This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/performation on 2025-01-18 09:08:40+00:00.
Hello everyone,
After using my homelab for about half a year with a VPN, I decided to expose some services directly. I have read a good amount of stuff on the topic and want to double-check that I have not missed any major points.
I know there will be a lot of comments saying I should not do this at all if I have to ask, or that I should just use a VPN or Cloudflare tunnel, but I do not want to do that. I am just looking for some friendly advice on best practice.
So the plan is: opening and redirecting port 443 in my router to my VM. The VM is running on Proxmox in an isolated VLAN. It is a very minimal install which, apart from docker, git and nfs, is running only the bare minimum. The firewall is handled by Proxmox; it is set to allow only port 443, and SSH from internal IPs in my admin VLAN.
The VM has Docker running in rootless mode with a total of 4 services I want to expose + Traefik and Authentik. Traefik drops all traffic not pointing to the correct sub-domains. I have set the usual HTTP headers, rate limiting, geo blocking etc. Authentik accepts logins only via password and 2FA. I have also set up CrowdSec, fail2ban on both my router and the VM, and WatchYourLAN. SSH login is key only but shouldn't be possible from an external IP anyway.
Updates to Proxmox, the VM and the Docker containers will be done manually a few times a week for now. The last thing I am currently working on is Loki + Grafana for access logs so I can monitor things myself.
There are automatic backups of all data and configs onsite and offsite, so in case of disaster I am going to wipe the VM and restore a backup.
So what did I miss? TIA to anyone.
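One concrete check the access-log monitoring mentioned in the post should surface is "who is hitting the exposed port without asking for one of my sub-domains, and who is tripping the rate limiter". The script below is an added example, not code from the original poster or from the Traefik/Authentik projects: it triages Traefik JSON access-log lines offline, the same question you would later ask with a Loki query. It assumes Traefik's JSON access-log field names (ClientHost, RequestHost, RequestPath, DownstreamStatus, RouterName, StartUTC); the log lines and the ALLOWED_HOSTS set are constructed placeholders.

```python
"""Triage Traefik JSON access logs for an exposed reverse proxy.

Added example for the setup described in the post; not the poster's own
code and not part of Traefik or Authentik. Field names follow Traefik's
JSON access-log format; the sample records and ALLOWED_HOSTS are
constructed for illustration.
"""
import json
from collections import Counter

# Hypothetical: the only Host names Traefik actually has routers for.
ALLOWED_HOSTS = {"app1.example.com", "auth.example.com"}

# Constructed sample: one client probing by bare IP and a wrong host name
# (Traefik answers 404 with an empty RouterName), one legitimate client
# being redirected to Authentik, and one client hitting the rateLimit
# middleware (Traefik returns 429 for those).
SAMPLE_LOG = """
{"ClientHost":"203.0.113.10","RequestHost":"203.0.113.10","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":404,"RouterName":"","StartUTC":"2025-01-18T10:00:01Z"}
{"ClientHost":"203.0.113.10","RequestHost":"203.0.113.10","RequestMethod":"GET","RequestPath":"/.env","DownstreamStatus":404,"RouterName":"","StartUTC":"2025-01-18T10:00:02Z"}
{"ClientHost":"203.0.113.10","RequestHost":"example.com","RequestMethod":"GET","RequestPath":"/wp-login.php","DownstreamStatus":404,"RouterName":"","StartUTC":"2025-01-18T10:00:03Z"}
{"ClientHost":"198.51.100.7","RequestHost":"app1.example.com","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":302,"RouterName":"app1@docker","StartUTC":"2025-01-18T10:01:00Z"}
{"ClientHost":"198.51.100.7","RequestHost":"auth.example.com","RequestMethod":"GET","RequestPath":"/if/flow/default-authentication-flow/","DownstreamStatus":200,"RouterName":"authentik@docker","StartUTC":"2025-01-18T10:01:01Z"}
{"ClientHost":"192.0.2.55","RequestHost":"app1.example.com","RequestMethod":"GET","RequestPath":"/api/","DownstreamStatus":429,"RouterName":"app1@docker","StartUTC":"2025-01-18T10:02:00Z"}
{"ClientHost":"192.0.2.55","RequestHost":"app1.example.com","RequestMethod":"GET","RequestPath":"/api/","DownstreamStatus":429,"RouterName":"app1@docker","StartUTC":"2025-01-18T10:02:00Z"}
{"ClientHost":"192.0.2.55","RequestHost":"app1.example.com","RequestMethod":"GET","RequestPath":"/api/","DownstreamStatus":429,"RouterName":"app1@docker","StartUTC":"2025-01-18T10:02:01Z"}
"""


def parse_access_log(text):
    """Yield one dict per non-empty JSON line; lines that are not JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def host_of(record):
    """RequestHost lower-cased and without any :port suffix."""
    return record.get("RequestHost", "").split(":")[0].lower()


def triage(records, allowed_hosts=ALLOWED_HOSTS, threshold=3):
    """Count, per client IP, requests for unknown Host names and 429s.

    An IP reaching `threshold` in either counter is listed as a suspect;
    that is the list you would hand to CrowdSec/fail2ban or alert on.
    """
    unknown_hosts = Counter()
    rate_limited = Counter()
    for rec in records:
        ip = rec.get("ClientHost", "?")
        if host_of(rec) not in allowed_hosts:
            unknown_hosts[ip] += 1
        if int(rec.get("DownstreamStatus", 0)) == 429:
            rate_limited[ip] += 1
    suspects = sorted(
        {ip for counter in (unknown_hosts, rate_limited)
         for ip, n in counter.items() if n >= threshold}
    )
    return {
        "unknown_hosts": dict(unknown_hosts),
        "rate_limited": dict(rate_limited),
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = triage(parse_access_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(parse_access_log(open("access.log").read()))`; the two signals it keys on (requests whose Host header is not one of your routed sub-domains, and 429s from the rateLimit middleware) are exactly what the "drop traffic not pointing to the correct sub-domains" and rate-limiting rules in the post produce, so a rising count from one IP is the first thing worth a Grafana panel and an alert.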