My self-hosting experience is primarily with Plex and qBittorrent, but I’m trying to get a digital library set up that will be available remotely. I’ve been reading about some options, but I’m not sure about what is best to use or how to deploy it.
What is the best way to make Kavita available to remote users safely from a home server?
You’ll have to strike a balance between security and ease. Your two major options are reverse proxy and VPN (Tailscale is one option for VPN)
For reverse proxy, you functionally open the app to the internet. Anyone with the correct web address can access the login page. This is inherently less secure than VPN, but not irresponsibly so. Beyond the reverse proxy itself, you’ll also have to learn how to configure an HTTPS certificate to increase security since it will be open to the internet.
For VPN, every user you want to be able to access the service has to be tied into the VPN and have the VPN running throughout their access. Tailscale is arguably the easiest way to configure a VPN right now, as you won’t have to manually deal with VPN configuration files for every device. VPN use will functionally make it like you’re on your home network. VPN access to your network should not be given to tons of people if at all possible.
Tailscale also has the funnel option to open up a single service to the outside world without needing a reverse proxy and has its own ssl certificates
This is what I’m looking for! Would I basically pay for a remote server that bounces the signal through Tailscale securely?
Note that Tailscale does not give other users access to your entire home network but just specific machines and you need to explicitly share those machines.
This is exactly what I need. I’m only trying to open one service in one container to the outside world.
Hm, in that case Tailscale isn’t quite what you want. It’s not about opening up to the internet but rather your own virtual private network (hey, a VPN) with manually approved devices.
They do have a new Funnel feature which allows exposing specific parts to the Internet via their proxy though: https://tailscale.com/blog/introducing-tailscale-funnel
Why wouldn’t the funnel solution be exactly what I’m looking for? Feels almost too good to be true.
If I’m understanding this correctly, I just have to set up Tailscale funnel on my local server, and it will generate a publicly accessible IP through their proxy that can be accessed remotely in a similar fashion to how Plex premium routes signals through their proxy for easy remote access? If that’s correct, that’s basically my dream solution because it only exposes kavita and doesn’t require a secondary server to bounce the signal through.
There’s three reasons:
That said, if I had to share something with the public internet temporarily, I’d try not doing that first but could see myself using TS Tunnels.
I need to share permanently though. Would it be better to use tailscale to make a connection to a remote server and then use that server as a front end that bounces back to my home server?
Not really. As soon as you have a path from global internet into your home network, all bets are off and you’re now in charge of securing all of that against the entire world.
That said, if this is a regular old HTTP service, I believe Cloudflare Tunnels offer a way to put an authentication mechanism in front. This can work if, just like with Tailscale, you have a limited known set of users but the difference is that those users don’t to have to install and use a VPN client to access your service but rather authenticate using an “external” HTTP service through their browser. Again, I do not believe this works for services accessed through APIs and certainly not ones using custom protocols.
I can’t stress enough that getting those remote users to use Tailscale is probably the best and easiest solution.
These are good suggestions. I’ve heard very good things about zerotier, tailscale, and a couple of open source alternatives that let you run your own coordination server on a static IP.
Point of clarification, a good VPN product gives ACL options that can restrict the tunneled traffic to specific hosts. You doing have to give remote VPN users access to an entire network.
Between these two options, the consequences of doing it wrong might be a little higher when you open up public access like proxy. A little less risk doing VPN or overlay remote access like tailscale.