Ubuntu server). The only additional attack surface in this case is your Tailscale account credentials, though it’s way less likely someone tries to get in that way than if you had an open port facing the Internet.
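The distinction the post above draws (a service that is reachable over the tailnet versus one that is reachable from a public port) comes down to which address each service is bound to. The script below is an added example, not code from the thread: it parses `ss -tlnp` output (a constructed sample is embedded, with made-up process names and PIDs) and classifies every listener as loopback-only, Tailscale-only (the 100.64.0.0/10 CGNAT range Tailscale assigns), bound to one LAN address, or bound to all interfaces. The last group is what both the LAN and the tailnet can see, and what a router port-forward would expose.

```python
"""Audit which listening TCP sockets are reachable from where.

Added example (not from the thread): parses `ss -tlnp` output and
classifies every listener by the address it is bound to, which is what
decides whether a service is visible to the LAN, to the tailnet, to both,
or to nobody but the host itself. A router port-forward is still needed
before anything here is reachable from the open Internet.
"""
import ipaddress
import re

# Tailscale assigns addresses from the CGNAT block 100.64.0.0/10
# (and fd7a:115c:a1e0::/48 for IPv6).
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILSCALE_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22               [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    127.0.0.1:5432        0.0.0.0:*          users:(("postgres",pid=1201,fd=6))
LISTEN  0       511     100.101.102.103:8096  0.0.0.0:*          users:(("jellyfin",pid=1540,fd=12))
LISTEN  0       511     192.168.1.20:8006     0.0.0.0:*          users:(("pveproxy",pid=990,fd=5))
LISTEN  0       4096    *:9090                *:*                users:(("cockpit-ws",pid=1700,fd=3))
"""


def split_addr_port(field):
    """Split ss's 'Local Address:Port' column into (address, port).

    Handles '0.0.0.0:22', '[::]:22', '*:9090' and '100.64.0.5:8096'.
    """
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host):
    """Map a bound address to who can reach the socket."""
    if host in ("0.0.0.0", "::", "*"):
        return "all-interfaces"      # LAN, tailnet, and any forwarded port
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"            # only processes on this host
    if ip in TAILSCALE_V4 or ip in TAILSCALE_V6:
        return "tailscale-only"      # only peers on the tailnet
    return "lan-interface"           # only the network that address is on


def parse_ss(text):
    """Return one dict per LISTEN line: process, host, port, scope."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                 # also skips the header line
        host, port = split_addr_port(cols[3])
        match = re.search(r'\(\("([^"]+)"', line)
        listeners.append({
            "process": match.group(1) if match else "?",
            "host": host,
            "port": port,
            "scope": classify(host),
        })
    return listeners


def exposed_everywhere(listeners):
    """(process, port) pairs bound to every interface: the ones to review."""
    return sorted({(e["process"], e["port"])
                   for e in listeners if e["scope"] == "all-interfaces"})


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for entry in found:
        print(f"{entry['process']:<12} {entry['host']}:{entry['port']:<6} {entry['scope']}")
    print("review:", exposed_everywhere(found))
```

On a real host, pipe `ss -tlnp` into `parse_ss` instead of the sample. Anything in the all-interfaces group that only needs to be reached over Tailscale can be bound to the machine's 100.x address (or restricted with a UFW rule that allows the port only from the tailscale0 interface) so it is invisible to the LAN as well.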
This is accurate. Although there may also be a preauth vuln in tailscale, meaning there’s a possibility of attack without needing any creds at all, but those are relatively rare.
I’m never a fan of virtualizing network-related items, for the sake of redundancy: if your server goes down, the rest of your network can keep doing its thing. That being said, with the hardware you have on your hands I don’t see any solid argument for bringing in more hardware.
Proxmox is a great base for you to really ramp things up, and I’d recommend looking into pfSense as a routing/firewall solution. There’s a bunch of great YouTube videos that can talk you through setting it up and using it as your VPN point, ad blocking, reverse proxy, and so much more.
I found tteck’s Proxmox Helper Scripts great for getting my Proxmox experience off the ground. I’m similar to you with just recently getting started while having limited network experience.
I also just set up Twingate for external access following a networkchuck video and love how easy it was. I was just going to do a vpn on my unifi router but this was a more streamlined solution.
As far as services, I’ve got:
- Plex
- Home Assistant (a huge but fantastic rabbit hole)
- pihole
- A docker LXC running Portainer, a transmission+OpenVPN container, SearXNG, and Twingate
- Trilium (notes app similar to Evernote or OneNote)
- Nextcloud (kind of frustrated with this one, mobile auto-upload doesn’t want to ever work properly)
- BlueIris NVR
- Heimdall dashboard
I don’t watch enough TV to justify setting up the *arr services and prefer to find my own Linux ISOs if I’m interested in a particular one. Otherwise I’m quite happy with my setup, all running on an old desktop PC.
Tailscale is more akin to a VPN than being open on the Internet so you would generally be able to treat it like a private network assuming nobody compromises your Tailscale account. That being said, there are a few good practices that you should follow:
- Proxmox has good firewalling built into the UI; you can use that to ensure that VMs are unable to reach other VMs they would never need to reach, to prevent someone from hopping around your network if they compromised a single service.
- SSH keys on all your VMs
- don’t use simple passwords just because they’re private, treat it like any other account
- don’t give services more privilege than they require, e.g. if you share a DB server between services, give each an individual account with its own restrictive permissions
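"SSH keys on all your VMs" and "don't use simple passwords" only hold if sshd is actually configured to refuse passwords. A detail that trips people up: sshd takes the first value it sees for a keyword outside a Match block and ignores later duplicates, so a hardening line appended below a distro default does nothing. The checker below is an added example, not code from the thread; the sample config it audits is constructed, and the defaults table reflects OpenSSH 8.x/9.x behaviour.

```python
"""Check an sshd_config for the settings behind "SSH keys on every VM".

Added example (not from the thread). sshd reads its config top-down and,
for every keyword outside a Match block, the FIRST value wins; later
duplicates are ignored. Appending "PasswordAuthentication no" at the
bottom of a file whose distro defaults already say "yes" higher up
therefore changes nothing. This checker reproduces that rule and reports
what sshd would actually enforce.
"""

# Constructed sample config; not copied from any real host.
SAMPLE_SSHD_CONFIG = """\
# distro defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# "hardening" appended later; sshd ignores both lines (first value wins)
PermitRootLogin no
PasswordAuthentication no

Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# What sshd uses when a keyword is absent (OpenSSH 8.x / 9.x).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercased keyword -> first value seen.
    match_blocks is a list of (criteria, {keyword: value}) in file order.
    Only whole-line comments exist in sshd_config, so a '#' mid-line is kept.
    """
    global_settings = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)   # first one wins
    return global_settings, match_blocks


def effective(settings, key):
    return settings.get(key, DEFAULTS.get(key))


def audit(text):
    """Return a list of findings; an empty list means the file looks right."""
    g, matches = parse_sshd_config(text)
    findings = []
    root = effective(g, "permitrootlogin")
    if root not in ("no", "prohibit-password"):
        findings.append(f"PermitRootLogin is '{root}'; use 'no' or 'prohibit-password'")
    if effective(g, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'; set it once keys are installed")
    if effective(g, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(g, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no'; PAM can still prompt for a password")
    for criteria, block in matches:
        if block.get("passwordauthentication") == "yes":
            findings.append(f"'Match {criteria}' re-enables password logins")
    return findings


# What the global section should look like once keys are in authorized_keys.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` on each VM (and on any file pulled in by an `Include` line, which this checker does not follow). `sshd -T` prints the effective configuration straight from the daemon and is the authoritative cross-check; install keys with `ssh-copy-id` and confirm a key login works before turning passwords off.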
Hmm, well that’s good to hear, about the whole Tailscale thing. I was a bit confused on how that’s actually interacting with the internet. I suppose that even though I can access the stuff from anywhere, I do need the account to actually do so.
To your point about SSH keys - could you elaborate a bit more? I am familiar with SSH in that it exists, but past that, the whole key thing is a bit of a black box (which is part of this whole thing… to learn more about it!)
I don’t know if this is a good analogy, but this is how it was explained to me: I want to send things to people, so I give anyone who asks a key. I keep a bunch of lockboxes that can be opened by that key. When I send them stuff, I lock it up in that box. They know it’s from me if the key works.
I also have a bunch of free boxes in a pile, anyone can grab one, but only I have the key to those. They want to send me stuff? Only I can get into it.
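The two halves of the lockbox analogy above are the two directions of a public/private keypair: anyone can lock something with the public half that only the private half opens, and only the private half can produce a signature that the public half accepts. The block below is an added illustration, not from the thread and not how SSH is implemented: it is textbook RSA on two small Mersenne primes with no padding, which is insecure and exists only to make the analogy concrete (SSH uses Ed25519 or padded RSA inside its own protocol). The signature direction is the one SSH logins use: the server keeps your public key in authorized_keys and the client proves it holds the private key.

```python
"""The lockbox analogy, worked with textbook RSA on small numbers.

Added illustration, not from the thread and not how SSH is implemented:
textbook RSA without padding is insecure. What carries over is the shape:

  * the public half is the "free box anyone can grab": anyone can lock a
    message with it and only the private half opens it (encryption);
  * the private half is the only thing that can produce a signature the
    public half accepts (authentication), which is the direction SSH
    keys use: the server keeps your public key in authorized_keys and
    the client proves possession of the private key at login.
"""
import hashlib
import math


def keygen(p, q, e=65537):
    """Build an RSA keypair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(public, message):
    """Lock a short message with the public key (anyone can do this)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """Open it with the private key (only the owner can do this).

    Leading zero bytes of the original message are not recoverable here.
    """
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message, n):
    """Hash the message and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Produce a signature only the private key holder can make."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public, message, signature):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo primes (Mersenne primes 2^31-1 and 2^61-1): large
# enough to hold a short message, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

if __name__ == "__main__":
    public, private = keygen(P, Q)
    box = encrypt(public, b"hello srv")
    print("decrypted:", decrypt(private, box))
    sig = sign(private, b"login as alice")
    print("genuine:", verify(public, b"login as alice", sig))
    print("tampered:", verify(public, b"login as root", sig))
```

For the real thing, `ssh-keygen -t ed25519` writes the private half to `~/.ssh/id_ed25519` (never leaves your machine) and the public half to `id_ed25519.pub`, which is what goes into the server's `authorized_keys`.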
You’re probably not exposed to the big internet. But that’s no excuse for poor security. I’d look up a hardening guide for your operating system.
You should also look up hardening guides for any applications you plan to run, and follow simple security measures like not logging in as root/admin, strong passwords, 2FA.
Not to say you’re at risk, but it’s good practice to make secure your default. Doing this will help you understand the basics of system security and the risks that systems have.
I think the workings of Tailscale have been answered pretty well already.
As far as ideas for server usage go, I have a similar setup with the following excerpt of most used apps on my server:
- PiHole for DNS filtering and custom internal DNS entries for my devices/services
- Unbound DNS server to free myself from public DNS resolvers (Google, Cloudflare, Quad9 and the likes)
- Unifi Controller (for my Wifi APs)
- ResilioSync (for syncing important files between all my devices and server)
- Homeassistant + Mosquitto (MQTT Broker) + ESPHome for all home automation
- Huginn (scrapes the web for changed content or news and creates notifications for me on Telegram or Discord, maybe somewhat comparable to IFTTT but self-hosted)
- Homebox (home inventory management)
- ActualServer (budgeting app)
- Jellyfin (media streaming)
- an assorted collection of apps I refer to as the “High Seas”, which are Radarr, Sonarr, Lidarr, SABnzbd, etc.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
- AP: WiFi Access Point
- DNS: Domain Name Service/System
- LXC: Linux Containers
- MQTT: Message Queue Telemetry Transport point-to-point networking
- NVR: Network Video Recorder (generally for CCTV)
- PiHole: Network-wide ad-blocker (DNS sinkhole)
- Plex: Brand of media server package
- SSH: Secure Shell for remote terminal access
- SSL: Secure Sockets Layer, for transparent encryption
- TLS: Transport Layer Security, supersedes SSL
- Unifi: Ubiquiti WiFi hardware brand
- VPN: Virtual Private Network
[Thread #206 for this sub, first seen 11th Oct 2023, 00:25]