(Tag: Redirect target changed)
(15 intermediate revisions by the same user not shown)

Current revision: #REDIRECT [[Home_server_v2]]

Previous revision, replaced by the redirect:

[[Category:Home Server]]
[[File:clark_griswold_builds_a_server.png|500px|thumb|right|What a homelab inevitably devolves into...]]

{{Tip|This page is still being written.}}

{{TOCright|limit=2}}

{{quote|Home servers are about learning and expanding your horizons. De-botnet your life. Learn something new. Serving applications to yourself, your family, and your frens feels good. Put your /g/ skills to good use for yourself and those close to you. Store their data with proper availability, redundancy and backups and serve it back to them with a /comfy/ easy-to-use interface.<br/><br/>Most people get started with NAS. It's nice to have a /comfy/ home for all your data. Streaming your movies/shows around the house and to friends. Know all about NAS? Learn virtualization. Spin up some VMs. Learn networking by setting up a pfSense box and configuring some VLANs. There's always more to learn and chances to grow. Think you're god tier already? Set up OpenStack and report back to /hsg/.<br/><br/>Things that are online today might not be online forever. It's good to have a copy of something because you never know when it might get taken down due to copyright strikes.|Anon|Standard /hsg/ OP}}

Welcome to /g/'s comprehensive guide on home servers! This guide will help you set up and manage your own home server and navigate the complexities of running servers in your personal space, be it a basement or a closet.

'''"Homelab"''' is a term you may have encountered, but what does it mean? Essentially, it refers to a personal data center located within your own home. It serves as a platform for acquiring new skills and solving technical problems in your own life. Many are drawn to this hobby by the promise of freedom from the winds of the larger internet. Within this homelab are your ''home servers''. There can be as many, or as few, as you want.

Contrary to what some may suggest, there are no hard and fast rules in this hobby. There are, however, certainly less effective ways of doing things. This guide aims to help you steer clear of the common pitfalls that beginners encounter.

All pages in the home server topic are categorized here: [https://wiki.installgentoo.com/wiki/Category:Home_Server Category:Home_Server]

{{Tip|This guide is intended to be a concise overview of the most important concepts involved in running a home server. It is recommended you at least skim each section.}}

==What Can I do With a Home Server?==

There are two reasons a man will run a home server:

# Solve a problem. Maybe he was fed up with cloud storage, or tired of the constant service outages? Or maybe the solution to his problem doesn't exist yet? Either way, he knows he can do it better himself.
# Learn a new skill and get a new hobby. Home servers and homelabs can scale infinitely. There is always room to learn something new or to do things slightly differently.

<br>

If you're here and considering building a lab, you probably already have a purpose in mind. If not, check out [https://github.com/awesome-selfhosted/awesome-selfhosted awesome-selfhosted] for a gigantic list of applications you can host yourself. Some applications popular with /hsg/ anons include:
* Media streaming
** [https://jellyfin.org/ Jellyfin]
** [https://www.plex.tv/ Plex]
* File storage
** [https://nextcloud.com/ Nextcloud]
* NAS servers
** [https://www.truenas.com/ TrueNAS]
* Game servers
* Personal websites

For sysadmin solutions and services, see [https://github.com/n1trux/awesome-sysadmin awesome sysadmin software].

==Your First Server==
[[File:Anons_comfy_rack.png|350px|thumb|right|A good example of a rack using older enterprise equipment]]
[[File:Why-is-there-a-server.jpeg|thumb|right]]
The first step to setting up your homelab is to acquire your first server. You have a few options to choose from:

* [[Home_Server/Old_Desktop_Machines|Old desktop machines]]
* [[Home_Server/Single_Board_Computers|Single board computers]] like the Raspberry Pi, Intel NUCs, or thin clients
* [[Home_Server/Used_Servers|Used servers]]
* [[Home_Server/Build_Your_Own|Build your own]]

Your old gaming PC, workstation, or laptop is a great option for a home server (provided it is not too old). Performance and capability will vary from machine to machine. When in doubt, post specs in /hsg/ and ask. Laptops are not really designed for 24/7 use, but their battery does act as a built-in UPS.

Hardware you already own is free, which is very appealing and a great way to get started. Keep in mind that older hardware can be less energy efficient; if power usage is a concern you may want to purchase newer hardware.

There is a lot of discussion about power efficiency in the homelab world. Part of that is because some people live in regions where electricity costs significantly more. But more often than not it's because our homelab has grown to the point where it eats a third to half of the power bill. This is a worthy investment for some, but others aren't willing to spend that much. You need to decide how important power efficiency is to you.

==Building a NAS==
"uuuuuh guys, how do i build a nas?" is the most frequently asked question on /hsg/. Here's a dedicated section to point to when someone asks this question for the tenth time in a row.

Pro-tip: you will want a separate boot drive to install the OS onto. Your storage pool will be used exclusively for storing data.

If you are interested in a prebuilt system, check out Synology or QNAP. Many anons rag on Synology for being "underpowered" and "not worth the money", but what Synology does best is being a complete, functional package that ''just works''. Sure, it may be more cost effective on paper to build your own NAS, but if you want something that will run forever with no maintenance then a Synology device could be perfect for you.

{{stub}}

==Building a Media Server==
This is the ''second'' most asked question on /hsg/.

Basically, a media server can be as complex as something like Jellyfin or Plex, or as simple as a network share that you play from using VLC. The media server route is suited to serving multiple users at once (such as family and friends). It also works well when traveling or streaming on many different devices. The network share, on the other hand, excels at simplicity.

The most common applications in the media server landscape are Plex, Jellyfin, Kodi and Emby.

If you want a feature comparison between these to find out which is right for you, check out [https://github.com/Protektor-Desura/Archon/wiki/Compare-Media-Servers THIS] handy table.

Want to transcode multiple streams simultaneously? Check out [https://www.elpamsoft.com/?p=Plex-Hardware-Transcoding these hardware requirements].

Have an Intel iGPU and want to offload transcoding? Check out [https://en.wikipedia.org/wiki/Intel_Quick_Sync_Video#Hardware_decoding_and_encoding this resource].

{{stub}}

==Operating Systems==
Looking for a server operating system? Check out the [[Home_Server/Operating_Systems|full list of popular server operating systems]] or [[Home_Server/SBC_Operating_Systems|SBC operating systems]].

==Hypervisors==

A ''hypervisor'' is a system that creates and runs virtual machines. The machine the hypervisor runs on is called the ''host machine'', and each virtual machine (VM) is called a ''guest machine''. Virtualization is the process of running an operating system in a virtual machine; it allows for a more efficient use of computing resources.

Instead of installing all your services and applications on a bare-metal server, run each in its own VM. This makes management much simpler (and contains any mistakes you make to that VM alone).

In order to run a hypervisor, your CPU must support virtualization. The technology is called VT-x on Intel and AMD-V on AMD. Directed I/O support is required if you wish to pass devices from the host machine through to the VMs (VT-d on Intel, AMD-Vi on AMD). Nearly every CPU and motherboard made within the past 10 years supports these technologies, but older hardware may have compatibility issues and lack more modern virtualization features.

===Proxmox Virtual Environment===

[https://pve.proxmox.com/wiki/Main_Page Proxmox] is the premier open-source virtualization platform. If you're looking for a hypervisor, Proxmox is it.

'''Features:'''
* Built on Debian.
* Uses KVM and QEMU for virtual machines.
* Runs containers using LXC.
* Built-in ZFS support and other advanced storage technologies.
* Tight integration with [https://www.proxmox.com/en/proxmox-backup-server/overview Proxmox Backup Server].

===VMware ESXi===
Those who work in IT will almost certainly be familiar with [https://www.vmware.com/uk/products/esxi-and-esx.html VMware ESXi]. It's the most popular, feature-rich hypervisor available. Unfortunately, it is a paid product and has a limited free tier with a limit of 8 cores per VM: no vSphere, and most vStorage options such as vMotion and distributed switching are unavailable. These restrictions are probably fine for the non-professional homelab user, but if you find yourself limited, try Proxmox.

If you use version 6.5 or 6.7 you can use these keys to unlock all these features:
*'''vCenter: 0A0FF-403EN-RZ848-ZH3QH-2A73P'''
*'''vSphere: JV425-4h100-vzhh8-q23np-3a9pp'''

VMware 7.0 has dropped support for Westmere-EP/Gulftown (X5xxx) CPUs. If your system has these old CPUs, you should consider upgrading to something newer than Sandy Bridge if you want to use the latest version of ESXi.

===SmartOS===
If you are looking to get back to your roots, check out SmartOS, an open source spiritual successor to Oracle's Solaris.
[[Home_Server/Operating_Systems#SmartOS]]

==Storage-Focused (NAS) Operating Systems==
These are operating systems designed to store and serve data over a network. While some of these have minor virtualization capabilities, if you are looking to run VMs and/or containers you should consider a true hypervisor like Proxmox. You could always virtualize your NAS.

===TrueNAS===
TrueNAS is a NAS appliance operating system that uses ZFS.

TrueNAS has two versions: '''[https://www.truenas.com/truenas-core/ CORE]''' and '''[https://www.truenas.com/truenas-scale/ SCALE]'''. Both accomplish the same task.

'''[https://www.truenas.com/truenas-core/ CORE]''' (formerly FreeNAS) is based on FreeBSD. This version is considered more stable.

'''[https://www.truenas.com/truenas-scale/ SCALE]''' is more recent than CORE and based on Linux. This version sports better hardware compatibility and stronger virtualization features, and can host Docker containers.

===OpenMediaVault===
https://www.openmediavault.org/

Based on Debian. A pure storage server without any virtualization capabilities. No gimmicks, just file storage.

===unRAID===
https://unraid.net

unRAID advertises itself as the "NAS OS for gamers". It is not free; you need to fork over some money to buy it. It supports differently sized physical disks and adding hard drives to expand as needed.

Unraid 6.8.3-6.9.2
*SHA256: 18F75CA34A39632DC07270510E453243753CFF302F3D5ADD4FA8813D4ADB304D
*magnet:?xt=urn:btih:180782e4ff3e00b7efc8a0529239b896e0557f72&dn=unraid692.7z

==Containers==

''Containers'' are a method of isolating running processes from the host OS and from other processes. BSD calls them "jails".

There are a number of reasons why containers are neat:
* Less overhead than standard virtual machines, because you aren't virtualizing an entire kernel.
* Process isolation.
* Containers are portable (even more so than VMs). You can create a container, configure it however you want, and deploy it again somewhere else.
* Like VMs, removing containers, rebuilding them from scratch, or restoring a backup is easy.
* Containers are incredibly easy to deploy, and you can find pre-built container images online.

There are two types of containers: application and system. Application containers, such as Docker, are designed to package and run a single service. Once the application is packaged, it can be tested and deployed to different environments without any changes. This makes it easy to scale and manage the application.

System containers, on the other hand, are designed to simulate a full system. They are more like lightweight virtual machines. They can run full-featured environments and system services, and even contain their own process space, users, network stacks, and file systems. LXC is an example of a system container runtime.

Regardless of the route you decide to go, the best practice is to keep the host OS as clean as possible and to install each individual application (such as Plex, Samba, etc.) in its own container.

===Docker===
Instead of simulating an entire Linux OS (like LXC), Docker virtualizes a single application. This makes management easy and safe, since your applications never touch the base file system.

While popular and easy to learn, [https://catern.com/docker.html Docker has some downsides.] Some people go overboard with Docker containerization and make things more complicated than they need to be. But Docker can excel when used in the right situations.

There are a number of platforms that make managing your numerous Docker containers easy:

'''[https://github.com/portainer/portainer Portainer]''': provides a GUI to "manage all your orchestrator resources (containers, images, volumes, networks and more)".

'''[https://podman.io Podman]''': not strictly Docker. A platform to run all sorts of containers.

===LXC/LXD===

If you are considering LXC, take a look at Proxmox and its built-in LXC support. It offers a very convenient platform that makes container management a breeze.

LXD is built on top of LXC and offers a more user-friendly way to manage your containers. LXC is a low-level tool for running containers, while LXD is a high-level tool for managing them.

[[Home_Server/LXC_vs_Docker|What differentiates LXC from Docker?]]

LXC containers have two privilege levels: privileged and unprivileged. '''According to the LXC documentation, privileged containers are "not safe at all and should only be used in environments where unprivileged containers aren't available and where you would trust your container's user with root access to the host."''' If you need a privileged container, chances are you aren't configuring LXC correctly (LXC provides many ways to give specific permissions to containers) or should just use a VM.

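An added example, not from the wiki or from Proxmox: a shell check that lists which Proxmox containers run privileged, the case the LXC documentation warns about. Proxmox stores one config per container as /etc/pve/lxc/<vmid>.conf and marks unprivileged ones with an "unprivileged: 1" line; the two sample configs below are constructed.

```sh
# Added example, not from the wiki or from Proxmox. Lists privileged
# containers from Proxmox CT configs (one /etc/pve/lxc/<vmid>.conf each).
# Proxmox writes "unprivileged: 1" for unprivileged CTs; a config without
# that line is a privileged container (the default for older CTs).

# Print "vmid hostname privileged|unprivileged" for every config in $1.
pve_ct_privilege() {                  # $1=directory holding <vmid>.conf files
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        vmid=${conf##*/}; vmid=${vmid%.conf}
        host=$(sed -n 's/^hostname: *//p' "$conf" | head -n 1)
        if grep -qE '^unprivileged: *1$' "$conf"; then
            level=unprivileged
        else
            level=privileged
        fi
        printf '%s %s %s\n' "$vmid" "${host:-?}" "$level"
    done
}

# Exit 0 when no container is privileged, 1 otherwise (report on stdout).
pve_require_unprivileged() {          # $1=config directory
    bad=$(pve_ct_privilege "$1" | awk '$3 == "privileged"')
    [ -z "$bad" ] && return 0
    printf 'privileged containers found:\n%s\n' "$bad"
    return 1
}

# Constructed sample: two CTs, one created privileged (no "unprivileged" line).
sample=$(mktemp -d)
cat > "$sample/100.conf" <<'EOF'
arch: amd64
cores: 2
hostname: jellyfin
memory: 2048
ostype: debian
rootfs: local-zfs:subvol-100-disk-0,size=8G
unprivileged: 1
EOF
cat > "$sample/101.conf" <<'EOF'
arch: amd64
cores: 1
hostname: samba
memory: 512
ostype: debian
rootfs: local-zfs:subvol-101-disk-0,size=8G
EOF
pve_require_unprivileged "$sample" || true    # reports "101 samba privileged"
```

On a real node run it as `pve_require_unprivileged /etc/pve/lxc`; a non-zero exit makes it usable from a cron job or monitoring check.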
===BSD Jails===
Jails are BSD's version of containers. Since TrueNAS CORE is FreeBSD based, you will be using these instead of LXC and Docker.

* [https://www.truenas.com/docs/hub/tasks/advanced/jails/ TrueNAS jail documentation]
* [https://www.ixsystems.com/documentation/freenas/11.3-U5/jails.html#additional-storage Give jails access to host storage] - the jail version of bind mounting
* [https://www.freebsd.org/doc/handbook/jails-build.html FreeBSD jail documentation]

==Hard Drives & Storage==

The slang for spinning hard drives is ''spinning rust''; the abbreviation is ''HDD''.

[[Home_Server/Shingled_Magnetic_Recording|Ever come across anons arguing over SMR vs. CMR?]]

===Hard Drive Recommendations===
See [[Home_Server/Hard_Drive_Recommendations]]

===SSDs===
While SSDs are very fast, they cost significantly more than HDDs. As such, the standard procedure is to store your data on HDDs and install the operating system on an SSD.

Check out the [https://ssd.borecraft.com/SSD_Buying_Guide_List.pdf SSD buying guide] for more on SSDs. If you skipped the HDDs and have a large SSD array, post the details in /hsg/ so we can all drool.

===Shucking===
Hard drive shucking is the process of purchasing an external hard drive enclosure (such as the WD Easystore) and splitting it open to extract the drive inside.

[[Home_Server/Shucking]]

===Adding More SATA Ports===
If you run out of SATA ports on your motherboard but require more storage, there are a number of options for increasing the number of drives your server can support.

See [[Home_Server/Storage/Adding_More_SATA_Ports]]

==RAID==
{{Warning|RAID is '''NOT''' a backup. Not even RAID 1. RAID doesn't protect against accidental file deletion or the complete death of an array. See the [[Backups]] page for more on backups.}}

RAID (Redundant Array of Independent Disks) is a technique where multiple physical hard drives are combined into a single logical unit for the purposes of redundancy, speed, or both. Data is stored in different places on multiple hard disks to prevent loss in the case of a drive failure.

[[Home_Server/RAID|RAID is an expansive subject, so it's gotten its own page.]]

==Backups==
For more info on generic backups, see the [[Backups]] page.

===Proxmox Backup Server===
https://www.proxmox.com/en/proxmox-backup-server/overview

Proxmox developed a special server OS designed for one thing: storing backups. It has all sorts of very handy features that make the backup and restore process effortless. It can be tightly integrated into the Proxmox Virtual Environment to enable one-click backup and restore. Proxmox also provides standalone Debian clients that bare-metal hosts can use to back up to the server.

One of the main advantages is its ability to perform incremental backups, meaning it only backs up changes made since the last backup, significantly reducing the time and storage space required. The backup server can also automatically test backups to ensure they will restore successfully if needed.

Using the Proxmox Backup Server eliminates the hassle of backups. Even if you only have one server, running a Proxmox Backup Server is a worthwhile investment.

==Networking==
===Switches===
Connecting your server to the internet requires a physical Ethernet line. But what if you run out of jacks on your router? Get a switch!

There are two types of switches: ''managed'' and ''unmanaged''. Managed switches can be configured and support advanced networking concepts, while unmanaged switches are plug and play with no configuration capabilities. Unmanaged switches are cheaper than managed ones.

Don't cheap out on switches or you'll be wondering why your network is much slower than it should be. Expect to pay at least $20.

[[Home_Server/Networking/Switches|Switch comparison table]]

===Ethernet===
Ethernet cables come in different types, each designed for specific networking and data transfer needs.

Cat 5e supports up to 1 Gbps at 100 meters. This is the standard choice for most networks and building wiring. Higher categories such as 6, 6a, and 7 support faster speeds and reject electromagnetic interference better. Even if your LAN (your internal network) only supports 1 Gbps, using higher categories is beneficial. For more info, see the [[Home_Server/Networking/Ethernet#Ethernet CAT Specs|detailed Ethernet CAT Specs page]].

''The speed of your LAN is determined by the network interfaces of your servers and the capabilities of your switches.''

You will see numbers like ''10/100/1000'' on networking hardware. This refers to the data transfer speed of the network hardware and is measured in megabits per second (Mbps). Make sure your hardware supports 1000 Mbps (1 Gbps). If you only see ''10/100'', the hardware only supports a maximum of 100 Mbps. Trash it.

===Routers===
'''ISP provided:''' these routers can be very locked down, but most have the capability to enable "bridge mode". This disables all router functionality so the device only serves as a simple modem. You then plug your own router into it.

'''Consumer:''' Netgear, TP-Link, Linksys, Asus, etc. Base firmware is usually subpar, but [https://openwrt.org/ OpenWRT] can turn them into a powerhouse.

'''Prosumer:''' Ubiquiti, EnGenius, MikroTik. These should handle whatever you throw at them.

'''Enterprise:''' Usually overpowered for the homelab. [[Home_Server/Used_Servers|All the caveats of used servers apply.]]

'''Custom:''' Custom hardware (i.e. a thin client or desktop) running [https://opnsense.org/ OPNsense] or [https://www.pfsense.org/ pfSense]. Very powerful machines capable of performing all network tasks. Steep learning curve, but ''extremely'' useful in any home network.

===Network Interface Cards (NICs)===
Intel network cards are considered among the best for servers due to their high performance, reliability, and advanced features. They are designed to handle heavy network traffic efficiently, making them ideal for server environments. Intel cards usually start at $30 used on eBay.

Cheaper network cards tend to use Realtek chips. The key difference is that Realtek network cards offload much of the network processing to the CPU. This means the CPU has to do more work, which can reduce the overall performance of the server under heavy load.

If you build an OPNsense/pfSense router, make sure you use Intel network cards. In addition to the performance concerns, BSD and the router software have compatibility issues with Realtek.

==Uninterruptible Power Supply==
An Uninterruptible Power Supply (UPS) is a device that provides emergency power when the main power fails. It ensures the continuous operation of connected devices and prevents the data loss or damage that sudden power outages can cause. A UPS rides through outages a few seconds in duration and gives the servers adequate time to shut down in the event of an extended outage. A UPS also provides power conditioning, protecting against power surges, voltage spikes, and frequency variations, which can harm the connected devices.

A basic UPS can be bought for $60 and powers a couple of machines. A full-featured UPS is around $200 and includes advanced monitoring and signaling to connected machines via [https://wiki.archlinux.org/title/Network_UPS_Tools NUT] (you should set up the auto-shutdown feature if your UPS supports it).

It's highly recommended you purchase a UPS to protect your machines, even if you don't expect any outages.

A UPS's capacity is measured in volt-amperes (VA). A capacity of 400 VA is good for one or two desktops. A capacity of 1500 VA can run multiple large servers.

Popular brands are CyberPower and APC. Always buy UPSes new, never used.

==Security==
Unlike a desktop, your server is always working. It accepts connections from the internet and is easy to discover. This means special security measures must be taken to protect your network and services.

Refer to [[Security#Threat_analysis]] for an introduction to what kind of threats you may face and how to mitigate them.

Basic measures include:
* Separate privileges. Only give users the exact permissions they require and nothing more.
* Only forward the specific ports required for your services.
* Keep software updated.
* '''Don't be lazy.'''

===Opening to the Wider Internet===
Just as your home address is visible to anyone who walks by, your IP address is visible to anyone who knows how to look for it. This includes IP scanners, tools that scan the whole internet. Don't expect anything you host to be secret once you let it out of your firewall.

This is fine for things like personal websites, but hypervisor dashboards and other admin panels should '''never''' be exposed.

Some people think that if you host something on a very high port number (like port 55432), you'll be safe. That's not true; it is a false sense of security. Security through obscurity is '''never''' safe.

The SSH port (port 22) is a very popular scanning target. If you allow SSH out of your firewall, then you should disable password authentication and only use certificate-based authentication. Using fail2ban to block repeated authentication failures is also a good idea. Don't try changing the SSH port; that's a false sense of security. You should avoid exposing your SSH server at all and only have it accessible on your local network, which you then connect to through a VPN.

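The following is an added example, not from the wiki or from OpenSSH or fail2ban: a POSIX shell audit for the SSH advice above. It reads an sshd_config, flags the settings that still permit password logins (including the keyboard-interactive route that can stay open on PAM-based systems when only PasswordAuthentication is switched off), and writes a hardened drop-in plus a fail2ban jail. File locations are assumptions; the demo runs on a constructed config in a temp directory.

```sh
# Added example, not from the wiki page. Audits an sshd_config for the
# settings the text above calls for and writes the hardening files.
# All paths are assumptions for the demo; nothing here restarts sshd.

# Effective value of a directive. sshd keeps the FIRST value it reads and
# ignores later duplicates, so the first match wins; if the directive is
# absent the built-in default ($3) applies. Match blocks are not handled.
ssh_directive() {                     # $1=config file $2=directive $3=default
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then
        printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
    else
        printf '%s\n' "$3"
    fi
}

# Print one line per weak setting; exit 0 only when every check passes.
ssh_audit() {                         # $1=path to sshd_config
    f=$1; rc=0
    [ "$(ssh_directive "$f" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' (default is yes)"; rc=1; }
    # With UsePAM, keyboard-interactive still prompts for the password unless
    # this is off too. The pre-8.7 name was ChallengeResponseAuthentication,
    # so fall back to that value when the new directive is absent.
    kbd=$(ssh_directive "$f" KbdInteractiveAuthentication \
          "$(ssh_directive "$f" ChallengeResponseAuthentication yes)")
    [ "$kbd" = no ] ||
        { echo "FAIL: KbdInteractiveAuthentication is not 'no'"; rc=1; }
    [ "$(ssh_directive "$f" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication has been switched off"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $f only allows key-based login"; fi
    return "$rc"
}

# OpenSSH 8.2+ reads /etc/ssh/sshd_config.d/*.conf through an Include line;
# because the first value wins, that Include must sit above any conflicting
# directive in sshd_config (the Debian/Ubuntu default file has it at the top).
ssh_write_dropin() {                  # $1=destination, e.g. /etc/ssh/sshd_config.d/10-keys-only.conf
    cat > "$1" <<'EOF'
# Key-based logins only; no password prompts by any route
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# fail2ban: jail.local overrides jail.conf, which already defines the sshd
# jail (port, log path, filter); only enable and tune it here.
fail2ban_write_jail() {               # $1=destination, e.g. /etc/fail2ban/jail.local
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Demo on a constructed, deliberately weak config in a temp dir.
demo=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin no\n' > "$demo/sshd_config.weak"
ssh_audit "$demo/sshd_config.weak" || true      # prints the FAIL lines
ssh_write_dropin "$demo/10-keys-only.conf"
fail2ban_write_jail "$demo/jail.local"
ssh_audit "$demo/10-keys-only.conf"             # prints OK
# After installing for real:  sshd -t && systemctl reload ssh   (unit is "ssh" on Debian/Ubuntu)
```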
===VPNs===
As you probably already know, a Virtual Private Network (VPN) is a service that allows you to connect to the internet in a secure way by providing an encrypted connection.

This technology can be used to remote into your home network and access your servers. By connecting to a VPN server set up on your home network, you can access your home servers as if you were physically present in your home. This is neat because it means you don't have to expose your internal services (hypervisor dashboards, admin panels, SSH, private services only you use) to the outside world. You only have to port forward your VPN port, and you can access your home network from anywhere.

Make sure you check out overlay networks; they're really cool.

====WireGuard====

{{Quote|WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.|WireGuard|WireGuard homepage}}

WireGuard also has Linux kernel modules, making it a very performant VPN. It's also designed not to respond if a peer fails to authenticate, which keeps IP scanners from detecting what is running on that port.

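An added example, not from the wiki or the WireGuard project, covering both the "only port forward your VPN port" advice here and the admin-panel warning in the Security section: a shell script that writes a WireGuard server config, a split-tunnel peer config, and an nftables input policy that opens only the VPN port to the internet while leaving SSH and the Proxmox web UI reachable from the LAN and the tunnel. The subnets, port and key placeholders are assumptions.

```sh
# Added example, not from the wiki or WireGuard. Assumed layout:
#   LAN 192.168.1.0/24, tunnel 10.8.0.0/24, server listens on UDP 51820,
#   the router forwards only UDP 51820 to the server. Keys are placeholders:
#   generate real ones with   wg genkey | tee server.key | wg pubkey > server.pub

WG_PORT=51820
WG_NET=10.8.0.0/24
LAN_NET=192.168.1.0/24

wg_server_conf() {            # $1=server private key  $2=peer public key  $3=peer tunnel IP
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1

# One [Peer] block per device. On the server, AllowedIPs is a source filter:
# packets from this peer are accepted only if they come from $3/32.
[Peer]
PublicKey = $2
AllowedIPs = $3/32
EOF
}

wg_peer_conf() {              # $1=peer private key $2=server public key $3=peer tunnel IP $4=public endpoint
    cat <<EOF
[Interface]
Address = $3/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $4:$WG_PORT
# Split tunnel: only the home LAN and the tunnel subnet go through the VPN,
# so admin panels are reachable while ordinary browsing stays local.
AllowedIPs = $WG_NET, $LAN_NET
# Keeps the NAT mapping alive when the peer sits behind a home router.
PersistentKeepalive = 25
EOF
}

# nftables input policy for the server host: WireGuard from anywhere,
# SSH (22) and the Proxmox web UI (8006) only from the LAN or the tunnel,
# everything else dropped. WireGuard itself stays silent to unauthenticated
# packets, so an internet scan of the VPN port sees nothing.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        udp dport $WG_PORT accept
        ip saddr { $LAN_NET, $WG_NET } tcp dport { 22, 8006 } accept
    }
}
EOF
}

# Demo with placeholder keys written to a temp dir; substitute the real keys.
out=$(mktemp -d)
wg_server_conf '<server-private-key>' '<laptop-public-key>' 10.8.0.2 > "$out/wg0.conf"
wg_peer_conf '<laptop-private-key>' '<server-public-key>' 10.8.0.2 home.example.net > "$out/laptop.conf"
nft_ruleset > "$out/nftables.conf"
# Syntax-check the firewall file before loading it:  nft -c -f "$out/nftables.conf"
```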
====OpenVPN====
An older, classic VPN server. Stick with WireGuard unless you need OpenVPN specifically.

===Overlay Networks and Mesh VPNs===
An overlay network is a network built on top of another network (such as the internet) that sends its traffic through that infrastructure. The key benefit of overlay networks is that they can be deployed without changing the underlying physical network. Instead, they are implemented in software on the nodes of the network.

Mesh VPNs use a peer-to-peer model to create a secure shared environment for their users. They consist of nodes that send traffic between themselves rather than through a central server.

How do these two technologies connect you to your home servers? They eliminate the need for a central server and allow your servers to communicate across any network boundary without opening any ports. Traffic is encrypted between nodes, which is a convenient extra layer of security.

Despite their distributed nature, overlay networks and mesh VPNs always require some sort of cloud server with a static IP to help nodes cross NAT boundaries and discover each other.

'''Warning:''' If the addressing of your overlay network conflicts with the addressing of the physical network you are connected to, traffic won't be able to flow. Make sure you pick an IP range for your overlay network that won't conflict with other networks. 100.64.0.0/10 is a good choice and is recommended by Tailscale.

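An added example for the addressing warning above, not from the wiki or from Nebula or Tailscale: a shell check that tells you whether a planned overlay range collides with any route already on a host, using only shell arithmetic so it runs anywhere. The route table is a constructed sample in ip -4 route format.

```sh
# Added example, not from the wiki, Nebula or Tailscale. Checks a planned
# overlay range against the routes already on a host. The route table below
# is a constructed sample in "ip -4 route" format; on a real host pipe in
# the live table:   ip -4 route | overlay_conflicts 100.64.0.0/10

ip2int() {                       # dotted quad -> 32-bit integer
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Two CIDR blocks overlap when they agree on the shorter of the two prefixes.
cidr_overlaps() {                # $1=a.b.c.d/len  $2=e.f.g.h/len ; exit 0 if overlapping
    n1=$(ip2int "${1%/*}"); l1=${1#*/}
    n2=$(ip2int "${2%/*}"); l2=${2#*/}
    len=$(( l1 < l2 ? l1 : l2 ))
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Read routes on stdin, print every prefix that collides with $1, exit 1 if any.
# "default" and bare host routes (no slash) are skipped.
overlay_conflicts() {            # $1=planned overlay CIDR
    rc=0
    while read -r dst rest; do
        case $dst in
            */*) if cidr_overlaps "$1" "$dst"; then
                     echo "CONFLICT: $1 overlaps route $dst ($rest)"; rc=1
                 fi ;;
        esac
    done
    return $rc
}

# Constructed sample: a home LAN plus a work VPN that pushes 10.0.0.0/8.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/8 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

printf '%s\n' "$SAMPLE_ROUTES" | overlay_conflicts 10.42.0.0/16 || true    # collides with 10.0.0.0/8
printf '%s\n' "$SAMPLE_ROUTES" | overlay_conflicts 100.64.0.0/10 && echo "100.64.0.0/10 is clear"
```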
The two leading overlay networks are Nebula and Tailscale. Both are excellent choices.

====Nebula====
[https://github.com/slackhq/nebula Nebula] is an open source overlay network developed by Slack to connect their many datacenters. It has a "focus on performance, simplicity and security". Simplicity is Nebula's main selling point, and it is extremely easy to get a Nebula network up and running: just generate certs and set up a "lighthouse" (what Nebula calls the discovery cloud server).

A lighthouse requires very few compute resources, and you can easily run a very large network off the cheapest cloud VPS you can find (they suggest the $5/mo DigitalOcean server).

Nebula also features a per-node stateful firewall that enables network segmentation, something other overlay networks lack.

Nebula does not support IPv6 inside the overlay network. [https://github.com/slackhq/nebula/issues/6 The GitHub issue tracking progress on implementing IPv6 in Nebula.]

* [https://www.defined.net/blog/nebula-is-not-the-fastest-mesh-vpn/ Nebula benchmark]
* [https://www.defined.net/blog/nebula-vs-wireguard/ Nebula vs. WireGuard]

====Tailscale====
[https://github.com/tailscale/tailscale Tailscale] is built on WireGuard and is similar to Nebula in its capabilities.

The biggest difference is that Tailscale has strong user-based SSO authentication. Nebula lacks this, as its authentication is machine based. This introduces additional complexity that may not be necessary for the home environment.

[https://tailscale.com/compare/nebula Comparison between Tailscale and Nebula.]

Tailscale's discovery server is called a "coordination server" and is not open source. [https://github.com/juanfont/headscale Headscale] is an open source drop-in replacement.

Tailscale supports IPv6 inside the overlay network, greatly reducing the likelihood of an address conflict with the physical network.

====Doing Cool Things With Overlay Networks====
Tired of trying to remember which IP address is which? Run an internal DNS server only accessible through your overlay network and assign your hosts easy-to-remember domain names! Use .nb if you are on Nebula, or maybe .ts if you use Tailscale. Then run [https://nginxproxymanager.com/ Nginx Proxy Manager] on your lighthouse or coordination server and enjoy free, unique domains only you can access!

===UnattendedUpgrades===
UnattendedUpgrades is a software package for Debian-based systems that automatically installs security updates and other minor system upgrades. It is designed to keep the system secure and up to date without requiring manual intervention.

This is super useful for servers: it saves time and effort, reduces the risk of security vulnerabilities, and helps ensure that systems are always running the latest, most stable versions of their software.

Many vulnerabilities result from vulnerable, out-of-date software. UnattendedUpgrades prevents this.

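An added example, not from the wiki or the unattended-upgrades project: the two APT configuration files that switch on daily security updates on Debian or Ubuntu, together with a check that reads them back. The apt.conf.d directory is a parameter (normally /etc/apt/apt.conf.d); the demo writes into a temp directory.

```sh
# Added example, not from the wiki or the unattended-upgrades project.
# Writes the two APT config files that turn on automatic security updates
# on Debian/Ubuntu, plus a checker that reads them back. $1 is the apt.conf.d
# directory (normally /etc/apt/apt.conf.d); a temp dir is used for the demo.

write_auto_upgrades() {               # $1=apt.conf.d directory
    # Periodic timers: refresh package lists and run unattended-upgrade daily.
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
    # Scalar values here override 50unattended-upgrades (APT reads the files
    # in lexical order); list entries such as Origins-Pattern are appended to
    # it. Only the security pocket is installed automatically, and because a
    # kernel or libc update does nothing until reboot, reboot at a quiet hour.
    cat > "$1/52unattended-upgrades-local" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    "origin=Ubuntu,archive=${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
EOF
}

# Read an apt.conf.d directory back: exit 0 only if the daily unattended
# upgrade run is switched on and a security origin is configured.
auto_upgrades_enabled() {             # $1=apt.conf.d directory
    cat "$1"/* 2>/dev/null | grep -qE '^APT::Periodic::Unattended-Upgrade "1";' || return 1
    cat "$1"/* 2>/dev/null | grep -qi 'security' || return 1
    return 0
}

# Demo in a temp dir.
demo=$(mktemp -d)
write_auto_upgrades "$demo"
auto_upgrades_enabled "$demo" && echo "automatic security upgrades configured in $demo"
# On a real host, after writing into /etc/apt/apt.conf.d:
#   apt install unattended-upgrades && unattended-upgrade --dry-run --debug
```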
==Monitoring==

Monitoring allows you to detect and send alerts when things break, rather than having months go by before discovering something is wrong. Even if you have only one machine, a monitoring platform can be helpful. Some good options include Icinga2, Zabbix, and Uptime Kuma.

==Miscellaneous==
[[Home_Server/hsg_OP_Pasta|/hsg/ OP Pasta]]

==External Links==
* [https://haydenjames.io/home-lab-beginners-guide-hardware/ Home server hardware] - Hayden James' home lab setup
* [https://forums.servethehome.com/index.php STH Forums] - Good general resource for server questions
* Learn the command line
:# http://mywiki.wooledge.org/BashGuide
:# http://wiki.bash-hackers.org/
:# http://www.grymoire.com/Unix
:# https://perfectmediaserver.com
:# http://overthewire.org/wargames/bandit
* [https://www.servethehome.com/hp-t620-plus-thin-client-and-firewall-vpn-appliance/ HP T620 Plus] - Decent cheap computer. You can use it as a VPN, pfSense firewall, and more:
** [https://youtu.be/VCiIsDHIoU8 Overview]
** [https://youtu.be/cRSZ_pDO1SY Buyers guide]
** [https://youtu.be/pV1iPJ6vmhE Upgrade RAM]
* [https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/ Tiny Certificate Authority For Your Homelab]