2025-11-03 || Tags: n100 self-hosting
This post is more of an overview than anything else. I haven't covered all of the details, nor server hardening or similar. Running an internet accessible server is not without risks. People are constantly scanning the entire internet for all manner of vulnerabilities. So be careful!
Accessing the services you run at home greatly increases their usefulness. This isn't always the easiest thing though. Here, I will explain how I set this up for myself.
In a sentence: I use a VPS as a proxy to my services via Tailscale. If that makes sense to you, I would not read the rest of this.
I have a few services (like Nextcloud and Mealie) running on my home server. It would be very useful to be able to access them from beyond my home network and even from devices I don't own (i.e. couldn't install Tailscale on).
To do this, I have an internet-accessible VPS (see below) which receives the various HTTP requests, forwards them to my home network (connected via a Tailscale VPN), receives the services' responses, then forwards the responses back to the original requester. The VPS here is acting as a proxy. Additionally, by using Let's Encrypt via Caddy, I can also add HTTPS to all of this, meaning that all the communications to and from the server are secure. With Tailscale also providing secure communications between the VPS and my home server, everything is basically secure!
This is made easier through use of a domain. Each service I run at home that I want external access to has its own sub-domain (e.g. this blog at blog.arfy.party).
This is arguably the most important thing for this set up. The idea is that the VPS has a stable and accessible (i.e. not behind carrier grade NAT) IP address. These are relatively cheap these days. My default go-to was DigitalOcean. Now, I use IONOS because the price is really unbeatable at £1 per month.
I know... this isn't self-hosted... it's relying on an external service... it's relying on other people's code and services that you cannot audit...
Having said that, Tailscale is a great service. It runs everywhere, it's free (at least for the moment), and it "Just Works"(TM).
As mentioned, I'm already running a home server I want access to elsewhere around the world.
There are many places you can buy a domain. I use Porkbun as they provide good prices and an easy interface to add subdomains.
My domain cost me something like £20 for 5 years (I think it's so cheap because I use a weird TLD).
The VPS is running Ubuntu, but do pick whatever Linux distro you're comfortable with. You'll need to get the IP address of the VPS. To get this, you should run ip addr on the command line and look for the IP address(es) that look appropriate (i.e. not the local loopback starting with 127., or the Tailscale one starting with 100.). I use both IPv4 and IPv6 addresses - you don't need to though.
Go to your domain provider and update your domain settings to add a new A (and/or AAAA for your IPv6 address) record with the subdomain name you want (like "blog") and the IP address of your VPS.
There are other ways too, using CNAME records. To do this, set the A record and call it something like myvps.domain.com, then add the other domains you want as CNAME records pointing to myvps.domain.com.
You will need to install Tailscale on the VPS and the home server. With any luck, your home server will have a way to install this through its package manager and/or user interface. Installing on your VPS might be slightly more complex in that you need to use a CLI. Shouldn't be too bad though. The instructions are good.
With that set up and running on your home server, you'll need to get the Tailscale IP address of the server. I got this by running ip addr and looking for the IP address under the tailscale interface.
Caddy is an HTTP server. It does the same job as Nginx and Apache, but the configuration is easier and it manages all the HTTPS Let's Encrypt stuff without me having to do anything.
I very highly recommend you run Caddy.
Caddy has pretty good documentation, so you should take a look around there yourself first to familiarise yourself a bit.
In my /etc/caddy/Caddyfile, each subdomain has the reverse_proxy field appropriately set and it really does just work! Restart caddy using something like systemctl restart caddy and you'll get all your HTTPS certificates set up and you should be able to access your home services from anywhere in the world.
An example one is here:
subdomain.arfy.party {
    reverse_proxy 100.100.100.100:9925
    import logging "service_name"
}
You'll see I also have some logging set up too. Here's that snippet too if you're interested (I put it at the top of my Caddyfile):
(logging) {
    log {
        output file /var/log/caddy/access_{args[0]}.log
    }
}
If you're wanting to add a bit more security on your services, caddy allows for HTTP Basic Auth as well. Take a look at the documentation to get that set up.
I don't know how actually secure this sort of authorisation is, but it's probably better than none. I'm relatively sure that the password does get sent from your browser to the server in plaintext. This shouldn't be viewable by anyone other than the server though because the communications are all done over HTTPS and therefore are encrypted.
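The access logs configured above are where password guessing against Basic Auth shows up, as runs of 401 responses from one address. The following is an added example, not part of the original post: it assumes Caddy's default JSON log encoding with `request.remote_ip` and `status` fields, and the sample lines and threshold are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Caddy's default JSON access log
# (fields trimmed; IPs are documentation-range addresses).
SAMPLE_LOG = """\
{"ts": 1762170001.0, "request": {"remote_ip": "198.51.100.20", "uri": "/"}, "status": 401}
{"ts": 1762170002.0, "request": {"remote_ip": "198.51.100.20", "uri": "/"}, "status": 200}
{"ts": 1762170010.0, "request": {"remote_ip": "203.0.113.7", "uri": "/"}, "status": 401}
{"ts": 1762170011.0, "request": {"remote_ip": "203.0.113.7", "uri": "/"}, "status": 401}
{"ts": 1762170012.0, "request": {"remote_ip": "203.0.113.7", "uri": "/"}, "status": 401}
{"ts": 1762170013.0, "request": {"remote_ip": "203.0.113.7", "uri": "/"}, "status": 401}
{"ts": 1762170014.0, "request": {"remote_ip": "203.0.113.7", "uri": "/"}, "status": 200}
{"ts": 1762170020.0, "request": {"remote_ip": "192.0.2.55", "uri": "/"}, "status": 401}
{"ts": 1762170021.0, "request": {"remote_ip": "192.0.2.55", "uri": "/"}, "status": 401}
{"ts": 1762170022.0, "request": {"remote_ip": "192.0.2.55", "uri": "/"}, "status": 401}
{"ts": 1762170023.0, "request": {"remote_ip": "192.0.2
"""

def auth_failures(lines, threshold=3):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for
    every IP with at least `threshold` 401 responses."""
    failures = defaultdict(int)
    later_success = set()
    for line in lines:
        try:
            entry = json.loads(line)
            ip = entry["request"]["remote_ip"]
            status = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or non-access line
        if status == 401:
            failures[ip] += 1
        elif status < 400 and failures.get(ip, 0) >= threshold:
            # A success after many failures may be a guessed password.
            later_success.add(ip)
    return {ip: {"failures": n, "success_after_failures": ip in later_success}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    # A browser's first request always gets one 401 before it prompts,
    # so a threshold above 1 keeps normal logins out of the report.
    for ip, info in auth_failures(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

To run it on real data, pass the lines of one of the access_*.log files instead of the sample.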
For security, Tailscale expires your keys every 180 days. This is obviously good and useful... but it can be very annoying if you forget this can happen.
Just remember this when you start getting non-responses while trying to access your applications, and don't go down too many weird rabbit holes when trying to debug.
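One way to catch the expiry before it causes an outage, as an added example that is not part of the original post: it reads a saved copy of `tailscale status --json` and lists nodes whose key has expired or is about to. The field names (`Self`, `Peer`, `HostName`, `KeyExpiry`) are assumed from that command's output, timestamps are assumed to be UTC, and the sample data is constructed.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample shaped like `tailscale status --json` (trimmed).
# Assumption: a node with key expiry disabled has no KeyExpiry field.
SAMPLE_STATUS = json.loads("""
{
  "Self": {"HostName": "vps", "KeyExpiry": "2025-11-10T09:00:00Z"},
  "Peer": {
    "nodekey:aaaa": {"HostName": "homeserver", "KeyExpiry": "2025-10-30T12:00:00Z"},
    "nodekey:bbbb": {"HostName": "laptop", "KeyExpiry": "2026-03-01T00:00:00Z"},
    "nodekey:cccc": {"HostName": "nas"}
  }
}
""")

def expiring_nodes(status, now, warn_days=14):
    """Return [(hostname, days_left)] for nodes whose key has expired
    (negative days) or expires within `warn_days`, soonest first."""
    nodes = [status.get("Self") or {}]
    nodes += list((status.get("Peer") or {}).values())
    flagged = []
    for node in nodes:
        expiry = node.get("KeyExpiry")
        if not expiry:
            continue  # key expiry disabled for this node
        # Keep only YYYY-MM-DDTHH:MM:SS; fractional seconds are dropped
        # and the timestamp is treated as UTC (assumption).
        when = datetime.strptime(expiry[:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (when.replace(tzinfo=timezone.utc) - now).days
        if days_left <= warn_days:
            flagged.append((node.get("HostName", "?"), days_left))
    return sorted(flagged, key=lambda item: item[1])

if __name__ == "__main__":
    # Usage: tailscale status --json > status.json; python3 this.py status.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            status = json.load(fh)
    else:
        status = SAMPLE_STATUS
    for host, days in expiring_nodes(status, datetime.now(timezone.utc)):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{host}: key {state}")
```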
You don't really need the VPS to be completely honest.
One simple way to access your home services is to just use tailscale as the VPN service it provides. With tailscale installed and running on your device, you should just be able to access your home server (which should also be running tailscale) using the tailscale ip address of the
If your home IP address doesn't change very much and you know your ISP doesn't do extra funny things on their networking/NAT side (I think carrier-grade NAT can get in the way of this, maybe?), then you can just point your domain directly at your home IP address.
You'll need to set up your home router to allow connections in and forward them to your home server's IP address.
I'm not overly familiar with how to set these up, but you can set up remote desktop software so you can control a device that's running in your home network.