Locally hosting an internet-connected server
Dynamic DNS, Port Forwarding, and “Just Use a Bastion” vs Author’s Goal
- Several commenters say dynamic DNS + single public IP + port forwarding + reverse proxy is usually enough, especially for HTTP(S), with SSH on one or two ports and a gateway host (bastion) for internal access.
- Pushback from others: this still requires non‑standard ports, SSH jump hosts, or client‑side config across many devices, which the author explicitly wants to avoid.
- The VPS+WireGuard+policy‑routing approach is defended as letting each home machine appear as if it has its own public IP and standard ports, with “boring” hosting semantics.
Limits of Single IP, CGNAT, and Static IP Pricing
- Dynamic DNS fails behind CGNAT; some pay extra for a static IPv4 to escape CGNAT and get better stability.
- CGNAT is described as “hell” for hosting and sometimes painful even for ordinary users (CAPTCHAs, bans on shared IPs, gaming NAT problems).
- Others claim CGNAT is irrelevant for most people who don’t host, leading to debate referencing online gaming and anti‑scraping measures.
- ISPs often charge large premiums for static IPs or multiple IPv4s; using a cheap VPS with extra IPs is seen as a cost‑effective workaround.
IPv6: In Theory a Fix, In Practice a Mess
- Many note that IPv6 would make this trivial (global addresses, no NAT), and in some regions home users do get stable /56 or /48 prefixes.
- Others report broken or unstable IPv6 from ISPs (changing prefixes, flaky routing, bad DNS), or no IPv6 at all; some use Hurricane Electric tunnels as a workaround.
- Longer subthread debates “IPv8” or an expanded IPv4‑compatible scheme; consensus in the thread is that this is unrealistic and would face the same deployment barriers as IPv6.
- View that lack of IPv6 is mostly business/organizational inertia, not technical impossibility.
Alternative Tunneling / Overlay Approaches
- Suggestions: Tailscale/Headscale, Nebula, Yggdrasil, Cloudflare Tunnel, Pangolin/Newt, GRE+OSPF, ssh -L/-J, commercial “expose behind NAT” services.
- Tradeoffs discussed:
  - Ease of setup vs needing to manage WireGuard, iptables/nftables, and routing yourself.
  - Centralization and TLS termination at Cloudflare vs privacy and control on your own VPS.
  - Using reverse proxies (nginx, Traefik, HAProxy) on the VPS vs raw DNAT.
Security, Logging, and Exposure Concerns
- Some argue for a strong warning that exposing home servers requires baseline hardening; others downplay the practical risk if systems are updated and standard software used.
- Concern raised that SSH port‑forward‑based relays make all traffic appear to come from the VPS IP, complicating logging and spam prevention; DNAT on the VPS forwards packets without rewriting the source IP, preserving visibility of the real client address.
- One commenter worries about placing private keys on the VPS; others recommend minimizing secrets and using socket‑level proxying.
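The VPS+WireGuard+policy‑routing relay from the first section and the DNAT‑preserves‑source‑IP point above, as an added example that is not code from the thread: a POSIX shell script that emits the nftables ruleset for the VPS and the ip rule/route commands for the home host. The public IP 203.0.113.10, the interface names eth0/wg0, the tunnel addresses 10.66.0.1/10.66.0.2 and routing table 100 are all assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the two halves of the
# VPS + WireGuard + policy-routing relay. Assumed (constructed) values:
# VPS public IP 203.0.113.10 on eth0, tunnel wg0 with VPS 10.66.0.1 and
# home host 10.66.0.2, policy routing table 100. Review the output, then
# feed it to `nft -f -` on the VPS and run it as root on the home host.
vps_nft_rules() {
  # $1 = public IP owned by the VPS, $2 = home host's wg0 address, rest = TCP ports
  pub=$1; home=$2; shift 2
  ports=$(printf '%s, ' "$@"); ports=${ports%, }
  cat <<EOF
table ip relay {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # 1:1 DNAT: only the destination is rewritten, so the home host still
    # sees the real client source address (the logging point above)
    ip daddr $pub tcp dport { $ports } dnat to $home
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # connections the home host opens through the tunnel leave as the public IP
    ip saddr $home oifname "eth0" snat to $pub
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ip daddr $home tcp dport { $ports } ct state new accept
    iifname "wg0" ip saddr $home accept
  }
}
EOF
}

home_policy_routing() {
  # $1 = home host's wg0 address, $2 = routing table id
  cat <<EOF
# Replies carry source $1; send them back through wg0 instead of the home
# ISP default route, or conntrack on the VPS never sees them and un-DNAT fails.
# The home peer entry for the VPS needs AllowedIPs = 0.0.0.0/0 (client sources
# arrive via wg0); with wg-quick set Table = off so that keeps the main default route.
ip rule add from $1 table $2
ip route add default dev wg0 table $2
EOF
}

# Stand-alone run: print both halves. The VPS also needs net.ipv4.ip_forward=1.
vps_nft_rules 203.0.113.10 10.66.0.2 80 443
home_policy_routing 10.66.0.2 100
```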
VPS Relay vs Just Hosting on VPS
- Question posed: why not host services directly on the VPS?
- Responses: local workloads may need huge storage or specific hardware; VPS acts as a thin front door while most data and processing stay on home machines, reducing VPS cost.