Networking is super simple - or at least it started out like that. Then we ran out of numbers, and had to invent nat. Then we invented ipv6, which has lots of numbers, but is unfathomably complicated.
I recommend learning about NAT / network address translation. NAT is not a stateful firewall, but acts kinda like one.
You can understand a stateful firewall by understanding the tcp handshake. TCP is hugely important. Don’t worry about fin_wait_2 and that nonsense, just get syn/synack/ack down.
People will brush off udp because it’s easier, but it’s also important.
Once you get NAT/stateful firewalls, I would look into wireguard. That’s the protocol underneath tailscale. Know that it wraps your tcp packets in an encrypted udp datagram. Then find out how tailscale sets up your wireguard connections without port forwarding - or don’t, as webrtc-style signaling is famously impossibly complicated.
Here’s what you should do - spin up all the services you want, but put them behind an nginx reverse proxy. Then put that behind a WAF. Getting those layers aligned will teach you a huge amount of useful stuff.
In general, don’t worry about hackers unless exposing a port to the internet. Then worry. Your router’s stateful firewall will do a good job until you poke holes in it.
If you want a cool side project, listen on port 20 and dump the characters that the web scanners send to you. If they don’t send anything, send a username prompt after the tcp handshake - the robots will give you the login creds that they try against weak boxes :)
Hey! Best of luck, I’m actually going down the same road at the moment :)
I would build it yourself - it’s more fun, and is cheaper than renting over a shorter-than-you-would-think time period.
The first thing to know is whether or not you can port-forward / if your isp has you behind nat.
Exposing virtual disks is relatively straightforward, or even just storage quotas on a single disk. I’m about to jump into the wide world of zfs; I need to glue together 4+ disks into a single storage array.
If you want everyone to have a separate VM, you’ll need some kind of hypervisor underneath. Could you grant everyone a user account in a single system, and use docker for separation?
It sounds like the others will be connecting remotely - make sure you use ssh keys (not passwords) and disable root over ssh. Once ssh is exposed to the internet, you’ll see a lot of failed login attempts