What's actually being done here is buried in a mass of analogies. AFAICT it's:
* Exposing a server running on the home network (behind NAT on a dynamic IP) to the internet.
* Doing so by renting a cheap VPS and using wireguard to forward traffic to the server at home.
I love wireguard and use it continuously. My phone has always on wireguard to my home network so all my phone traffic goes through my home router/dns, I can access the various private servers I have at home, get dns based ad blocking etc. I use an ISP that give me a static IP so it was easy to set up. It works like a dream.
That said when I want to run a public server I just rent a VPS and run it on that. I don't want anything I don't own initiating connections to anything on my home network in any way.
> That said when I want to run a public server I just rent a VPS and run it on that
I have a setup similar to the OP and there's a really good reason for it: cost. For $2k in hardware (one time) and a VPS + electricity at $20/mo, I can run a 64 core, 192Gb, 24TB server. Let's call that $4400 over the course of 10 years. You would burn through that budget in roughly 1 month to get the same specs on AWS.
Obviously I'm neglecting the impact and cost of network, if it's a hobby you can just reuse your existing connection but you can always buy a dedicated line (and adjust the cost calculation accordingly)
In terms of security, you can mitigate the surface area by running a reverse proxy on the VPS. I've got nginx on the front line which does TLS then proxy_passes to my basement server at its wireguard IP address. So it's strictly limited to http, no direct database or ssh access.
I don't know if I'd ever run a "real" website this way but it's great for hobbies and side projects.
Would be surprised if you would still be using that server actively after 10 years.
I wonder how you build such a hardware with just $2k (3990x alone seems to cost $3.5k), but with €94/mon you can get 16C32T, 128Gb, 8TB server from Hetzner[1]. It has Zen 3 5950X which has better single core performance than your 64 core assuming that you refer to 3990X, and often single core perf is more important than total perf because you don't use all cores all the time.
I estimate such a configuration to be $2.5k. With $2.5k you can keep the server for 2 years, with network and electricity provided by Hetzner. Also you can terminate it and rent another, better server at any time.
> Would be surprised if you would still be using that server actively after 10 years.
I thank the death of Moore's Law. Compute power obsoletes very slowly these days. Back in the 90s I was buying new equipment every year or two.
My primary hobby server is now 12 years old and going strong. My youngest server is 8 years old.
Every now and then I start shopping for an upgrade but eventually decide I'll spend the money later. It's still good enough for my needs and works well.
Most things don't need that much power. My homelab, NextCloud and family Plex server is a 10 year old i7 with 32gb ram. The only upgrade in 10 years was a PCIe NVME adapter so I could boot from faster storage.
My search engine is self-hosted off hardware with those rough storage specs (well, sans ECC).
I do not regret one bit going for this set-up, although my next step toward scaling this up is indeed going to be some sort of hosted solution, the primary reason being the BTUs and decibels involved in running an actual server from my apartment.
Running a search engine or not, anyone with a serious interest in programming should have a server. I really can't recommend it enough. The ability to run large jobs that chew through hundreds of gigabytes of data for weeks if need be, without considering the cost, that dramatically increases the level of ambition you can have in your projects.
* I had an idea for a re-skinned wikipedia. So I processed all 40 gigabytes of wikipedia articles from an OpenZIM file. Took a week. No big deal. Later I used the same corpus to calculate language data models. That's another several days.
* I had an idea a while back. It required me to screengrab 500,000 websites. So I wrote a python script. Takes anywhere between 0.5-120 seconds per site. It's still not finished by any stretch, but I'm up to about 322,000 screenshots now.
I wouldn’t necessarily argue that the cloud is cheaper as a rule, but I would say that this comparison misrepresents how you’re supposed to use cloud computing and what its strengths are.
That 64 core server is probably sitting nearly idle most of the time. You don’t just spin up big systems on AWS and leave them idle. The whole point of cloud computing is the on-demand scalability.
You can basically spend nothing until a request comes in, and most hobby projects are low traffic.
When you’re not encoding anything, you’re not running much compute.
I think I’ve heard of game servers that wait for players to attempt to connect before starting the instance. If all you’re doing is playing a multiplayer game with friends that instance is going to be off 20+ hours a day.
Still, I haven’t done any napkin math on what applications represent cost savings.
> The whole point of cloud computing is the on-demand scalability.
