nginx
Plex
Radarr / Sonarr / SABnzbd / qBittorrent / ZeroTier -> online.net server
FreeNAS x2
Active Directory
At home:
nginx
vCenter
urbackup
UniFi SDN, Protect
Portainer / unms / Bitwarden
Wordpress (isolated)
Guacamole
PiHole
InfluxDB / grafana
Active Directory
Windows 10 VM for Java things
L2TP on my router
Everything I expose to the world goes through CloudFlare and nginx with Authenticated Origin Pulls [0], firewalled to CF's IPs [1], and forced SSL using CF's self-signed certs. I'm invisible to Shodan / port scans.
Have been meaning to move more to colo, especially my Wordpress install and some Wordpress.com-hosted sites, but inertia.
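The nginx side of the setup described above (Cloudflare Authenticated Origin Pulls plus an allow list limited to Cloudflare's ranges), as an added example rather than the commenter's own config. Certificate paths, the server name and the upstream are assumptions; the `allow` entry is a placeholder and the full current list has to be taken from [1].

```nginx
# Added example: origin server that only accepts TLS connections from
# Cloudflare's edge, proving it with a client certificate.
server {
    listen 443 ssl;
    server_name example.home.invalid;   # assumption

    # Origin certificate presented to Cloudflare (path is an assumption).
    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls [0]: require a client certificate signed by
    # Cloudflare's origin-pull CA; anything without it is rejected at the
    # TLS handshake (HTTP 400), before any location block runs.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;  # assumption
    ssl_verify_client      on;

    # Second layer: only Cloudflare's published ranges [1] may reach this
    # vhost at all. Placeholder range shown; list every range from [1]
    # and keep it in sync (it changes), or enforce the same list on the
    # host firewall as the comment above describes.
    allow 203.0.113.0/24;   # PLACEHOLDER, not a Cloudflare range
    deny  all;

    # Restore the visitor's real address from Cloudflare's header, trusting
    # it only when the connection came from one of the allowed ranges.
    set_real_ip_from 203.0.113.0/24;   # PLACEHOLDER, same list as above
    real_ip_header   CF-Connecting-IP;

    location / {
        proxy_pass         http://127.0.0.1:8080;   # assumption: internal app
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# Anything hitting port 443 with no matching server_name (e.g. a scanner
# that found the IP by other means) gets the connection dropped.
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/certs/origin.pem;   # assumption
    ssl_certificate_key /etc/nginx/certs/origin.key;   # assumption
    return 444;
}
```

Check it from outside the allowed ranges: the handshake should fail or return 400 without the client certificate, and the host should show nothing on port 443 to a plain scan once the firewall rule is in place.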
I've done similar. You firewall your home network to all IPs other than Cloudflare's. You can use a Cloudflare provided certificate for HTTPS - they will MITM and use a trusted cert for outward connections. You can update Cloudflare DNS records via their API - the typical dynamic DNS tools work fine. It works well.
I've always been unable to pull this off completely as I always want a way to SSH into my home network - but maybe there is a better way I can pull off this sort of 'break glass' functionality.
Guacamole (sorta) gives me that. If CloudFlare or nginx or Guacamole have problems then I'm hosed... but I work from home so remote access isn't a huge concern.
And I've got nothing terribly "household critical" at home, just the PiHole needs to be running to keep everyone happy. I do wish that PiHole had an HA solution. I've been tempted to set up a pfSense / pfBlockerNG HA pair but that's a lot of overhead just for DNS.
You could run 2 Pis, or a Pi and a container in another always-on machine, for example. Then just point your router's primary to the Pi and secondary to the other instance.
That's not a terrible solution. I've just been looking at possibly forwarding SSH over WebSocket - then I can put that behind CloudFlare. Latency would however suffer.
Aren't jitter and latency still major problems with this approach? Plus connection resets, though maybe long-lived flows are more reliable than I remember, and I suppose you could do multipath (if Tor doesn't handle that already, not sure).
Have you made it work? My Tor career ended in college after running an exit node - no visits from the FBI, just got auto-klined from every IRC server since I was on the list of proxies.
It's most likely client-side stuff. Probably some crappy banking client, or an authentication client for some government websites, or something like that.
I use one for the sites below. It is written in Java/Kotlin, but barely works anywhere except Windows.
Colo: Three Hyper-V hosts on R620s. Goofball Quanta and Foxconn hardware for FreeNAS bare metal. All 2xE5v2 w/ 160-256GB RAM.
Home: Two VMware hosts on Hyve Zeus (Supermicro, 2xE5 64GB), one on an HP Microserver Gen8 (E3-1240v2 16GB). PiHole bare metal on a recycled Datto Alto w/ SSD (some old AMD APU, boots faster than a Pi and like 4w). Cloud Key G2 Plus for UniFi / Protect.
VMware because it's what I'm used to. Hyper-V because it's not. Used to have some stuff on KVM but :shrug:
[0] https://support.cloudflare.com/hc/en-us/articles/204899617-A...
[1] https://www.cloudflare.com/ips/