These are some quick n’ dirty instructions so people can get up and running fast.

I wish I had known this was possible sooner.

Instructions:

Check that your VPN supports port forwarding and you have it enabled.

Grab your VPN’s internal IP with ip a

Find the interface for your VPN. For me it’s called tun0.

Open up /etc/nginx/nginx.conf

You can back it up, or comment everything out, or pick what’s necessary. Here’s what my file looks like.

	worker_processes  1;
	include modules.d/*.conf;

	events {
		worker_connections  1024;
	}
	http {
		server {
			# Bind only to the VPN address so the site is not reachable on other interfaces.
			listen [VPN INTERNAL IP]:[VPN FORWARDED PORT];
			server_name  localhost;
			location / {
				root '[ABSOLUTE PATH TO YOUR WEBSITE ROOT FOLDER]';
				index index.html; # Relative to your website root.
			}
		}
	}

Make sure your permissions are correct. For me, the ‘other’ group needs read permissions to the root folder, including where it’s mounted.

Start nginx with systemctl start nginx

You can visit your website on your host machine in a browser at [VPN INTERNAL IP]:[VPN FORWARDED PORT]. For me, using the internal IP is required to view the website on my host machine.

To view the website on other machines, you can use [VPN EXTERNAL IP]:[VPN FORWARDED PORT]. The only thing you need to change is the IP address.
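As an added example that is not part of the original post, the POSIX shell helper below automates the lookup steps above: it extracts the VPN address from `ip` output, fills in the server block, and flags any listener bound to a wildcard address (which would expose the site on every interface, not just the VPN). The interface name tun0, the port 40123, the web root /srv/www and the `ip`/`ss` output it parses are all constructed sample values.

```shell
#!/bin/sh
# Added helper for the steps above; not from the original post.
# Assumes the VPN interface is called tun0; sample command output is constructed.

# Extract the first IPv4 address (without the /prefix) from
# the output of `ip -4 -o addr show dev tun0`.
iface_ipv4_from() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Print an nginx server block with the VPN address, port and web root filled in.
render_server_block() {
    ip="$1"; port="$2"; root="$3"
    printf 'server {\n    listen %s:%s;\n    server_name localhost;\n' "$ip" "$port"
    printf '    location / {\n        root %s;\n        index index.html;\n    }\n}\n' "'$root'"
}

# Given `ss -ltn` output, print the Local Address:Port of any listener bound to
# 0.0.0.0 or [::]; such sockets are reachable on every interface, which the
# interface-specific listen directive above avoids.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\[::\]:/) { print $4 }'
}

# Constructed sample output standing in for the live commands.
SAMPLE_IP_OUT='5: tun0    inet 10.8.0.5/24 brd 10.8.0.255 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_SS_OUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    10.8.0.5:40123      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

main() {
    vpn_ip=$(iface_ipv4_from "$SAMPLE_IP_OUT")   # live: ip -4 -o addr show dev tun0
    render_server_block "$vpn_ip" 40123 /srv/www
    echo "wildcard-bound listeners:"
    wildcard_listeners "$SAMPLE_SS_OUT"          # live: ss -ltn
}

main "$@"
```

Replace the two SAMPLE_ variables with the real command output to run the checks against a live host.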

I hope this works for you and you are inspired to self-host and take back power from those who stole it from us.

  • stratself@lemdro.id · 2 months ago (edited)

    Let’s Encrypt are rolling out IP-based certs; you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow.

    Edit: I believe encryption helps prevent tampering with the data between the server and user too. It should prevent, for example, someone MITMing the connection and injecting malicious content that tells the user to download malware.

    • Laser@feddit.org · 2 months ago (edited)

      Let’s Encrypt are rolling out IP-based certs; you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow.

      It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

      I believe encryption helps prevent tampering with the data between the server and user too. It should prevent, for example, someone MITMing the connection and injecting malicious content that tells the user to download malware.

      No, encryption only protects the confidentiality of data. You need message authentication codes or authenticated encryption to make sure the message hasn’t been tampered with in transit. Stream ciphers like ChaCha in particular (but also AES in counter mode) are susceptible to malleability attacks, which are super simple yet very dangerous.

      Edit: this post is a bit pedantic because any scheme that is relevant for LE certificates covers authenticity protection. But it’s not the encryption part of those schemes that is responsible.

      • SteveTech@programming.dev · 2 months ago

        It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

        They’re ‘short-lived’ 7-day certs, verified using an HTTP challenge. It doesn’t matter who owns the IP; it’s just a matter of who holds the IP.

        • Laser@feddit.org · 2 months ago

          Right, and for the challenge, you need to have access to a privileged port (which usually implies ownership), which you won’t get assigned.

      • Frezik@lemmy.blahaj.zone · 2 months ago

        Public key crypto, properly implemented, does prevent MITM attacks. TLS does do this, and that’s all that matters here.

        • Laser@feddit.org · 2 months ago

          Public key crypto, properly implemented, does prevent MITM attacks.

          It does, but modern public key crypto doesn’t encrypt any client data (RSA key exchange was the only one to my knowledge). It also only verifies the certificates, and the topic was about payload data (i.e. the site you want to view), which asymmetric crypto doesn’t deal with for performance reasons.

          My post was not about “does TLS prevent undetected data manipulation” (it does), but rather if it’s the encryption that is responsible for it (it’s not unless you put AES-GCM into that umbrella term).

          • Frezik@lemmy.blahaj.zone · 2 months ago

            Client data absolutely is encrypted in TLS. You might be thinking of a few fields sent in the clear, like SNI, but generally, it’s all encrypted.

            Asymmetric crypto is used to encrypt a symmetric key, which is used for encrypting everything else (for the performance reasons you mentioned). As long as that key was transferred securely and uses a good mode like CBC, an attacker ain’t messing with what’s in there.

            I think you’re confusing the limitations of each building block with how they’re actually implemented together in TLS. The whole suite together is what matters for this thread.

      • turmoil@feddit.org · 2 months ago

        As I use Docker for most of my deploys (as you should for websites exposed to the Internet anyway), I can wholeheartedly recommend Traefik for this. Basically it has the functionality of nginx, but supports easy Let’s Encrypt certificates.