True, my system is fairly static. But it scales when I need it. As mentioned, it's for my personal use. "on-demand scalability" is a bullshit buzzword in this context. My goal was to buy a machine capable of several specific tasks.
> That 64 core server is probably sitting nearly idle most of the time
> ... plex media server
> ... encoding
> ... game servers
> ... that instance is going to be off 20+ hours a day.
Not those tasks :-) I have no trouble maxxing out my disk IO and memory, slightly more challenging to keep my CPU busy but it's keeping an average load of 4-8.
If you can't keep a machine busy, just turn it off. Simple as that. I would not have bought such a beast if I didn't have a plan keep it busy!
Not OP, but I have an R620 running in my garage I use for self hosting. It has 12 cores (Intel Xeon E5-2665), 96GB of RAM, 10x2.5" drive bays (came empty). The SSDs I use I shuck out of old external USB drives.
Together with a full standing rack on wheels, I bought them for $600 cash (plus U-Haul rental to get it home).
My trick is craigslist in a city with datacenters (PHX). There are resellers here who buy used hardware from local datacenters and resell them to smaller businesses. I've had it running 24x7 for almost 3 years now and it is still going strong.
That makes sense. 2 x 6 core Xeons were cheap even back in the day. And it came without storage. Again, as someone who actually buys straight off FB and Google when they dispose servers (as the companies who you buy from off eBay), I'd really like to know where he got that specific 64 core (which would be a quad socket if it's older than 2015) 192 GB 24 TB server because I'd like to order more than a few. Your server is not even worth 1/20th of what his is worth.
The closest I can get a disposed server with those specs is at least 8k
Not ideal but you can go for used rack mounted servers. You can easily get even better specs for less than 2k with reasonably recent CPUs too (E5-xxxxv3 and up).
At least that was the case when I set up my home server rack ~2 years ago. (Though 24TB might be too much since server grade SAS storage is very expensive even when it's used. So what I did was to buy servers with as little storage as possible and then just put SATA HDDs that I can get for dirt cheap.)
It's a refurb supermicro 2U. DDR4 ECC Ram, 6 spinny disks in a zfs pool. It's older gen hardware and it's really loud. I put it on a makeshift rack and put it far away, heating the corner of my basement! I've got a consumer wifi router with DD-WRT, router has never been the bottleneck (that would be Comcast).
I would but my local colo offers max 25 Mbps (!) networking unless you get the enterprise plan. I'm guessing there's better colo options near a big city?
> I just rent a VPS and run it on that. I don't want anything I don't own initiating connections to anything on my home network in any way.
I do this for my personal web server, but also set up the network rule so that its SSH port is only reachable from my VPN.
IMO, this is super convenient. I can keep my public servers out of my home network (so clear separation of private/public networks), but still a VPN connection is required to log into any of my servers.
What do you do if your VPN goes down and you need access to your server to debug it? Is physical access required or do you have other contingency plans?
In short, you can use cloud providers' web interface as an escape hatch. This just works as long as you manage the firewall using your cloud provider's network filter, such as Security Group, rather than, say, iptables.
Some providers like digitalocean use a serial connection for the terminal, so it works even when the network configuration is completely broken somehow (totally not because you set the input policy to drop without making an accept rule first)
These days, your ISP would (hopefully) give you at least a whole (static) /56, so you can always reserve some prefixes for your not-really-home networks ?
It's a coin toss on if BT will properly allow ipv6 traffic each time the router reboots.
I've had to make provisions to force ipv4 on my machines because although composer et al. runs fine on my vps and elsewhere, if it tries to access it via ipv6 at home it more often than not hangs indefinitely.
"In Europe"? Europe is made of many countries and all ISPs have a national structure (even if they operate in several countries) and they all decide to roll out or not ipv6 independently.
My bad. I forgot that one of the many issues I have with the EU includes the fact that it is also Big Telco's little bitch, and they only institute block-level policies when it suits Deutsche Telekom/Vodafone/Telefonica.
I don't understand. Are you suggesting that the EU should mandate telcos to provide users with ipv6? Why? And who is going to pay for that? Telcos will just push the price to the end users. I don't need ipv6.
Well sure, if you already have your own IPv4 address(es) - but not everyone has !
You forget about the opportunity cost that comes from our broken Internet where you cannot assume end-to-end network connectivity because you might have to deal with NAT and especially CGNAT ! (How many protocols end up overcomplicated (=expensive) and dead in the water because of that ?)
