Dark Arc

I’m surprised, I was pretty sure anything with Battleye flat out rejected virtualization.

I thought Destiny used Battleye but I must be mistaken on one of these points.

Something with 1-click installs like TrueNAS can help quite a bit. It’s still something that requires active involvement from the operator to do well though. If you’re self hosting, it’s like DIY construction, if something falls down … you can’t sue your contractor/nobody’s going to make you whole again except yourself.

There’s also the networking side of things. I just wrote up some thoughts on that as well… https://alexandrite.app/social.packetloss.gg/comment/1821545

Things like ZeroTier/TailScale/Nebula can make this monumentally more approachable and safer. It’s still far from for everyone though.

Yes, WireGuard was designed to fix a lot of these issues. It does change the equation quite a bit. I agree with you on that (I kind of hinted at it but didn’t spell that out I suppose).

That said, WireGuard AFAIK still only works well with static IPs/becomes a PITA once dynamic IPs are in play. I think some of that is mitigated if the device being connected to has a static IP (even if the device being connected from doesn’t). However, that doesn’t cover a lot of self hosting use cases.

Tailscale/ZeroTier/Nebula etc do transfer some control (Nebula can actually be used with fully internal control and ZeroTier can also be used that way as well though you’re going to have to put more work in with ZeroTier … I don’t know about TailScale’s offering here).

Though doing things yourself also (in most cases) means transferring some level of control to a cloud/traditional server hosting provider anyways (e.g, AWS, DigitalOcean, NFO, etc).

Using something like ZeroTier can cutout a cloud provider/VPS entirely in favor of a professionally managed SAS for a lot of folks.

A lot of this just depends on who you trust – yourself or the team running the service(s) you’re relying on – more and how much time you have to practically devote to maintenance. There’s not a “one size fits all answer” but … I think most people are better off doing SAS to form an internal mesh network and running whatever services they’re interested in running inside of that network. It’s a nice tradeoff.

You can still setup device firewalls, SSH key-only authorization, fail2ban, and things of that ilk as a precaution in case their networks do get compromised. These are all things you should do if you’re self hosting … but hobbyist/novices will probably stumble through them/get it wrong, which IMO is more okay in the SAS case because you’ve got a professional security team keeping an eye on things.

The company Tailscale is a giant target and has a much higher risk in getting compromised than my VPN or even accessible services.

One must be careful about this mindset. A bunch of smart lightbulbs that are individually operated aren’t a particularly appealing target either. However, in aggregate… If someone can write a script that abuses security flaws in them or their default configuration … even though you’re not part of a big centralized target, you are part of a class that can be targeted automatically at scale.

Self hosting only yields better security when you are willing to take steps to adequately secure your self hosted services and implement a disaster recovery strategy.

The thing about something like TailScale or ZeroTier or Nebula is that it’s dynamic. These all behave similar to a multiplayer game … a use case every residential firewall should “just get.”

The ports that are “opened” can change regularly, they’re not some standard port that can just be checked to see if it’s open (typically).

Compare that to the average novice opening port 51822 for wireguard or 22 for SSH and you start to see the difference. With those ports, you’ve got a pretty good idea what’s on the other side and it might even be willing to talk to you and give you error messages or TCP ACK packets to confirm it’s there (e.g. SSH).

This advice is as you can probably imagine more relevant to things like OpenVPN that are notoriously hard to correctly configure or application protocols like SSH or HTTP.

With these mesh VPNs you also don’t have to worry about your home dynamic IP changing and breaking your connection at inopportune times… And that’s a huge benefit (IMO). It’s also very easy to tie in new devices to the network.

A lot of it is about outsourcing labor to programs that know how to set up a VPN and make management of it easy. That ties into security because … a LOT of security issues boil down to misconfiguration.

Interesting; well it’s good info/good to know it exist … though, I’m probably going to stick to explicit listing. I like to be able to look at my DNS records and know what connects to what.

I’ve never used wildcard DNS, I’m not even sure that Namecheap DNS supports wildcard. But I’ve also never been in a situation where there’s a dominate single machine I want my DNS to resolve to.

