= Setting up a cheap VPS to shield home connection? =


I'm currently exposing services directly from my residential connection (through a caddy reverse proxy) which means I've opened up ports 80 and 443. Obviously not a great idea. I do love the idea of accessing my services without having to connect through a VPN, and I'm willing to take some risk.

So I've concluded that I should get a cheapo VPS that basically only tunnels the requests to those 2 ports to my home via a wireguard connection.

Looking at the offerings on lowendbox most of them seem to be in the US, while I'm in Europe. The difference between the US and European VPS prices is about 15 to 20 euros. Not super much but if I can do cheaper I will. Do you think the latency will be very noticeable? It's probably worth the money to get a VPS closer to home right?


Ionos has the perfect VPS tier for that: 1 euro VPS S. Stays that price forever. 400 Mbit/s true unlimited traffic. No fair use BS. DC in Germany, US and some other locations IIRC. I've been with them for 4 years, I think, and only once had a problem, which disappeared by itself after a few hours. Ping was "high" at around 40 ms with 2 percent packet loss. I can recommend them. Else use Oracle's free tier. Valid option too.

I'm not sure it actually protects you from anything; it might even make things worse. There are most likely more bots scanning the IP ranges of VPS providers than there are scanning residential IPs. Not sure about that.

If you do straight port forwarding, the malicious activity towards your VPS will just be forwarded to your home server. The only difference is the target IP.

Host a reverse proxy on the VPS, which proxies the requests over Wireguard. I'd add Crowdsec on the VPS as well; it can detect some malicious activity from e.g. Nginx logs and block those IPs on the firewall. That will give some protection. It will also block a known list of bad IPs by default, which is updated regularly. Very easy to set up, though when I search for something on my Nextcloud, clicking "show more" seems to be detected as HTTP probing, and I get blocked if I do it too many times consecutively.


I also used Cloudflare proxy to mask my home IP until very recently, but after reading about it, I'm quite sure that the benefits are very few for small self-hosters like us. For the mentioned Nextcloud, I'm getting better performance with a direct connection without the CF proxy, at least it feels like it. From the privacy perspective this is also better, not that I really believe CF cares about the contents of my traffic.

For the VPS provider, look into Hetzner, they have DCs in Europe with very good performance and quite affordable prices, with plenty of outbound traffic included. A nice web UI too. The smallest option is quite enough for this purpose. I'd say paying a bit more for a provider that has DCs close to you is worth it.

PS: I'm not affiliated with Crowdsec or Hetzner, just a happy user.

Would it make sense to skip the Wireguard and configure your home firewall to only allow 80/443 from your VPS?

That way only requests coming through your proxy can get through your firewall, and you don't have a full tunnel into your home infrastructure if your VPS gets compromised. It obviously requires that you have a static public IP on your VPS, but with the Oracle free tier they give those away for free too.
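To make the "reverse proxy on the VPS, WireGuard to home, home firewall only open towards the VPS" layout from the two comments above concrete, here is an added example that is not from any commenter: a shell function that writes both WireGuard configs and a home nftables ruleset. All keys, the VPS public IP and the 10.9.0.0/24 tunnel range are constructed placeholders; the VPS-side proxy config (e.g. a Caddyfile pointing at 10.9.0.2) is not included.

```shell
# Writes the three config files for the "VPS reverse proxy -> WireGuard -> home" setup.
# All keys, addresses and the tunnel range are constructed placeholders; replace before use.
write_configs() {
  out="$1"; mkdir -p "$out"

  # VPS side. AllowedIPs is ONLY the home server's tunnel address (/32): a compromised
  # VPS can route packets to that one host, not to the rest of the home LAN.
  cat > "$out/vps-wg0.conf" <<'EOF'
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.9.0.2/32
EOF

  # Home side. No ListenPort: the home box dials out, so nothing has to be opened
  # on the residential connection. The keepalive holds the NAT mapping open.
  cat > "$out/home-wg0.conf" <<'EOF'
[Interface]
Address = 10.9.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
AllowedIPs = 10.9.0.1/32
PersistentKeepalive = 25
EOF

  # Home firewall (nftables). 80/443 are accepted only from the VPS tunnel address on
  # wg0; everything else inbound is dropped, so the router's WAN port forwards can go.
  cat > "$out/home-nftables.conf" <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    iifname "wg0" ip saddr 10.9.0.1 tcp dport { 80, 443 } accept
  }
}
EOF
  echo "wrote configs to $out"
}
```

If the proxy on the VPS terminates TLS, the VPS sees the plaintext; forwarding raw TCP 443 to 10.9.0.2 instead keeps TLS end-to-end at the cost of losing per-request filtering (such as Crowdsec on HTTP logs) on the VPS.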

The smallest shared CPU virtual machine at Linode is $5 USD monthly, billed hourly, and you can get a $100 credit these days (balance expires in 60 days after you start).

https://www.linode.com/pricing/

DigitalOcean has something similar. Vultr too, although their trial is for 14 days IIRC.

All have data centres in Europe. Use one of them?

Not so sure what additional security you would gain with that: if you want to filter certain visitors, you can run a firewall on your home server just as well as on a VPS, and since you're just tunnelling traffic through the VPS, anyone who sees a vulnerability in your server will get in regardless.

You might as well just run your server in a DMZ or separate VLAN at home.
