Hello everyone, I would need some advice on my setup.
I had an ISP with basic DSL 60/20Mbps and I was hosting my services at home with SWAG as a main proxy, opening the ports. I ordered 2 days ago a plan with a new ISP for a 1Gbps line, that offered port forwarding as well. The installation was done today and it turns out they retired the port forwarding on my offer yesterday.
I can see potentially 3 choices:
- stay with the old ISP and the slow-ish line. My main issue was the uplink speed that made off-site backup a pain
- go with the new ISP but order the higher speed plan that is £25/month more expensive, and without a proper guarantee that they will keep offering the port forwarding
- use the non-port forwarding option, but rent a small VPS that would act as a front-end (through zerotier/tailscale/direct wireguard), paying a small latency cost when accessing remotely.
I am not fully sure about the pros and cons of the different ways on the last option. I would be kin on keeping my home server fully capable, the point of me self-hosting being to cope with temporary disconnection at home. But then you can either have an IP table routing in the VPS to forward everything on the used port, or have another nginx proxy there to redirect everything. And I am not fully sure VPS providers are generally OK with this kind of use.
Has anyone got a similar setup to option 3 and would have some advices?
Edit 1: Thanks a lot for your comments everyone!
I got a small VPS (not the cheapest one yet) and setup a wireguard tunnel following this principle and it seems to be working so far. I’ll monitor a bit the situation as I have 14 days to cancel my plan. I’ll also see how it works for gitea running in docker in the NAT and ssh forwarding, I suspect this will be a fun endeavour.
I decided to avoid using cloudflare tunnel. And I am avoiding using a nginx proxy at the moment as I would need to ensure the certificates are properly synced between the two (or maybe letsencrypt allows you to have two certificates for the same domain?)
If your self-served stuff is just for you or family, I use tailscale for that. Nothing publicly enabled, have to be in the tailscale net to access.
A couple thoughts for you. I have a wonderful local fiber ISP and when I got hooked up, I discovered they were doing CG-NAT on residential connections. I called up and asked if I could have a public IP to host services and they just immediately gave me one. Definitely not the stereotypical ISP interaction, but if you haven’t already tried asking politely, it might be worth a shot.
On the last item, yes, letsencrypt lets you get certs for the same domain from multiple hosts, but I’ll often use a self-signed cert on the host and then get the public-facing cert at the reverse proxy level. No need to coordinate copying certs over in most cases.
I have about 25 letsencrypt certificates on the same domain, so that is definitely not an issue.
With Lemmy, it will depend more on the amount of media that your users upload than anything. With Mastodon, you also will have to consider the amount of data in the cache.
With Mastodon, I have (small) instances running for about an year or so which are using less than 100GB, and I have instances from power users that went on to take ~250GB in less than a month.
You can set up Mastodon to delete posts after a certain age and to clear the remote cache periodically. This would help mitigate both things.
Slap CloudFlare tunnel in front of your web services and call it a quits?