After searching … I’m not entirely sure I would use wildcard DNS https://serverfault.com/a/483625

My preferred strategy is actually alias records and then one primary address record the alias records point to so if I change IPs I can move the machine. I forgot about that last night.

Wow the responses here are really off at the moment. I’m going to try and help.

So, what you’re going to want to do is add all the subdomain A records you need to you DNS (sounds like you’re using cloudflare for that, not required, but that should be fine).

Those DNS records are all going to be the same IP record, that’s fine.

What you need to do after that, so that you don’t have to enter ports is a bit more complicated. For web servers, some kind of reverse proxy like nginx, haproxy, apache, etc is what you need. The term you’re looking for is “virtual host”.

A virtual host setup is basically one where a reverse proxy looks at the domain name that was used to access the server over HTTP and then uses that to decide what server running on the machine you actually talk to.

It’s HTTP that actually is passing along the domain name you used, so if the service isn’t HTTP you may or may not be able to do anything depending on the underlying protocol.

So to recap:

1. Set up your DNS records
2. Set up an HTTP reverse proxy
3. Add virtual hosts for each service you added a DNS record for to the reverse proxy (so that the reverse proxy can turn foo.example.com into example.com:xyz – localhost:xyz in practice, morally example.com:xyz though – behind the scenes)

ZeroTier is also an option in the same vein as TailScale.

You will share your IP with something like TailScale or ZeroTier.

Reverse proxies can be good but with gaming … there’s only so much you can do because of the custom protocols. Most of that stuff isn’t going to care about the DNS. You’re also introducing additional latency if you use a VPS as a “middle man.”

I think you need to consider who you’re going to be giving access to and what threats you’re trying to protect against.

My advice would be to set up ZeroTier on all the machines that are going to play together and set it up so it only allows connections between clients and the server (there’s a guide for this in their documentation). Then give the gaming machine a ZeroTier IP you put in your DNS.

Most games use different ports so there really isn’t a need for lots of DNS names. However, you could assign multiple ZeroTier IPs to the same machine and give each game server its own DNS and its own IP.

Remember that databases were designed to host multiple databases for multiple users… As long as you’re working with maintained software (and you are) it should be pretty trivial to run on the latest version of Postgres and have everything just work using one instance if you’re resource constrained.

Definitely a good point about being able to migrate as well. Postgres has excellent tools for this sort of thing.

It might help if you described what you’re actually trying to forward … and why the source IP matters.

ZeroTier would be my recommendation personally (it does what tailscale does but it’s been doing it longer and you can use whatever IP ranges you need vs some public IPv4 address space TailScale pools from).

https://www.amazon.com/gp/aw/d/B09227RQV2?psc=1&ref=ppx_pop_mob_b_asin_title

This is my favorite rack mount chassis I’ve worked with … and it coincidentally is in that ballpark.

I’ve preferred namecheap for years for their charity fundraising for the EFF and general no-nonsense takes on various Internet related political issues that have come up over the years.

It also helps that the service is also nice with a high quality UI, a generous number of DNS records (you have to watch this, I forget who but one place I used way back when only gave 5 records for free), and I’ve never had issues with their DNS servers.

Eh… TrueNAS UI basically takes care of any zfs learning curve. The main thing I’d note is that RAID 5 & 6 can’t currently be expanded incrementally. So you either need to use mirroring, configure the system upfront to be as big as you expect you’ll need for years to come, or use smaller RAID 5 sets of disk (e.g. create 2 raid 5 volumes with 3 disks each instead of 1 RAID 5 volume with 6 disks).

Not sure what you’re referring to as an easy backup option that zfs excludes, but maybe I’m just ignorant 🙂

TrueNAS Scale is a pretty easy to use option (based on Debian) backed by the excellent ZFS file system.

TrueNAS isn’t just BSD anymore. There’s Scale which is just TrueNAS’s UI and ZFS on top of Debian.

I’m shocked I haven’t seen mention of stranded notes!

https://standardnotes.com/help/47/can-i-self-host-standard-notes

The feeling I get from Belkin is that the hardware is decent, but their software is always atrocious

It’s still a crime. Taking the pictures is a crime. Sharing the pictures is also a crime.

Gotcha, thanks for the clarification