These are some quick n’ dirty instructions so people can get up and running fast.

I wish I had known this was possible sooner.

Instructions:

Check that your VPN supports port forwarding and you have it enabled.

Grab your VPN’s internal IP with ip a

Find the interface for your VPN. For me it’s called tun0.

Open up /etc/nginx/nginx.conf

You can back it up, or comment everything out, or pick what’s necessary. Here’s what my file looks like.

	worker_processes  1;
	include modules.d/*.conf;

	events {
		worker_connections  1024;
	}
	http {
		server {
			# Bind to the VPN address only (not 0.0.0.0), so the site is reachable
			# through the forwarded port and not on your LAN or other interfaces.
			listen [VPN INTERNAL IP]:[VPN FORWARDED PORT];
			server_name  localhost;
			location / {
				root '[ABSOLUTE PATH TO YOUR WEBSITE ROOT FOLDER]';
				index index.html; # Relative to your website root.
			}
		}
	}

Make sure your permissions are correct. For me, the ‘other’ group needs read permissions to the root folder, including where it’s mounted.

Start nginx with systemctl start nginx

You can visit your website on your host machine in a browser at [VPN INTERNAL IP]:[VPN FORWARDED PORT]. For me, using the internal IP is required to view the website on my host machine.

To view the website on other machines, you can use [VPN EXTERNAL IP]:[VPN FORWARDED PORT]. The only thing you need to change is the IP address.

I hope this works for you and you are inspired to self-host and take back power from those who stole it from us.
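The steps above as one script, added here as an illustration and not part of the original post: it pulls the VPN address out of what `ip -o -4 addr show` prints, writes an nginx.conf that is bound only to that address, and checks the web-root permissions the post mentions. The interface name tun0, the forwarded port 41234 and the web root /srv/www are made-up values.

```python
"""Helpers for the nginx-behind-VPN setup above (added example, not the post's own code).

Assumed values, all made up: VPN interface tun0, provider-forwarded port 41234,
web root /srv/www.
"""
import os
import re
import stat
import subprocess
import textwrap


def vpn_ipv4(ip_addr_output: str) -> str:
    """Pull the first IPv4 address out of the text printed by `ip -o -4 addr show <iface>`."""
    m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", ip_addr_output)
    if not m:
        raise ValueError("no IPv4 address on that interface; is the VPN up?")
    return m.group(1)


def live_vpn_ipv4(iface: str = "tun0") -> str:
    """Same thing, but runs `ip` for real (Linux only)."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show", iface],
                         capture_output=True, text=True, check=True).stdout
    return vpn_ipv4(out)


def render_nginx_conf(bind_ip: str, port: int, web_root: str) -> str:
    """Minimal nginx.conf that listens ONLY on the VPN address.

    Binding to the VPN IP instead of 0.0.0.0 keeps the site off your LAN and any
    other interface; the extra directives stop directory listings and dotfile
    leaks (.git, .env, editor backups) and hide the nginx version string.
    """
    if not os.path.isabs(web_root):
        raise ValueError("web_root must be an absolute path")
    return textwrap.dedent(f"""\
        worker_processes  1;
        events {{ worker_connections 1024; }}
        http {{
            server_tokens off;
            server {{
                listen {bind_ip}:{port};
                server_name _;
                root "{web_root}";
                index index.html;
                autoindex off;
                location / {{ try_files $uri $uri/ =404; }}
                location ~ /\\. {{ deny all; }}
            }}
        }}
        """)


def permission_problems(web_root: str) -> list:
    """Check what the post calls "'other' needs read": nginx workers run unprivileged.

    Every directory from / down to the web root needs o+x (traverse), every
    directory inside it o+r, and every served file o+r. Returns offending paths.
    """
    problems = []
    p = os.path.abspath(web_root)
    while True:                                  # walk up to /
        if not os.stat(p).st_mode & stat.S_IXOTH:
            problems.append(f"{p}: missing o+x")
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    for dirpath, _dirs, files in os.walk(os.path.abspath(web_root)):
        if not os.stat(dirpath).st_mode & stat.S_IROTH:
            problems.append(f"{dirpath}: missing o+r")
        for name in files:
            fp = os.path.join(dirpath, name)
            if not os.stat(fp).st_mode & stat.S_IROTH:
                problems.append(f"{fp}: missing o+r")
    return problems


if __name__ == "__main__":
    ip = live_vpn_ipv4("tun0")
    print(render_nginx_conf(ip, 41234, "/srv/www"))
    for problem in permission_problems("/srv/www"):
        print("FIX:", problem)
```

After writing the file, `nginx -t` validates it and `ss -ltnp | grep nginx` confirms the socket is bound to the VPN IP only; if that shows 0.0.0.0 or your LAN address, the listen line is wrong and the site is exposed on more than the forwarded port.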

  • Limonene@lemmy.world · 2 months ago

    Not sure how much you’re paying for your VPN, but a virtual private server can be had for about $5 per month. You’ll get a real IPv4 address just for you, so you won’t have to use non-standard port numbers. (You can also use the VPS as a self-hosted VPN or proxy.)

    $5 per month doesn’t get you much processing power, but it gets you plenty of bandwidth. You could self-host your server on your home computer, and reverse-proxy through your NAT using the VPS.

    • BlueÆther@no.lastname.nz · 2 months ago

      You could even go the Oracle route on their free tier, probably has more compute than many $5/m VPS, although the learning curve is MUCH steeper than a simple VPS

  • Possibly linux@lemmy.zip · 2 months ago (edited)

    You should set up a proper domain and https for your website instead of having a random IP address and port. Don’t visit http pages in 2025. It is a major security risk.

    Edit: If you need help setting up https let me know. You will need a domain but they are fairly inexpensive. If it is a matter of technical knowledge let me know as I can help.

    • null_dot@lemmy.dbzer0.com · 2 months ago

      LOL. On the scale of risky things I’ve done today, visiting this guy’s http website barely rates a mention.

      Someone posts about something they’ve learned and the best you can do is dump on them about whatever thing in order to demonstrate to everyone your superior knowledge.

      Everyone starts somewhere.

      • Possibly linux@lemmy.zip · 2 months ago

        I’m down to help people get https set up. I’m not trying to dunk but rather I’m trying to make the internet a safer place by reducing attacks and mass surveillance.

      • Encrypt-Keeper@lemmy.world · 2 months ago

        Let’s be real, this guy has no knowledge. He’s just yet another security parrot who doesn’t even understand the why behind the things they’re regurgitating.

      • Possibly linux@lemmy.zip · 2 months ago (edited)

        How so?

        Data sent back isn’t validated so someone could tamper with the data. A bad actor could add some arbitrary Javascript, plus ISPs have been caught inserting marketing materials into pages.

        From a privacy perspective it is also bad as not only does it include your user agent in plain text it doesn’t have any encryption on page contents which allows your ISP to snoop on what you are doing.

        All of these reasons are why we moved to https. X.509 certs are free and trivial to set up with Caddy or any other reverse proxy/web server. If https was crazy hard to set up I’d be more understanding, but it is very easy to do in 2025.

        • null_dot@lemmy.dbzer0.com · 2 months ago

          Do you really think someone is going to set up a MITM attack for the dozen people who visit this blog?

          • Possibly linux@lemmy.zip · 2 months ago

            No, but governments and ISPs can and have historically done so for all http traffic.

            It doesn’t matter the page. They just care about http.

            • missfrizzle@discuss.tchncs.de · 2 months ago (edited)

              specifically this is how QUANTUMINSERT worked (from the Snowden leaks). also China used the same technique, injecting malicious JS through the GFW to get bystanders to DDoS github, in a much more obvious and indiscriminate way.

              nobody here is remotely likely to be targeted by NSA, of course, but you can actually do such attacks on a budget if you compromise any router in the chain. combined with a BGP hijack it’s not far out of reach for even a ransomware gang to pull something like that these days.

              • Possibly linux@lemmy.zip · 2 months ago

                To add to this, a whole lot of places have been compromised in the salt typhoon attacks. China has compromised infrastructure all over the place including ISP hardware.

      • jafra@slrpnk.net · 2 months ago

        Maybe there is, maybe it’s only a little. Maybe people browsing should be more aware of where they click. Either way, this method shouldn’t be used for any sensitive information, let alone a personal cloud. Would be suicidal I guess.

      • surewhynotlem@lemmy.world · 2 months ago

        I’ll bite.

        The risk is training people in bad behaviors, and then having those people do stupid things like type in a password.

        • Encrypt-Keeper@lemmy.world · 2 months ago

          There’s no password entry on this site, and what people do on other websites is not OPs responsibility.

          • surewhynotlem@lemmy.world · 2 months ago

            Oh yes. Pushing personal responsibility to the end user has always been a very effective security strategy.

            • Encrypt-Keeper@lemmy.world · 2 months ago (edited)

              Lmao as the operator of a website your personal responsibility ends with your website. It is not OPs responsibility to protect other websites he does not operate, nor is it to take on the end user’s responsibility, or education. Don’t be silly.

              • surewhynotlem@lemmy.world · 2 months ago

                Of course it does. You’re only ever responsible for yourself.

                And that mentality does not lead to good things.

                • Encrypt-Keeper@lemmy.world · 2 months ago (edited)

                  Of course it does, could you imagine the alternative? Imagine spontaneously taking responsibility for the safety of the entire internet. That would be just nuts.

                  I can heartily recommend taking responsibility for yourself, and not trying to foist it on others. Especially some dude with a rinky dink little personal blog.

    • humanoidchaos@lemmy.cif.su (OP) · 2 months ago

      Thanks.

      It’s my understanding that https provides encryption for the data sent between you and the server. If you’re not sending any sensitive data, then the encryption shouldn’t be necessary.

      Don’t get me wrong, encryption is great even when it isn’t necessary. For my demonstration purposes though, I chose not to include it.

      I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.

      • stratself@lemdro.id · 2 months ago (edited)

        Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow

        Edit: I believe encryption helps prevent tampering with the data between the server and user too. It should prevent, for example, someone MITMing the connection and injecting malicious content that tells the user to download malware.

          • turmoil@feddit.org · 2 months ago

            As I use docker for most of my deploys (as you should for websites exposed to the Internet anyway), I can wholeheartedly recommend traefik for this. Basically it has the functionality of nginx, but supports easy Let’s Encrypt certificates.

        • Laser@feddit.org · 2 months ago (edited)

          Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow

          It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

          I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware

          No, encryption only protects the confidentiality of data. You need message authentication codes or authenticated encryption to make sure the message hasn’t been tampered with in transit. Especially stream ciphers like ChaCha (but also AES in counter mode) are susceptible to malleability attacks, which are super simple yet very dangerous.

          Edit: this post is a bit pedantic because any scheme that is relevant for LE certificates covers authenticity protection. But it’s not the encryption part of those schemes that is responsible.

          • Frezik@lemmy.blahaj.zone · 2 months ago

            Public key crypto, properly implemented, does prevent MITM attacks. TLS does do this, and that’s all that matters here

            • Laser@feddit.org · 2 months ago

              Public key crypto, properly implemented, does prevent MITM attacks.

              It does, but modern public key crypto doesn’t encrypt any client data (RSA key exchange was the only one to my knowledge). It also only verifies the certificates, and the topic was about payload data (i.e. the site you want to view), which asymmetric crypto doesn’t deal with for performance reasons.

              My post was not about “does TLS prevent undetected data manipulation” (it does), but rather if it’s the encryption that is responsible for it (it’s not unless you put AES-GCM into that umbrella term).

              • Frezik@lemmy.blahaj.zone · 2 months ago

                Client data absolutely is encrypted in TLS. You might be thinking of a few fields sent in the clear, like SNI, but generally, it’s all encrypted.

                Asymmetric crypto is used to encrypt a symmetric key, which is used for encrypting everything else (for the performance reasons you mentioned). As long as that key was transferred securely and uses a good mode like CBC, an attacker ain’t messing with what’s in there.

                I think you’re confusing the limitations of each building block with how they’re actually implemented together in TLS. The whole suite together is what matters for this thread.

                • Laser@feddit.org · 2 months ago (edited)

                  Client data absolutely is encrypted in TLS. You might be thinking of a few fields sent in the clear, like SNI, but generally, it’s all encrypted.

                  I never said it isn’t, but it’s done using symmetric crypto, not public key (asymmetric) crypto.

                  Asymmetric crypto is used to encrypt a symmetric key, which is used for encrypting everything else (for the performance reasons you mentioned).

                  Not anymore, this was only true for RSA key exchange, which was deprecated in TLS 1.2 (“Clients MUST NOT offer and servers MUST NOT select RSA cipher suites”). All current suites use ephemeral Diffie-Hellman over elliptic curves for key agreement (also called key exchange, but I find the term somewhat misleading).

                  As long as that key was transferred securely and uses a good mode like CBC, an attacker ain’t messing with what’s in there.

                  First, CBC isn’t a good mode for multiple reasons, one being performance on the encrypting side, but the other one being the exact reason you’re talking about: it is in fact malleable and as such insecure without authentication (though you can use a CMAC, as long as you use a different key). See https://pdf-insecurity.org/encryption/cbc-malleability.html for one example where this exact property is exploited (“Any document format using CBC for encryption is potentially vulnerable to CBC gadgets if a known plaintext is a given, and no integrity protection is applied to the ciphertext.”)

                  As I wrote in my comment, I was a bit pedantic, because what was stated was that encryption protects the authenticity, and I explained that, while TLS protects all aspects of data security, its encryption doesn’t cover the authenticity.

                  Anyhow, the point is rather moot because I’m pretty sure they won’t get a certificate for the IP anyways.
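The malleability point argued in the exchange above, and the "someone could tamper with the data" point earlier in the thread, in runnable form. This is an added example, not code from any commenter. The block cipher is a toy 4-round Feistel network over SHA-256 standing in for AES so that only the Python standard library is needed; the CBC chaining, the bit-flip forgery and the encrypt-then-MAC fix are the real constructions. The HTTP-like plaintext, the keys and the IV are constructed for the demo.

```python
"""CBC malleability vs. authenticated encryption (added example, not a commenter's code).

The block cipher below is a toy stand-in for AES (a Feistel network with a
SHA-256 round function) chosen so the script runs with the standard library
only. CBC, the bit-flip attack and encrypt-then-MAC are implemented as in the
real thing.
"""
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF truncated to half a block."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L                      # final swap lets decryption reuse the loop


def block_decrypt(key: bytes, block: bytes) -> bytes:
    R, L = block[:HALF], block[HALF:]   # undo the final swap
    for r in reversed(range(ROUNDS)):
        R, L = L, _xor(R, _f(key, r, L))
    return L + R


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC without padding: input must be a whole number of blocks."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def forge_next_block(ciphertext: bytes, i: int, known: bytes, wanted: bytes) -> bytes:
    """The attack. P[i+1] = D(C[i+1]) XOR C[i], so XORing (known XOR wanted)
    into C[i] turns plaintext block i+1 into `wanted` with no key at all.
    Block i itself decrypts to garbage, which many formats tolerate."""
    assert len(known) == len(wanted) == BLOCK
    start = i * BLOCK
    patched = _xor(ciphertext[start:start + BLOCK], _xor(known, wanted))
    return ciphertext[:start] + patched + ciphertext[start + BLOCK:]


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext under a separate key."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify. The check
    runs before any decryption and in constant time."""
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cbc_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    pt = b"HTTP/1.1 200 OK\n" + b"X-Injected: no  "       # exactly two blocks
    forged = forge_next_block(cbc_encrypt(key, iv, pt), 0,
                              b"X-Injected: no  ", b"X-Injected: yes ")
    print(cbc_decrypt(key, iv, forged))     # block 0 garbled, block 1 now says "yes"
    sealed = seal(key, mac_key, iv, pt)
    tampered = sealed[:BLOCK] + forge_next_block(sealed[BLOCK:-32], 0,
                                                 b"X-Injected: no  ", b"X-Injected: yes ") + sealed[-32:]
    print(open_sealed(key, mac_key, tampered))   # None: the forgery is rejected
```

The first print shows the second block reading X-Injected: yes without the attacker ever touching the key, which is the whole point of the "encryption is not integrity" objection; the second is None because the HMAC check fails before decryption. TLS CBC cipher suites leaned on a MAC for exactly this reason (MAC-then-encrypt, which is where the Lucky 13 padding-timing attacks came from), and the AEAD modes TLS 1.3 mandates, AES-GCM and ChaCha20-Poly1305, fold the tag into the mode itself.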

          • SteveTech@programming.dev · 2 months ago

            It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

            They’re ‘shortlived’ 7 day certs, verified using a HTTP challenge. It doesn’t matter who owns the IP, it’s just a matter of who holds the IP.

            • Laser@feddit.org · 2 months ago

              Right, and for the challenge, you need to have access to a privileged port (which usually implies ownership), which you won’t get assigned.

              • stratself@lemdro.id · 2 months ago (edited)

                Ah right, completely forgot about that (80 for HTTP-01, 443 for TLS-ALPN-01). Is a bummer unfortunately

      • Possibly linux@lemmy.zip · 2 months ago

        That is a pretty bad take as all data is sensitive. Https also provides integrity to prevent man in the middle attacks.

        • theshatterstone54@feddit.uk · 2 months ago

          And that’s why even static sites like Hugo blogs or even simple pages like the one OP posted should have HTTPS. Source: Studied Distributed Systems at university.

      • WhyJiffie@sh.itjust.works · 2 months ago

        but it is sensitive data. the webserver can send executable code to the web browser. if it does not that doesn’t matter, what matters is that it can be inserted by a middleman. It’s not like there’s a dedicated person needed to do that, it can just happen automatically.

      • Possibly linux@lemmy.zip · 2 months ago

        You can pick up a cheap domain from gen.xyz. The cheapest domain is $0.99 which is pretty affordable, especially since you probably are already paying for an internet connection.

        Once you have the domain you can point it to your IP and then set port 443 on that address to point to Caddy. On Caddy you can either configure it as a server or use it as a reverse proxy to point to something else.

        Security wise I would put all of this on its own vlan with ACLs to control access. If that sounds confusing start with https.

      • drspod@lemmy.ml · 2 months ago

        Anyone with the ability to inject or modify packets in the network path between server and client can inject malicious javascript or browser exploits into an unencrypted HTTP TCP stream. The client’s User-Agent and other headers would allow the attacker to customize their attack to target that specific browser version, and compromise the client machine.

      • SMillerNL@lemmy.world · 2 months ago

        It’s my understanding that https provides encryption for the data sent between you and the server. If you’re not sending any sensitive data, then the encryption shouldn’t be necessary.

        As others have pointed out, everything can be sensitive. If I’m self-hosting a Nextcloud instance with chat that under British law should check for age… self-hosting is now sensitive.

        In addition to that, without a secure connection you’re stuck with HTTP/1.1 from 1999 instead of the modern 2 or 3 versions.

        I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.

        You can: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate

        • N0x0n@lemmy.ml · 2 months ago

          In addition to that, without a secure connection you’re stuck with HTTP/1.1

          That’s not entirely true. A lot of requests, even with https, are sent over HTTP/1.1. And it is kinda mind blowing that in 2025 we still rely on something so old and insecure…

          Same goes with SMS and the old SS7 protocol from 1970… 2FA SMS is probably the most insecure way to get access to your bank account or what ever service promotes 2FA sms login.

          • falynns@lemmy.world · 2 months ago

            I can’t believe SMS is still used for anything but sure OTP sent in text makes sure my account is secure Mr Bank.

          • SMillerNL@lemmy.world · 2 months ago

            Does that contradict what I said? Sure, HTTP 1 is still widely used, but without TLS you can’t use anything else.

            For SMS we don’t have a choice, but if you configure your own web server you do have a choice.

      • fmstrat@lemmy.nowsci.com · 2 months ago

        Not that I think you need it for this, but a DynDNS implementation would give you a hostname you can dynamically change to your VPN ip, thus solving the SSL host issue.

      • N0x0n@lemmy.ml · 2 months ago

        I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.

        Just create your own root CA and intermediate CA and sign your certificate with those, put the CA in the trust store of your system and get rid of this self-signed warning on every device, and happily access all your services via *.home.lab or whatever local domain pleases you.

          • N0x0n@lemmy.ml · 2 months ago

            Fair point! Yeah sure, if you host a blog online it doesn’t make sense… But if you only self-host your services for family and some friends and access them over VPN, a local CA is actually a privacy respecting choice.

            Hosting something on the web (especially self-hosted) without the proper software and hardware is a bad idea in the first place anyway!

    • rarsamx@lemmy.ca · 2 months ago

      All those “experts” lecturing you and they don’t even know about man in the middle attacks.

      They don’t know that there are active bots searching for HTTP addresses to inject risky code or redirect to malicious sites.

      You providing some feedback which may help OP is seen as criticism.

      • Possibly linux@lemmy.zip · 2 months ago (edited)

        They don’t know that there are active bots searching for HTTP addresses to inject risky code or redirect to malicious sites.

        I’m going to be honest I have no idea what you are talking about.

  • sylvieslayer@lemmy.world · 2 months ago

    I’m sorry if this is dumb, but do I need to run the vpn on a dedicated machine? If so can I use a raspberry pi?

    • humanoidchaos@lemmy.cif.su (OP) · 2 months ago

      It’s not dumb at all! Don’t be afraid to ask. I’m not an expert and still learning myself.

      The VPN is running on the same machine that I am hosting the website on. There may be some configuration you can do to perhaps have the connection routed through your raspberry pi with a VPN running on it to the machine that’s hosting the website, but I’m not sure how.

      Otherwise, you should be able to at the very least run the entire setup on a raspberry pi.

    • humanoidchaos@lemmy.cif.su (OP) · 2 months ago

      Sorry, it should be up again now.

      I’ve updated the post with the instructions. I don’t really plan on hosting this for a long period of time, at least not in this state.

      I hope some people have gotten some use out of it.

      • krnl386@lemmy.ca · 2 months ago

        No worries! Reminds me of my early days of self-hosting. Got myself banned from my ISP for 48 hours for self-hosting. 😬

        Thanks for sharing!

  • Diurnambule@jlai.lu · 2 months ago (edited)

    I am using WireGuard in Docker to connect from anywhere to my local network. https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#usage Set the variable INTERNAL_SUBNET to your local IP range. For me it was 192.168.178.0. And set a folder you can reach as its working folder. And you’re done setting up the WireGuard server.

    You need to allow your server to be reachable from the web on the WireGuard ports. I guess you know how to, since you did it for your website.

    To add clients (I have Android and Linux) you go fetch the config on your server. If you went for numbered peers it looks like peer4.conf, and you use these files to allow clients to connect.

    Edit: I misread, you didn’t ask for help. Nice site by the way.

  • stratself@lemdro.id · 2 months ago

    Thanks for the guide. How did you get the VPN forwarded port? I believe this depends on the VPN provider’s software?

    • humanoidchaos@lemmy.cif.su (OP) · 2 months ago

      No problem.

      For my VPN, it tells me the forwarded port in the software’s GUI. I’m not sure how to find it out through the command line.