They don't know it by name, but if you tell them that with IPv6 they could ditch their mobile phone service (their home router can run a SIP trunk just fine, so all they need is a non-NATed connection), or that you could create a FON-style mesh network where you could make money by becoming a hotspot provider, they would be more interested.
I'm in Europe, I have yet to have used a residential (or even corporate!) network which has any form of IPv6 support. Of all the networks I've interacted with over the years, only my cell carrier supports IPv6.
Many years old routers had a single external ipv4 and behind the NAT each computer got an internal ipv4 as a way to never end up exhausting the pool of IPs that each ISP has. But it’s been a long while since it has changed:
Most of the home networks I use are still behind a NAT use a single ipv6 to interface the world and within the network each computer has an internally assigned ipv4 just in case some operating system may not be compatible with ipv4.
Still are many old routers using ipv4 only out there as not many people care to renew their hardware as long as their WhatsApp and Netflix works.
Well, if governments really care about IPv6 (and the previous campaigns to push it were not just about "look how progressive we are"), they'll do something similar to what they've done with digital TV broadcasting :
they would first ban the selling of new devices not compatible with IPv6, then forbid ISPs to advertise IPv4-only connections as "Internet", then ban the selling of new IPv4-compatible devices.
(In a few years we're going to reach anyway the point when IPv6-only connections (mostly in Asia) outnumber IPv4-only devices (mostly in Africa, which sucks because they're the least able to afford an upgrade, but then being forced behind CGNAT sucks too).)
Ok, at least in Germany I noticed since I moved here that all residential routers were dual-stack. I even ended up disabling v6 because I wanted to run some things in my home network and I wasn't too sure about the firewall configuration.
Something that I find incredible, but have seen no one contradicting yet, is how when ISPs have started to roll residential IPv6 by default some years ago, they first had no firewall on IPv6 and/or later it was disabled by default (so only few % of users would enable it at best). (Not sure if the situation has changed ?)
Now, IPv6 (when properly implemented, which is another failure mode) comes with much better safety out of the box (like not being able to scan all the suffixes in a reasonable amount of time to find computers on the local network to target), but I'm still impressed that now we seemingly have hundreds of millions of personal computers "directly" connected to the Internet with at best only the OS firewall as protection (when one exists), and it hasn't resulted in major hacking issues ! (yet.)
The difference is a direct IPv6 conmected Windows 7-11 is actually prepared to be on the internet in a way that Windows 95 never was.
There never really was any such thing as a safe network, but it used to be acceptable to assume LAN traffic was safe. Now we know you might be on airport wifi or a large corporate network with compromised systems and the OS and systems software needs to handle that.
Right - and pre-Windows Vista, you would have to install IPv6 support yourself ?
I guess the hackpocalypse will have to wait for when low-end computers (like those in tvs, cameras, personal assistants, connected doorbells, home automation, refrigerators) - you know, "Internet of Shit" that you can't really expect to feature its own firewall (?) finally get upgraded to IPv6 ? (How does it look like today ?)
Comcast in the US does (if you use your own router and configure it correctly.)
There's this goofy band of people that know just enough to bring their own router but don't understand why a misconfigured AAAA record can mess up the happy eyeballs algorithm and are convinced Comcast is "censoring" small business. It's funny and kind of sad to read comments from people who are certain their misconfigured networks are the result of some "international conspiracy" against them. That's probably why Comcast has it turned off on the routers they loan to customers.
Comcast Business requires customers to use a gateway provided by Comcast to support static IP addresses. I was thrilled to finally get IPv6 support, but it seemed impossible to prevent Comcast from inserting their own nameserver in IPv6 leases, which broke my network. I tried running my own dhcpdv6 and radvd servers to no avail. This took me way out of my comfort zone and much deeper into the weeds of IPv6 than I ever expected to go. I finally disabled IPv6 (and I can't even tell you how I did it) to get things working properly again. Maybe I don't have the required skillset to implement IPv6 properly, but I really got the feeling that Comcast introduces unnecessary obstacles for business customers with slightly advanced needs in order to serve the lowest common denominator (aside from my special requirements, IPv6 mostly worked out of the box, which is probably their goal).
