Bit of a newbie to networking and homelab stuff in general so bear with me, but I’m looking to be able to access my ESXi server from anywhere that isn’t my actual home, and I’m curious about going about that safely.
Right now I’ve got a Raspberry Pi set up as a WireGuard VPN that’s got a FreeDNS domain set up, and from there I just put in the IP of the server. Is this a good solution?
Also, I want to host a game server or two and a “cloud storage” solution for myself - what would be the best way to go about getting these accessible from the Internet? Port forward for the game server, VPN for the file server?
It is potentially safer. I would still only use secure and encrypted protocols such as SSH and SFTP to communicate with the servers, with keys instead of passwords, prohibit root login, and use strong local user/root passwords. Security is all about layers. Ideally, you’d also want access to the actual management interface limited to a VLAN not accessible even through the VPN, but I don’t know your use case. So for the “cloud” storage, expose only the https port on the VLAN accessible from the internet via your VPN if you don’t need to be able to access the SSH port on your server from the outside. If you do, it’s fine to expose that as well, but be aware that you are opening yourself up to additional risk.
For the game server, put it on its own VLAN, with no access to anything else on your network, forward ports from the internet, and add a rule to let just your gaming rig communicate with that port from its VLAN. Or just put it inside that same VLAN if it’s a dedicated gaming box.
WireGuard VPN is a good choice. I also like using ZeroTier or Tailscale.
Check out Tailscale!
Yeah a VPN would be a very safe and simple solution
You mainly have 3 solutions. The basic one would be opening ports 80 and 443 and using a reverse proxy; TCP services couldn’t work, depending on what reverse proxy app you use.
Then, tunneling; it’s like having a personal VPN. You need to find a service like Cloudflare that can do that. Cloudflare is nice but limited in the way you need to have a DNS with them, and the free tier tunnel is limited to http and https without using an app; for TCP you need to install an app on the client, and it’s still limited in some ways.
ZeroTier is another solution, different from a VPN, but very similar. On a VPN you need a host; with ZeroTier it’s like a virtual LAN, where all the components share the information of any client. But you still need a client app.
If you want a solution without an app on the client side, the best solution is a reverse proxy on your server, and maybe Cloudflare proxy to protect your IP, but only for the http and https services.
Right now I’m facing the problem of setting up a Minecraft server for me and some friends. I can’t use nginx proxy manager because it doesn’t support TCP; I probably need traefik but it’s still difficult and time consuming to set up. Then my IP would be exposed anyway because Cloudflare doesn’t give proxy support for free for TCP use; you would need a payment tier to get it. So for now, I’m just trying to open ports and set a DNS to my IP. Still have problems, because my ISP limits me on what ports I can open.
Ah, there’s still the fourth option: just open the ports you need for your services. But not a good solution for security.
Edit: in case you don’t know, most website services like nextcloud etc. work via http or https. Services like game servers don’t use those protocols; they just need open ports to work, and generally on the TCP side.
Go read about it. No end to end encryption. The law is outrageous and a travesty. Online safety law. Not sure about enforcement overseas though. I thought that was one reason to have the VPN…
It is, but not if you ask
I mean if you can’t tell yourself maybe you shouldn’t do it in any case.
If you are in the UK, VPNs might be under new government restrictions.
Edited for correction.
I don’t have a managed switch atm so idk any solutions to create a VLAN, but that was part of my plan.
The current setup that gets a connection to my server works like this: At the modem there’s a little Linksys GS108 running cables to ports for all the rooms in the apartment + the Pi. A main eero is connected on the other port on the modem.
The room where the server is in has another 4-port switch (I know, it’s ugly but there’s 1 port for the whole room) which then runs to the server + a personal PC and another eero.
Judging by what others are saying here, I feel like using Tailscale on the Pi would be really handy so the entire network isn’t accessible with the VPN + if I manage to find a managed switch that would be helpful so I can create a VLAN.
Will definitely be checking that out - seems like a pretty ideal solution with what I’ve got right now.
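A concrete version of the “expose only the https port via your VPN” advice given earlier in the thread, and of the OP’s wish that joining the VPN not expose the entire home network. This is an added example, not code from anyone in this thread, and it assumes constructed addresses: home LAN 192.168.1.0/24, ESXi host 192.168.1.20, WireGuard tunnel 10.8.0.0/24 with the Pi at 10.8.0.1 and a laptop peer at 10.8.0.2, the Pi’s LAN interface named eth0, and nftables available on the Pi. Key material and the endpoint hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed addresses: home LAN
# 192.168.1.0/24, ESXi host 192.168.1.20, WireGuard tunnel 10.8.0.0/24
# (Pi 10.8.0.1, laptop 10.8.0.2), Pi LAN interface eth0. Keys are placeholders.

ESXI_HOST="192.168.1.20"
WG_NET="10.8.0.0/24"
LAN_IF="eth0"

# Laptop config that routes the whole LAN into the tunnel: once on the VPN,
# the laptop can reach every host at home, not just the ESXi box.
wg_client_conf_broad() {
  cat <<EOF
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32

[Peer]
PublicKey = PI_PUBLIC_KEY_PLACEHOLDER
Endpoint = home.example.invalid:51820
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
EOF
}

# Same laptop config with AllowedIPs narrowed to the ESXi host only.
wg_client_conf_narrow() {
  cat <<EOF
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32

[Peer]
PublicKey = PI_PUBLIC_KEY_PLACEHOLDER
Endpoint = home.example.invalid:51820
AllowedIPs = ${ESXI_HOST}/32
PersistentKeepalive = 25
EOF
}

# Lint: succeed only if every AllowedIPs entry in the config on stdin is a
# single host (/32). A quick check before handing a config to a peer.
allowedips_are_host_routes() {
  awk -F'=' '
    /^[[:space:]]*AllowedIPs/ {
      n = split($2, ips, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", ips[i])
        if (ips[i] !~ /\/32$/) bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# nftables ruleset for the Pi. The client-side AllowedIPs is only a routing
# hint that the peer controls, so the real enforcement lives here: forwarded
# traffic arriving from wg0 may only reach the ESXi host on 443; everything
# else coming out of the tunnel is counted and dropped. Load with: nft -f FILE
pi_nft_ruleset() {
  cat <<EOF
table inet vpn_guard {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "wg0" ip daddr ${ESXI_HOST} tcp dport 443 accept
    iifname "wg0" counter drop
  }
}
table ip vpn_nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "${LAN_IF}" ip saddr ${WG_NET} masquerade
  }
}
EOF
}

# Stand-alone run: report which config passes the lint, then print the ruleset.
if wg_client_conf_broad | allowedips_are_host_routes; then
  echo "broad config: only host routes"
else
  echo "broad config: routes more than a single host into the tunnel"
fi
if wg_client_conf_narrow | allowedips_are_host_routes; then
  echo "narrow config: only host routes"
fi
pi_nft_ruleset
```

The ruleset belongs on the Pi because the Pi is the WireGuard host and therefore the only point where the tunnel’s traffic can be filtered before it reaches the LAN; the masquerade rule saves you from adding a return route for 10.8.0.0/24 on the home router. On the Pi’s own wg0.conf, keep each [Peer] entry’s AllowedIPs to that peer’s single tunnel address (10.8.0.2/32 here) so one peer cannot claim another’s traffic. Adding SSH later is a single extra accept line for tcp dport 22, which is exactly the additional exposure the earlier reply warns about.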
Are you suggesting WireGuard is not end to end encrypted?
Note the “I’m new to this” clause in my original post.
Good learning, in my experience, involves asking questions along the way and checking your work. Here’s me checking my work with likeminded people.
I am in the US, so that shouldn’t be a problem. Also- what? The UK banned VPNs?!
Correction, not banned but here is some clarification:
Effectively, the Commission’s plan is to oblige all providers of email, chat, and messaging services to search for suspicious messages and share anything dubious with the police - basically, monitoring and scanning everyone’s communications, even if users are using encryption technology - a VPN for example.
So if you are caught doing anything naughty, your VPN provider is now compelled to share it with the UK authorities, and any rabbit holes uncovered.
So VPNs are not as secure now and could be deemed illegal via this new law in the eyes of the law. So what is the point of having one?
I’m not a solicitor. I interpreted that way.
This is just my opinion so take it for what it’s worth, but I wouldn’t use Tailscale. It costs you money every month, and makes you dependent on an external service provider. If you set up WireGuard yourself, and learn how it works, you get better security for free, since you don’t have to worry about Tailscale leaking your keys. It’s really not that much extra work. Once it’s set up on the devices you want to be able to connect, you’ll basically never have to touch it again, except when you want to add a new device once in a blue moon.
You don’t NEED VLANs. I haven’t gotten around to setting them up myself, despite owning the necessary hardware. It’s just best practice that I know through my work. It’s definitely better though, and good to learn. I recommend that you grab a couple of cheap managed switches off of AliExpress and get to learning.
I’m not suggesting anything, maybe it’s monitored. Maybe the powers that be can breeze through 256 AES encryption and snoop on your packets indefinitely while you pay for your service, oblivious.
Just trying to get my head around this new law, which if I read it right, puts us end users in a difficult situation with regards to VPNs.
Let’s face it. It’s super easy for the UK ISPs to block or limit VPN traffic. They could say the internet is a privilege not a right.
I say it is a service like water or gas. Go read this new law. You can down vote me all you like, but I cannot change this situation. We need to bring awareness to this new law that has been quietly passed.
The industry might need to revise the tunneling protocol because of this new law. I just want to be on the right side of it.
OK! Then: it is but you need to know what you are doing. Because safety doesn’t come by default and you can set it up in an unsafe way.
Edit: it’s like saying that a car with an airbag is safe (but you also need to wear your seat belt, otherwise it’s not safe at all)
No, they haven’t been banned and aren’t illegal.
iOS and Android already have that built in. They store your push messages on their servers and the US government has access to it all.