thekrautboy

joined 2 years ago
[–] thekrautboy@alien.top 1 points 2 years ago (1 children)

I'd ideally like to do away with the VPN entirely, so I don't need to set up client apps to give new devices access, but adding the extra layer of CG-NAT on top of those services makes this all more confusing for me, since most of the information I've found online doesn't involve CG-NAT.

You could run the reverse proxy on your VPS, and keep your VPN as a tunnel between your VPS and your home network. Clients would connect without any extra software to the public reverse proxy, which then redirects them through the tunnel to your home network.

If you want to keep your VPS, that is the way I would do it.

If you want to get rid of your VPS and also don't use software on the clients to connect, then you would need to use something like Cloudflare tunnels, which would replace your own setup. Clients connect to Cloudflare, and they redirect through a tunnel to your home network.
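As an added example, not part of the original comment, the VPS side of that layout could look like the following Traefik dynamic (file-provider) configuration. Traefik as the reverse proxy, the hostnames under example.com, the home server's WireGuard tunnel address 10.8.0.2, and an Authelia instance reachable from the VPS as authelia:9091 are all assumptions made for the illustration; the `letsencrypt` certificate resolver is assumed to be defined in Traefik's static configuration. Every request passes the forwardAuth middleware before it is proxied through the tunnel, so nothing behind the tunnel is reachable without authenticating first:

```yaml
# Added example, not from the original comment. Assumed: Traefik v2/v3 on the VPS,
# the home server reachable through the WireGuard tunnel as 10.8.0.2, Authelia
# reachable from the VPS as authelia:9091, and the example.com hostnames.
# The "letsencrypt" resolver is assumed to be defined in Traefik's static config.
http:
  routers:
    emby:
      rule: "Host(`emby.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - authelia        # authenticate before anything is sent down the tunnel
      service: emby
      tls:
        certResolver: letsencrypt

    homeassistant:
      rule: "Host(`homeassistant.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - authelia
      service: homeassistant
      tls:
        certResolver: letsencrypt

  middlewares:
    authelia:
      forwardAuth:
        # Authelia answers 200 to let the request through, otherwise the
        # browser is sent to the portal named in "rd".
        address: "http://authelia:9091/api/verify?rd=https://auth.example.com/"
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

  services:
    # Targets are the home server's tunnel address, not a LAN or public address,
    # so the VPS only ever talks to the home network through WireGuard.
    emby:
      loadBalancer:
        servers:
          - url: "http://10.8.0.2:8096"

    homeassistant:
      loadBalancer:
        servers:
          - url: "http://10.8.0.2:8123"
```

Because the proxy targets are tunnel addresses, the home side only has to let the WireGuard peer reach those two service ports; the VPS never needs a route into the rest of the LAN. Keep Traefik's default handling of X-Forwarded-* headers (do not set `forwardedHeaders.insecure` on the entrypoint): the client address it passes on to the auth service is what any network-based rule there will be evaluated against.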

[–] thekrautboy@alien.top 1 points 2 years ago (3 children)
  • Head to "www.example.com" -> End up at self hosted authentication page asking for Username/Password.

You can do that easily with Authelia, for example. The question is though, how people end up at that prompt initially. If you want to fully selfhost, you either need some outside node, on a VPS for example, which redirects through a tunnel to your actual home network. Or you use a third-party service like Cloudflare.

  • Skip authentication if being accessed from within local network (Need to have WAF or I'll be in the doghouse...)

Again, Authelia can do that.

  • Upon authentication be sent to self-hosted landing page (similar to Heimdall) with links to my local services.

If you combine Authelia with a reverse proxy, you can redirect after auth to wherever you want, for example exactly Heimdall, or Homarr or whatever.

  • Clicking on said links would send you to different subdomains depending on service chosen (emby.example.com, blueiris.example.com, homeassistant.example.com, etc...)

Again, a reverse proxy, ideally combined with a local DNS like Pihole for example, would do that easily for you. And you could use Let's Encrypt certs for valid SSL to use https://emby.example.com instead of http://emby.example.com:8096 or http://192.168.50.120:8096. You do not need to purchase a public domain for that, but LE requires a public domain, which could be a free subdomain, for example from a provider like Duckdns.org or Dedyn.io. Many reverse proxies have support for the LE DNS-01 challenge with a lot of providers, so you don't even need to open any ports for that part.
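Added example, not from the original comment: an Authelia `configuration.yml` fragment (4.37-era schema) covering the points above, i.e. no login prompt on the LAN, two-factor for everyone else, and a redirect to the landing page after login. The LAN range 192.168.50.0/24 (derived from the address used in the comment), the portal at auth.example.com and Heimdall at home.example.com are assumptions. Authelia evaluates `networks` rules against the client address the reverse proxy reports in X-Forwarded-For, so the bypass is only as trustworthy as that header: the proxy must set it from the real connection and must not accept a client-supplied value.

```yaml
# Added example, not from the original comment. Assumed: Authelia 4.37-era
# configuration.yml, LAN range 192.168.50.0/24, the portal at auth.example.com
# and Heimdall at home.example.com as the landing page after login.
default_redirection_url: https://home.example.com/

access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny

  networks:
    - name: lan
      networks:
        - 192.168.50.0/24
      # Do not list the WireGuard/tunnel range here: requests forwarded by a
      # VPS-side proxy arrive over the tunnel but originate on the internet.

  rules:
    # Rules are evaluated in order; the first match wins.
    - domain: '*.example.com'
      policy: bypass
      networks:
        - lan               # no login prompt when coming from the LAN

    - domain:
        - emby.example.com
        - blueiris.example.com
        - homeassistant.example.com
        - home.example.com
      policy: two_factor    # everyone else logs in with a second factor
```

With `default_policy: deny`, a new subdomain that is added to the reverse proxy but forgotten here is refused rather than silently let through; the failure mode is a support request, not an exposed service.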

[–] thekrautboy@alien.top 1 points 2 years ago

Fyi this sub here is about selfhosting software services, not about any hardware purchase or upgrade advice.

Consider subs like /r/HomeServer /r/Homelab etc for that.

[–] thekrautboy@alien.top 1 points 2 years ago

Fyi this sub here is about selfhosting software services, not about any hardware purchase or upgrade advice.

Consider subs like /r/HomeServer /r/Homelab /r/BuildaPC etc for that.

[–] thekrautboy@alien.top 2 points 2 years ago

Fyi this sub here is about selfhosting software services, not about any hardware purchase or upgrade advice.

Consider subs like /r/HomeServer /r/Homelab /r/BuildaPC /r/Synology /r/QNAP etc for that.

[–] thekrautboy@alien.top 1 points 2 years ago (1 children)

Fyi this sub here is about selfhosting software services, not about any hardware purchase or upgrade advice.

Consider subs like /r/HomeServer /r/Homelab /r/BuildaPC for that.

[–] thekrautboy@alien.top 1 points 2 years ago

You won't like to hear this but: Don't do this. Do not try to circumvent protections that company IT has put in place. You will find yourself in a meeting with IT and HR much quicker than you think.

You have 3 options:

  • Stop doing what you're trying to do

  • Talk to IT and see if they would make exceptions for you

  • Keep attempting this and risk losing your job

You might want to bookmark a sub like /r/LegalAdvice for the future, good luck! /r/SysAdmin and /r/CyberSecurityAdvice can probably also tell you to stop doing this.

[–] thekrautboy@alien.top 1 points 2 years ago

Fyi this sub is about software.

[–] thekrautboy@alien.top 1 points 2 years ago

Why not simply ask /r/Nextcloud?

[–] thekrautboy@alien.top 1 points 2 years ago (1 children)

Have you tried to search this subreddit? Photo library tools get discussed so often, you can easily find existing threads.

[–] thekrautboy@alien.top 1 points 2 years ago (1 children)

Database version upgrades can be tricky. Always make a proper backup before! Ideally you would make a db dump plus a copy of the db container data.

Typically smaller version upgrades are not a problem, for example updating from 10.9.4 to 10.9.5 shouldn't be an issue.

But major upgrades, like going from 9.6 to 10.2 can cause more problems and you should always pay attention to the release notes of a new version and also make sure that the software that makes use of that db is also still compatible with that new db version. For example it could be that Nextcloud says to stay on 10.9 and 11.0 is not yet supported.

Since databases are usually not configured so that anyone can connect to them, let alone the open internet, it is not too bad when you lag behind a few versions. Ideally, when using Docker networking for example, you would have a closed network that only connects the db with the actual app that needs the db, and nothing else can connect to that db.
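Added example, not from the original comment: a Docker Compose file applying the isolation described above, with the database on an `internal` network shared only with the application. Nextcloud with MariaDB 10.9 (matching the version numbers used in the comment), the service and volume names, image tags and secret file paths are assumptions. The comments at the top give the two backups recommended above as commands; `<project>` stands in for the Compose project name that prefixes the volume.

```yaml
# Added example, not from the original comment. Assumed: Nextcloud with a
# MariaDB 10.9 database under Docker Compose; service, volume and secret names,
# image tags and file paths are illustrative.
#
# Before bumping the db image tag, take both backups recommended above
# (<project> is the Compose project name that prefixes the volume name):
#   docker compose exec db mariadb-dump --all-databases --single-transaction \
#     -uroot -p"$(cat secrets/db_root_password.txt)" > "db-$(date +%F).sql"
#   docker compose stop db
#   docker run --rm -v <project>_db_data:/from:ro -v "$PWD":/to alpine \
#     tar czf "/to/db_data-$(date +%F).tgz" -C /from .
# Then check the new db version against the app's documented requirements.

services:
  db:
    image: mariadb:10.9            # pin major.minor; never ride :latest across majors
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MARIADB_DATABASE: nextcloud
      MARIADB_USER: nextcloud
      MARIADB_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - dbnet                      # the only network the database is attached to
    # No "ports:" entry, so 3306 is never published to the host or the LAN.

  app:
    image: nextcloud:27
    restart: unless-stopped
    depends_on:
      - db
    environment:
      MYSQL_HOST: db
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - nc_data:/var/www/html
    networks:
      - dbnet                      # reaches the database
      - proxy                      # reached by the reverse proxy

networks:
  dbnet:
    internal: true                 # no outside connectivity; only members can talk to each other
  proxy:
    external: true                 # assumed to be created by the reverse proxy stack

volumes:
  db_data:
  nc_data:

secrets:
  db_root_password:
    file: ./secrets/db_root_password.txt
  db_password:
    file: ./secrets/db_password.txt
```

The app container sits on both networks, so it can still be reached by the proxy while the database is reachable from nowhere but `dbnet`. Restore is the mirror of the backup: start the pinned old image against a copy of the volume, or load the SQL dump into a fresh container, before attempting the upgrade again.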

[–] thekrautboy@alien.top 1 points 2 years ago (1 children)

TS is based on the technology of WG, but they are not really the same. With TS you can very easily connect multiple devices into one private network, regardless of where they actually are.

WG only connects one point to another. For example your phone from the outside to your home network WG container. If the phone can also reach other computers in your network, then that is up to you. But WG stops there, basically.

However TS is not fully selfhosted, just like I mentioned about Cloudflare. Because TS requires an outside node to be reachable (that is a control server provided by that company), and through that TS can start tunnels from your home network to that public server, similar to what a Cloudflare tunnel would do. The advantage is you don't need to open any ports for that; TS can connect as an outgoing connection. The downside is, you need the TS software running in order to connect to any of your hosted services, so it also differs there from a reverse proxy for web services.

But you can selfhost the TS control server with the open-source project Headscale. But it still needs to run on a public-facing node in order to make connections possible.
