Host Everything From Home Behind CGNAT...Today

Hey all,

I just randomly ran across your Github, linked from a Reddit post. I read the first paragraph or two, i.e. you’re looking for tunneling solutions targeted toward self-hosters behind NAT, and was like “Oh? I got you!”. I’ve been working on this exact problem full-time for the past 2 1/2 years. Here’s my Github: GitHub - homeserverhq/hshq: HomeServer Infrastructure and Integrated Installer.

As opposed to a single service as an alternative to Cloudflare, my solution is everyone has their own relay. You’ll have to rent a cheap VPS from whatever provider as the RelayServer ($5-$10 per month), but it functions as the entire front-end router to your infrastructure. Plus, if it’s a service just for you or your family members to access, then don’t expose it to the public internet, just keep it on your private internet. The RelayServer provides numerous functions:

  • Authenticated ingress point to private network for client devices (desktop/laptop/cellphone/tablet)
  • Authenticated ingress point to host other HomeServers, i.e. a “private internet”
  • Email relay with spam filter and store-and-forward (holds mail and resends if HomeServer is unreachable)
  • Expose web services to the public internet via RelayServer and reverse-proxy https traffic through tunnel to HomeServer(s)
  • Masquerade IP address, i.e. allows client devices to route internet-bound traffic using RelayServer’s IP
  • Port forwarding with DNAT, i.e. to pass packets to certain ports directly to a backend host
  • Separate data from access point

The installation takes about 15-20 minutes for the base system, and another 45 minutes waiting around for everything else to install. I set this up to be easy for anyone to do, especially non-IT folks. I made some videos that explain it as well. The best place to start is here: Getting Started | HomeServerHQ Wiki. Basically, in a matter of an hour or two, you can have a full-scale production-grade infrastructure up and running with all of your favorite FOSS projects, and easily connect all of your devices. The code is 100% open-source, entirely bash script.

I am trying to build a support platform from this, because I know there are a lot of non-IT people that would want something like this, and answering questions and providing support takes time, and time is money. So my support forum is the only thing that I’m charging money for. It’s pretty cheap at $40 per year. It’s a Discourse forum just like this.

But my main goal right now is to get the word out, so any help on this would be appreciated. I’ve never had a Facebook/Twitter/X/Reddit account, or any other social media account, so I have zero reach ATM. I’ve been in heavy development mode for the past few years, but the infrastructure has really stabilized, and thus ready for distribution. If you do want to support me, that’s great, I appreciate it. I’ve blown through my savings putting this project together.

However, I didn’t join this forum just to hijack it. I’ll answer questions and engage here as well. Whoever is hosting this forum, thank you! I will contribute! I see boringproxy is sort of the main conversation here, so I’ll try to help as much as I can.

Cheers,

Dr. Doug

Hey Doug, thanks for sharing! hshq looks like an impressive amount of work. Quite ambitious.

My main feedback would be that there are a lot of projects in this space. It would be nice to have a comparison front and center that explains why someone would want to use hshq instead of one of the others.

I’d recommend starting with some from this list:

I think Umbrel might be the closest that I’m aware of.

1 Like

Hi Anders,

Thank you for your response and feedback. At one point a few months back, we did have a comparison chart like this on our Github, and maybe it’s worth considering bringing it back. We had Umbrel, CasaOS, Cloudron, YunoHost, HomeLabOS, Ansible-NAS. But aside from a few small exceptions, if you combined all of the capabilities and features of all of those projects together, it would be just a small subset of ours. I don’t want to come across like a pompous jerk, but this project is just a quantum leap from those ideas. I like those projects and hold anyone that publishes open source in high regard, so it’s a matter of figuring out a way to do it respectfully.

To use a car analogy, they are handing you a box of parts, and you might be able to cobble together a go-cart with it. What we’ve created, structurally, is a polished Cadillac, ready to drive off the lot. One-click installs are nice, but just installing a vanilla instance of something without configuring or integrating it is…pedestrian - anyone can do that. We went the distance investigating all of the options/settings and every possible integration that we could find. Anything from SMTP, LDAP, monitoring, https, browsing databases, etc. If an option was available, we leveraged it. If an integration was available, we exploited it. Instead of just a box of parts, it is a fully coordinated system. This doesn’t even cover the networking aspect, which is entirely novel. No other project on the planet has anything like it. Basically, we took all of the desirable aspects of Cloudflare and WireGuard tunnels and incorporated them into a singular cohesive concept. This is the main role of the RelayServer. But you can do even more, by adding in a store-and-forward email relay, port forwarding with DNAT, and probably the coolest idea: overlapping private intranets. Your backend equipment in your home can be as big as you want, and you own it. The front-end RelayServer is lightweight and cheap, ~$5-10 per month for a handful of users depending on the provider. Or you can beef up the RelayServer a bit and service numerous HomeServers and lots of client devices.

I do like Umbrel though, they have a few good ideas. I like the prebuilt ISO (I already put something like that together this past weekend), mDNS for the home page (although we’d only use it to point to the initial install via web UI), they have a lot of crypto tools - which we haven’t incorporated yet, and their web UI is very clean. These are some things that we’ll probably have in the next few months, except for the web UI. I’m a back-end structural software engineer, never messed with drywall and painting very much, so I need to find some people for that. We do have a very functional web UI for management, but something sleek like they have would be cool.

Anyhow, I will look into putting the comparison chart back into the Github. But this project should be a no-brainer for any aspiring self-hoster (or even current ones), especially if they want to get away from Cloudflare, Tailscale, Twingate, and/or any other third-parties. You could make the argument that you’re trading one for another with a VPS provider, but that isn’t a fair comparison. That’s why we run TLS inside of the tunnel, using a self-hosted certificate issuing authority. We took a lot of the fun out of putting everything together. Instead of spending weeks or likely months trying to set up a full-scale self-hosting environment, you’re completely done in an hour or two - everything just…works. I just need to figure out how to succinctly convey all of this.

I know you are working on boringproxy, and I haven’t tried testing it out yet, but rather just read through some of the documentation. I really like “The dream” (GitHub - anderspitman/awesome-tunneling: List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.). It really identifies what you’re trying to do. I know this post might feel like I’m stepping on toes because in some sense, it competes with it. But your project is focused on making a very useful tool in a specific area, whereas mine is an all-in-one integrated approach. So they are certainly different, and there’s plenty of room for cooperation. I say this: Cooperation is good. Competition is better. Cooperation + Competition is elite. I know this response is long, probably more than you wanted to read. I was about to go through and cut a bunch of it out, but oh well, I’ll just leave it. If you made it this far, then kudos to you.

Talk soon,

DD

1 Like

Thanks for the thoughtful reply. As I said, very ambitious! I think your main challenge is going to be wrangling complexity. Complex systems are simply more brittle. Especially when you want other people to be able to run it on their own hardware. But it’s definitely possible. I think Discourse is pretty complex/bloated, and they pretty much own the forum market.

There’s also the lock-in aspect. Even if something is open source, if it’s not simple enough for an individual or small team to fork it, then that’s lock-in.

I’m excited to see how things go for you. I don’t think we’ve had a solid comprehensive solution that just works. Sandstorm was probably the closest from the user perspective, but the dev burden was too high.