Seconding this. It's a very irritating implementation detail of Comcast Business service. It can be worked around of course, if you have a VPS somewhere close-ish with a static IP you can do the whole WireGuard tunnel thing at the cost of some extra moving parts and maybe a minor latency hit. And while overall their business offering is certainly vastly better than their consumer shit, if you're on their router they're still jerks. I've noticed their own pushed WiFi keeps switching itself back on for example. Overall it reinforced my desire to use absolutely anything but Comcast whenever possible, though when it's not I'd still pick business service of consumer service.
Yeah, that has been typically the case a few years ago around here - you could have more than a single /64 on a residential connection (and better than the bare minimum of other IPv6 functionality), but it required to get your own router (and sometimes even spend time with tech support because they wouldn't test that use case as much as their own router that you'd get by default).
You might be already in the minority here (even in the USA !), as it looks like that the cell carriers there now overwhelmingly run on IPv6, and tunneling IPv4, which doesn't always work well ?
If only there was one around here, but alas, they're all basically the same 2-3 ISPs - a couple of main ISPs, then smaller ones who are just using their network and renting bandwidth.
However, VPS and cloud providers generally have bad IP reputation or block ports. We created a service called Hoppy Network that addresses this. It provides a /32 IPv4 and /56 IPv6 over WireGuard, costs $8/month, and can be used to host anything from web servers to SMTP servers. Here's a link.
yes this is precisely how I connect all my computers. I use a VPS as a relay solely for its public static IP. Then every device I own uses that relay to connect via wireguard. It's been a magical experience having 16 bits of private address space populated with vms, r-pis, pcs, phones, etc.
I recently did a deep dive into network overlays (like zerotier); mostly because I have a few self hosted services, and overlays seem to be the hot topic in the self-hosting community. I've come away with the feeling that most people using overlay networks at home are doing it completely wrong and opening themselves up to a world of hurt.
First, network overlays are not easier to setup than VPNs. Installing and configuring a network overlay client on every device is much more work than setting up a single VPN tunnel for every network you want to access. Overlay networks are just easier to plan because there is no planning. But they're not easier to implement.
Second, and far more important, meshing all your devices into a single flat network is dangerous. There is a reason why networks are designed with isolation strategies. Introducing an overlay into your networks breaks down these barriers for you, but also for an attacker.
The only overlay network that has built in firewall capabilities is Nebula. When I started configuring its firewall rules I found myself just recreating my existing segmented networks, but in a much more obtuse way. Instead of configuring a central firewall, I was configuring firewall rules on each device.
After all my research, I'm still running the same segmented network I was running before my overlay experiments. But I would like to give some praise to both Nebula and Yggdrasil. IMHO, these are the two most existing projects coming out of this space right now.
> Second, and far more important, meshing all your devices into a single flat network is dangerous. There is a reason why networks are designed with isolation strategies. Introducing an overlay into your networks breaks down these barriers for you, but also for an attacker.
What prevents you from meshing the individual services on a per-need basis? The fact that they're overlays makes them even more convenient for such isolation.
> The only overlay network that has built in firewall capabilities is Nebula.
Are those built in firewall capabilities really missing from the other networks?
As far as I know, ZeroTier is more of a SDN that an simple overlay (That's what made me interested in ZeroTier in the first place).
If conventional "L4 transport-layer" firewall/routing capabilites are enough for real networks, then ZeroTier SDN capabilities are probably enough for it's virtual networks.
Granted, it doesn't have some nice built-in high-level generic "L7 application-level" firewall capabilities, but I don't trust those in the first place.
I'm not suggesting overlay networks are useless (Slack uses it to connect thousands of machines around the world!). My comment is aimed at the self-hosting community using them as a VPN replacement for remote management / access. I don't see how they are any better than VPNs for this. They're probably worse once you start connecting all the devices you aim to remotely manage into a flat network (mixing internet facing devices that should be DMZ'd with internal devices).
I have a business package but I can't get a static IP because the managed switch is unavailable for the foreseeable future due to components shortage. I was told I'd be lucky if I get one before my contract expires.
* Exposing a server running on the home network (behind NAT on a dynamic IP) to the internet.
* Doing so by renting a cheap VPS and using wireguard to forward traffic to the server at home.
I love wireguard and use it continuously. My phone has always on wireguard to my home network so all my phone traffic goes through my home router/dns, I can access the various private servers I have at home, get dns based ad blocking etc. I use an ISP that give me a static IP so it was easy to set up. It works like a dream.
That said when I want to run a public server I just rent a VPS and run it on that. I don't want anything I don't own initiating connections to anything on my home network in any way.