I am still very much a novice in the self-hosting space, Linux etc. having fairly recently switched from using macOS as my daily driver and not tinkering much at all.

One of the things that often confuses me is networking and making sure my setup is secure. This is currently holding me back from hosting more stuff locally that I would require access to from outside my home, as I am afraid I am doing something that could severely compromise my data. It can sometimes be difficult to follow explanations from more advanced users due to the many different components of networking and security, and different layers of abstraction, which prevents me from following completely. I might understand one particular case, but then be unable to make connections to another one. So I would want to research this more intensively, and ideally I would end up being able to easily understand the data flows - the paths the data takes (e.g. I make a HTTPS request to some server from my laptop, how is that traffic routed correctly through my local area network and later the wide area network), in what forms (i.e. different protocols, encryption layers etc.).

In communities like this, I see there are a lot of very knowledgeable people who maybe could recommended any resources that cover this from the basics and onto more advanced stuff? Maybe a textbook from a university course on ICT that is considered particularly good? A YouTube channel with great explanations and visualizations? I am looking both at home LAN and internet in general. Enterprise level networks are not very interesting to me (at the moment).

  • Do you have a specific need to access your services from outside your LAN? Because “homelab” usually means stuff you’re running from your home, whereas “self-hosting” includes stuff that could be in the cloud. I, myself, distinguish the two as non-intersecting sets (although, that’s not strictly true). Homelab stuff often doesn’t need to be on the intertubes. Not exposing it greatly simplifies security.

    If you do need to expose things, I’d recommend a minimal VPS running the bare minimum software you need to reverse proxy, and a VPN endpoint that punctures your firewall to your LAN. E.g, if you’re only exposing a web interface to, e.g., Home Assistant, run only something like Caddy on your VPS and proxy through over your VPN. Focus all your attention on locking down that VPS. Turn off everything else. Firewall off SSH so you can only get to it from your VPN.

    Limiting your attack surface and locking down that surface is the easiest way to get maximum security, without turning security into a full-time job. The fewer things you have to secure, the fewer areas you have to become expert in securing; the fewer things you have running in a high-threat environment, the fewer things you have to worry about patching and monitoring.

    The alternative is to become a security expert, and spend a lot of time monitoring your systems and CVEs. There is no “it’s secured, now I can ignore it.” It’s a constant fight against hackers, and the best you can do (without it becoming a second job) is to minimize your attack surface.