• 0 Posts
  • 26 Comments
Joined 11 months ago
Cake day: October 11th, 2023

  • zfa@alien.top to Self-Hosted Main: How do you guys DNS? · 10 months ago

    AGH with upstream lookups over DoH, and adblock list from oisd.nl.

    Split-brain topology to give internal IP in preference to public IPs for my selfhosted services, and selective routing of a defined set of domains to a geo-unblocking service so I can access things like BBC iplayer etc. from my home network.




  • zfa@alien.top to Self-Hosted Main: Good email provider · 10 months ago

    It would be remiss of me to not point out that up until somewhat recently they had a gaping wide security hole (for presumably years) that allowed any customer to send email as any other and fully pass their spf and dkim checks (due to shared keys and having no way of ensuring their users could only send mail from domains under their own account).

    When this was disclosed they abused the reporter, kicked him off their service without giving him time to back up his mail, tried to discredit him, lied that their bad practices were commonplace throughout the industry (narrator: they weren’t) before finally going around removing all traces of the discussion. I was lucky(?) enough to see the reddit side of it as it unfolded and I’ve never seen such pseudo-tech bullshit being thrown around as well as nasty attacks on the reporter.

    So yeah, they’re cheap but they also seem pretty poor technically (or at least were) and seem like horrible people. YMMV of course.
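The control the comment above says was missing, as an added example that is not part of the original comment or any provider's code: a submission-time check that binds the authenticated account to domains it has verified, for both the envelope sender and the header `From`, and returns the per-domain DKIM signing domain. The account names, domains and function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains each account has proven it owns.
VERIFIED_DOMAINS = {
    "alice": {"alice-corp.example"},
    "bob": {"bob-shop.example"},
}

def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it is malformed."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""

def authorize_submission(account: str, mail_from: str, raw_message: str) -> str:
    """Return the DKIM signing domain (d=) if the account may send this mail.

    Raises PermissionError when the envelope sender or the header From uses a
    domain the authenticated account has not verified.
    """
    allowed = VERIFIED_DOMAINS.get(account, set())
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        # Zero or duplicate From headers make the visible sender ambiguous.
        raise PermissionError("exactly one From header required")
    checks = (("envelope", _domain(mail_from)),
              ("header", _domain(from_headers[0])))
    for label, dom in checks:
        if dom not in allowed:
            raise PermissionError(f"{label} domain {dom!r} not owned by {account!r}")
    # Sign with a key scoped to this domain, never one shared across tenants.
    return checks[1][1]

def is_allowed(account: str, mail_from: str, raw_message: str) -> bool:
    try:
        authorize_submission(account, mail_from, raw_message)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Constructed message: bob tries to send as alice's domain.
    spoof = "From: CEO <ceo@alice-corp.example>\nSubject: hi\n\nbody\n"
    print(is_allowed("bob", "bounce@bob-shop.example", spoof))  # False
```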



  • zfa@alien.top to Self-Hosted Main: Safely Self-Hosting a Minecraft server · 10 months ago

    Lol, you’re gonna have your work cut out if you’re going around downvoting and saying that on every single comment that ever mentions a VPS.

    Hosting your own MC server, no matter where, is a perfectly fine ‘self-hosted’ counterpoint to using a Microsoft Realms subscription. What ridiculous gatekeeping, lol.



  • I don’t self host anything where it would impact me unduly if it went down while I was on holiday to the point where I’d have to break state and go fix stuff.

    I don’t want to have to leave my beer or beach and head off to fix things like an email server, restore a password manager db etc. so anything like that which is critical to the point where an outage would prob have me do so means I pay someone else.





  • zfa@alien.top to Self-Hosted Main: Are there any concerns/risks to using Watchtower? · 10 months ago

    Normally fine but if you want to be more careful about what is being pushed to your server you can use something like diun to get notifications and run updates manually.

    Personally I love dockcheck, which I think is by a guy on the sub. I tend to just run that every now and again and be done with it unless I am notified of a pressing update, although I do still have a couple of things I don’t care too much about just auto update with watchtower.


  • You can either point the first proxy to the second proxy, or point it to the backends directly. Depends if you have firewalls in the way that stop the VPS proxy reaching your backends directly; or if that internal nginx instance is doing anything clever like handling auth, adding headers etc. etc.

    In your instance I’d more likely have the VPS locked down and unable to access my internal resources and just open up its access to my internal nginx instance. Therefore chaining proxies would be my approach but there’s no right or wrong.


  • I’d go for an ESP8266/ESP32 with a telegram bot and LED (based sign) hanging off it. Just send a msg on telegram to turn it on/off.

    That having been said loads of ways to trigger the sign status - it could poll a website to see what status it should display and you have a mechanism of updating that status yadda yadda yadda.

    Note that those little chips need wifi so you’d need to be able to connect it to wifi and have it get public internet access (or whatever you decide to control it). Loads of posts/youtube exist about driving WS2812 LEDs, or making your own DIY LED ‘neon’ signs. Cool little projects.




  • ‘Gaming routers’ is pretty much just a branding thing.

    Ultimately best performance will be a decent ‘prosumer’ router that can traffic shape (e.g. implement CAKE) in order to keep ping times down even when the link is under load and then good switching and wifi for the internal side of things (modern wifi standards, gigabit(+) ports).

    opnsense would be fine for the former (as would OpenWRT on a pi4, say), and then you need to plug in some decent access points like tp-link eapxxx range or unifi, ruijie etc. That combo should outperform one of those gaming routers that look like an upside down robot spider thing. Well, it won’t be worse and it’ll be more flexible at the very least.

    Also remember that your dad’s gaming device should be hardwired for best performance no matter what you end up going with.

    Really this is more a /r/homenetworking thing, they’ll have plenty of advice for you too, inc. hardware recs.


  • zfa@alien.top to Self-Hosted Main: Emulator for retro video games? · 11 months ago

    Not sure about Roku, that might be asking too much, but Retroarch is the daddy of emulation frontends and I’ve seen people run that on Android boxes with ROMs just read from a NAS via SMB. It’s available on most platforms you can think of.

    There’s also dedicated gaming OSes (which will run on many generic S905ish AndroidTV boxes as well as PCs etc) which serve as prettier wrappers to that and other emus, my personal preference being Batocera if you whole-heartedly want those client systems to become ‘retro gaming systems’.

    KODI + IAGL would also be a workable soln on all platforms which have KODI, that can run the games directly from archive.org so negates need for the SMB share.

    There’s also lots of retrogaming-adjunct subs where this will be answered better than by us nerds here too.


  • zfa@alien.top to Self-Hosted Main: 'Edge' Server remote access · 11 months ago

    I’d have the clients connect to the central server in a hub-and-spoke VPN topology using something like WireGuard say.

    Use the central host as either a jumphost or configure your personal devices to also connect to it via VPN and have it handle routing so you can connect directly to the clients once you’re connected to the central server.

    This is a somewhat standard topology so no need to reinvent the wheel.


  • Cloudflare Tunnel’s cloudflared links your home to two closest data centres and so should (?) be quicker, but response times would depend on where a user is accessing your service from.

    However, given residential ISP speeds and peering in most parts of the world you’d be unlikely to notice any real difference between the two and other than that ‘last leg’ access tech the processing within Cloudflare’s flow is the same whether you use cloudflared or direct proxying.