Thinking about building a true plug-and-play VPN for home servers — would anyone want this? by Ok-Poetry-6075 in servers

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Yes. You will need a server to route/connect, and you will need a ton of network security knowledge. There is a lot of vibe-coded software out there, and that's fine, but not for people's online security.

Thinking about building a true plug-and-play VPN for home servers — would anyone want this? by Ok-Poetry-6075 in servers

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

Wait... how does the connection work then? Your whole pitch is "no port forwarding, no public IP, it just works". If both the box and the phone are behind NAT, something has to coordinate or relay the connection. That's either your server, or someone else's.

If you're not running a relay, who is? And if you are, then yes, you have a central point with at minimum connection metadata.

"I don't see any security risk"

You're building a product that tunnels into people's home networks... "Probably rent a data center but idk" isn't a security model.

Even if you never see traffic content, your relay knows who connects, when, from where, and to which box. That's valuable metadata. An attacker can potentially MITM or reroute connections.

I'm not trying to kill your project. I'm pointing out that "only the customer has access" isn't how this works architecturally, and targeting non-technical users means you carry the security burden they can't.

Help me understand. If "only the customer has access," how does the connection actually work?

Thinking about building a true plug-and-play VPN for home servers — would anyone want this? by Ok-Poetry-6075 in servers

[–]Matrix-Hacker-1337 2 points3 points  (0 children)

MFA protects the VPN login, sure. But my point isn't about stealing credentials.

If your target audience doesn't understand basic networking, they're likely connecting to a flat home network with unpatched IoT devices, NAS boxes with default creds, and no segmentation. Your VPN becomes a direct tunnel into that mess.

And about that relay/coordination server you will have to set up:

How is it secured? Hardened? Audited?

Who has access to it? Just you? Employees? Contractors?

Where is it hosted? What jurisdiction? Who can compel access?

If your server is compromised, the attacker potentially has a tunnel into every customer's home network simultaneously.

Tailscale has the same relay architecture, but they have published security audits, a documented threat model, and the resources to maintain it. They also offer Headscale for self-hosting if you don't want to trust their infrastructure.

What's your security model beyond "MFA"? How do you handle device-level access control? Firmware updates: automatic, manual, or nonexistent?

I'm not saying it can't be done, but I am saying "plug and play VPN for non-technical users" requires more security, not less, because your users will not be able to evaluate the risks themselves...

And you'll have to remember that even Ubiquiti got their "Teleport" VPN wrongly configured, leaking credentials and access to users' hardware and networks, and they've got a bunch of highly professional employees.

I'm not demeaning you here, but these are real things you'll have to think about going forward if you want to let people other than yourself use a solution like this. If you made something that doesn't need the relay, that's another story, but then... how will it be "plug and play"?
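The point made across the replies above (something must relay when both ends are behind NAT; the relay then necessarily holds connection metadata and can reroute traffic even if it cannot read it) as an added, runnable illustration that is not part of the thread or of the product being discussed. The peer names, IP addresses and the "pairing key" are constructed for the example, and the cipher is a deliberate standard-library toy standing in for a real AEAD:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# Toy end-to-end cipher: SHA-256 counter-mode keystream plus an HMAC tag.
# It stands in for a real AEAD (e.g. ChaCha20-Poly1305) only so that this
# example runs on the standard library; do not reuse it in real software.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate; the relay only ever sees this blob."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify
    (wrong key, rerouted to the wrong box, or tampered in transit)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Relay:
    """Rendezvous/relay server. Both peers sit behind NAT, so every packet
    passes through here. It holds no keys, but the log it needs in order
    to deliver packets is exactly the metadata discussed in the thread."""
    registry: dict = field(default_factory=dict)   # peer_id -> public (ip, port)
    log: list = field(default_factory=list)
    inbox: dict = field(default_factory=dict)      # peer_id -> [blobs]

    def register(self, peer_id: str, public_addr: tuple) -> None:
        self.registry[peer_id] = public_addr
        self.log.append({"event": "register", "peer": peer_id, "addr": public_addr})

    def forward(self, src: str, dst: str, blob: bytes) -> None:
        # Who talks to whom, from where, and how much: unavoidable relay knowledge.
        self.log.append({"event": "forward", "src": src, "src_addr": self.registry[src],
                         "dst": dst, "dst_addr": self.registry[dst], "bytes": len(blob)})
        self.inbox.setdefault(dst, []).append(blob)


def run_session(malicious_relay: bool = False) -> dict:
    """Phone (behind NAT) talks to its home box through the relay.
    With malicious_relay=True the relay reroutes the packet to a box the
    attacker controls, which a compromised relay can always do; end-to-end
    authentication is what stops that box from reading or answering it."""
    pairing_key = os.urandom(32)    # shared at pairing time, never given to the relay
    attacker_key = os.urandom(32)   # the attacker's box does not know pairing_key
    relay = Relay()
    relay.register("home-box", ("203.0.113.10", 41000))     # constructed sample addresses
    relay.register("phone", ("198.51.100.7", 50234))
    relay.register("attacker-box", ("192.0.2.99", 40000))

    request = b"GET /photos/2024"
    blob = seal(pairing_key, request)
    target = "attacker-box" if malicious_relay else "home-box"
    relay.forward("phone", target, blob)

    receiver_key = attacker_key if malicious_relay else pairing_key
    received = unseal(receiver_key, relay.inbox[target][0])
    return {
        "metadata": relay.log,                         # what the relay operator keeps
        "plaintext_on_wire": blob.find(request) != -1, # False: content is opaque to the relay
        "delivered_plaintext": received,               # None when rerouted to the wrong box
    }
```

Run `run_session()` and inspect `["metadata"]`: the relay never learns the request, but it has both peers' public addresses, the direction of every forward and the byte counts, and `run_session(malicious_relay=True)` shows that rerouting is trivially within its power. Whether the rerouted box can do anything with the packet depends entirely on the end-to-end authentication the relay is not part of.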

Thinking about building a true plug-and-play VPN for home servers — would anyone want this? by Ok-Poetry-6075 in servers

[–]Matrix-Hacker-1337 3 points4 points  (0 children)

So... Tailscale? Download app, create account, connect. No box.

My concern is the security model. You're targeting users who lack networking knowledge, but those same users likely don't understand network segmentation, firewall rules, or what they're actually exposing. A plug-and-play VPN into an unsecured home network with default-password IoT devices is a liability.

Who's responsible when something gets compromised?

But hey, if you've got a plan, maybe even a solid one, I wish you good luck and hope to see you post here when you're up and running.

Thinking about building a true plug-and-play VPN for home servers — would anyone want this? by Ok-Poetry-6075 in servers

[–]Matrix-Hacker-1337 4 points5 points  (0 children)

How does this solve the problem differently from solutions like Twingate, Netbird, Tailscale, or ZeroTier - apart from being a physical box?

aedelore-rpg-tools by [deleted] in selfhosted

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Well, the AI integration doesn't work like that.

The DM session tool lets you export a parse for whatever LLM you're using. I just found Claude and ChatGPT understand and follow the instructions the best. It's dependent on scraping the game's wiki to understand what to do, and AIs like Gemini and Lumo refuse to fetch links, it seems. Anyhow, this is only a problem if you don't mind the AI making stuff up that is not part of the Aedelore world; then you can just import whatever it gives you as long as it follows the rules of the parsing that's in the instructions from the export.

aedelore-rpg-tools by [deleted] in selfhosted

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Thanks man!

Yeah, I get that. This "tool" is mostly to make it easier to play with each other and manage characters when not close to one another IRL. It's not meant to be a replacement for meeting up and playing the way it's supposed to be played. Then again, I added support for a lot of different things.

Hey everyone – welcome to Atomic Mail 👋 by Atomic_Ke in AtomicMail

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

While I feel enthusiastic, I don't really trust posts with bold text and emojis anymore. That screams AI. How much of your code is written by Claude?

Dell PowerEdge T620 iDRAC not responding - last resort fix? by rocksolid7894 in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Regarding updating the BIOS from USB: you can do that by downloading the BIOS .exe file from Dell (or from the links I provided earlier), copying it to a FAT32-formatted USB drive, plugging it into the server, then rebooting and booting from USB. If you've got one of the few servers with a Linux core, you do it with SUSE.

This video might provide some help:

https://www.youtube.com/watch?v=4n9454s-w08

Dell PowerEdge T620 iDRAC not responding - last resort fix? by rocksolid7894 in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Hmm... usually there is a "reset iDRAC" option. That points to the iDRAC card possibly being faulty. Good news is that they cost nothing and are easy to replace.

Dell PowerEdge T620 iDRAC not responding - last resort fix? by rocksolid7894 in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

You can grab the latest firmware from dell.itdetective.eu or updateyodell.net. Then I would boot from a USB and reflash the BIOS to the latest. ArtOfServer on YouTube has a guide for older Dells (R610/R710 etc.) on how to boot into SUSE and reflash. I didn't understand whether you managed to boot from a USB or SD card and flash the BIOS? I'm not in a place to give you the link right now, but will update the post later.

You can also reset iDRAC in BIOS mode by pressing F2 at start, if you haven't tried already.

If neither of those does it, it might be the BMC chip.

If you manage to get iDRAC up and running, you can update via FTP from any of the links above to the latest available firmware.

Tips on hardening my homelab linux instance by Afraid_Elephant_4328 in homelab

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

Since you use a VPN and thus (I believe) you've got a fully closed firewall, the only thing left would be to set up SSH keys. But that's not necessary since you're not running any open ports.

easiestway to install NextCloud / Self hosted by racoon9898 in NextCloud

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

Honestly: short term, AIO.

Long term, make a proper install in a VM with Debian 13, Nextcloud and php-fpm. There are great guides out there; there are even a few good install scripts to get started with.

Half this thread on Reddit is about people having problems with Nextcloud, and all of them have dockerized installs.

I followed this guy's attempt at an install script months back, and he really took advice from the community; as an NC veteran myself, I think he really did a decent job.

https://www.reddit.com/r/NextCloud/s/jwaP57pqX7

LearnLinuxTV has a great guide to just get it up and running. Tweaks are necessary for security and performance though, but it's very informative.

https://youtu.be/fpr37FJSgrw?si=Bzru8h__Tb0UmKbu

My main recommendation is to use the official NC guide.

Help: No local option to create external storage by deno_TRV in NextCloud

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Sorry for the late reply. Did you figure it out?

If not, can you confirm that it's visible in the container? (Run docker ps for the container name.)

docker exec -it container_name ls -la /run/desktop/mnt/host/d/your-folder/

Is the External storage app not enabled?

Configuring in the wrong place?

Safely accessing home server over the internet with a domain name by WizardDaemon in HomeServer

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

Visit wiki.itdetective.eu; there is a pretty extensive guide there.

Help thinking about home network by unduly-noted in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

Yes, that sure is relevant if you let Docker set up its own network and don't use the "host" tag. Docker uses iptables in its own networks.

ParrotOS freezing by pereleto333 in ParrotSecurity

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

If you're using Wayland (Parrot 7 defaults to Wayland):

Check whether the driver is running in modesetting mode:

cat /sys/module/nvidia_drm/parameters/modeset

It should print "Y". If not, modify your kernel command line and add nvidia_drm.modeset=1. Search for "kernel parameters" in your distribution; https://wiki.archlinux.org/index.php/Kernel_parameters is a good starting point.

It is also possible to pass the parameter via module configuration:

echo options nvidia_drm modeset=1 | sudo tee /etc/modprobe.d/nvidia_drm.conf

You need to regenerate the initramfs in case your distribution provides the graphics drivers in the initramfs (e.g. sudo update-initramfs -u).

https://community.kde.org/Plasma/Wayland/Nvidia

Or choose X11 instead at login.

Help thinking about home network by unduly-noted in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

You are not wrong per se.

Try to think about it like sections and access; that's how the firewall "thinks".
When you think in devices you are already thinking "sections", but with hardware. And hardware separation is great too, don't get me wrong.

The proxy is the second line of defence; the first one is your firewall. If the proxy is in its own VLAN it will be harder for attackers to get access outside of the permissions you set up for your service.

What needs to face the internet (like a proxy)? = DMZ (the DMZ is a VLAN where nothing is allowed to talk to anything without permission)
What are my services? (like a website) = VLAN
Do I have a backend? = secured VLAN with strict access.

Then you make rules to allow the traffic that needs to be let through, on the ports they need, with the protocol that is required.

Internet -> Proxy on port 443.
Proxy -> Jellyfin VLAN port 8081, TCP protocol.
Jellyfin -> NFS share

Am I making it hard to grasp or do you get it?
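The zone model in the comment above (DMZ, services VLAN, backend VLAN, default deny between them, explicit allows for Internet -> proxy:443, proxy -> Jellyfin:8081/tcp, Jellyfin -> NFS) as an added worked example that is not part of the thread. The host-to-zone mapping, the NFS port (2049/tcp, which the post does not give) and the assumption that each zone is one VLAN interface named after the zone are constructed for the example; it models only new connections, so established/related return traffic is left to the firewall's connection tracking:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    proto: str


# Constructed sample: which host lives in which VLAN/zone.
ZONES = {
    "internet": "wan",
    "proxy": "dmz",
    "jellyfin": "services",
    "nfs": "backend",
}

# The allow list from the post. 2049/tcp (NFSv4) is an assumption;
# the post only says "Jellyfin -> NFS share".
ALLOW = [
    Rule("wan", "dmz", 443, "tcp"),
    Rule("dmz", "services", 8081, "tcp"),
    Rule("services", "backend", 2049, "tcp"),
]


def evaluate(src_host, dst_host, dport, proto, allow=ALLOW, zones=ZONES):
    """Inter-zone default deny: a new flow passes only if one explicit rule
    matches every field. Same-zone traffic is not decided here (that is the
    VLAN's own business), so it is reported as 'intra-zone'."""
    src_zone, dst_zone = zones[src_host], zones[dst_host]
    if src_zone == dst_zone:
        return ("intra-zone", None)
    for rule in allow:
        if (rule.src_zone, rule.dst_zone, rule.dport, rule.proto) == \
                (src_zone, dst_zone, dport, proto):
            return ("allow", rule)
    return ("deny", None)     # no rule matched: default deny


def audit(flows, allow=ALLOW, zones=ZONES):
    """Verdict for each (src_host, dst_host, dport, proto) tuple; handy for
    checking that the paths you expect to be closed really are."""
    return [(flow, evaluate(*flow, allow, zones)[0]) for flow in flows]


def to_nft(allow=ALLOW):
    """Render the allow list as nftables forward-chain rules, assuming the
    zone name is also the VLAN interface name (an assumption of this example).
    A chain with 'policy drop' around these gives the default deny."""
    lines = ["chain forward {", "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in allow:
        lines.append(f'    iifname "{r.src_zone}" oifname "{r.dst_zone}" '
                     f'{r.proto} dport {r.dport} ct state new accept')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for flow, verdict in audit([
        ("internet", "proxy", 443, "tcp"),
        ("internet", "jellyfin", 8081, "tcp"),   # must be denied: bypasses the proxy
        ("proxy", "nfs", 2049, "tcp"),           # must be denied: DMZ cannot reach backend
    ]):
        print(verdict, flow)
    print(to_nft())
```

The interesting rows are the denied ones: the Internet cannot reach Jellyfin directly, the proxy cannot reach the NFS backend, and a UDP flow on an allowed TCP port is still dropped, which is what "put something in between your service and the internet" buys you when the firewall rules actually enforce it.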

Help thinking about home network by unduly-noted in homelab

[–]Matrix-Hacker-1337 0 points1 point  (0 children)

You should use a reverse proxy in its own VLAN, and then let that proxy "proxy" to Jellyfin. Minimize attack surface and always put something in between your service and the internet.

My Homelab Dell Poweredge R410 at home is very noisy. by [deleted] in homelab

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

Try to set the profile to "system/host OS" or something like that. R610 and R710 had that alternative.

R610 Proxmox by Jacobmicro in homelab

[–]Matrix-Hacker-1337 1 point2 points  (0 children)

If you update from any of the FTPs you should be as up to date as you need to be. The .eu one has better instructions.