In this section I will help you setup your personal server using Cloudflare Tunnels. Use this if you either can't or prefer not to forward ports on your router.
After following this tutorial you will have:
- Secure access to your selfhosted web services using Cloudflare Tunnels
- Remote access from the Internet using VNC
- Remote access from your LAN using SSH
- Shared over LAN folders using Samba
- Couple of web or standalone dockerized services
- Minecraft server with mc.your-domain.tld
In the end your server may look like this (diagram made by me in draw.io):
For the Linux distro, I will use EndeavourOS, but you can use any Arch-based distro (e.g. Manjaro, Garuda, or plain Arch) to essentially copy-paste commands. I chose EndeavourOS, because it comes with some useful stuff (that I will eventually need) installed and already configured and it has ISOs with many DE (KDE Plasma, Gnome, Xfce4 and more). If you opt for a non-Arch-based distro, you will need to find equivalent instructions for your chosen distribution.
-
If you are using EndeavourOS just run
yay. For other distros find equivalent instructions. -
This depends of your distribution and your graphical environment. Just google how to do that. It shouldn't be complicated.
-
Change your default shell to zsh and enable plugins with oh-my-zsh
Setup VNC and SSH to remote access your server.
IMPORTANT! You need to either download some dummy X11 driver (not recommended) or buy dummy HDMI adapter for about 4 euro (recommended).
-
-
- Install RealVNC Viewer on your client (in my case Windows 11 Home).
-
- Install RealVNC Server on your server:
yay -S realvnc-vnc-server
sudo systemctl enable --now vncserver-x11-servicedAfter you do this, login to your RealVNC account on RealVNC Server. Make sure you check
SHA-256encryption. Reboot and boom! You have encrypted VNC connection! With VNC you can connect to your server from anywhere. -
-
SSHserver should be pre-installed on most Linux distros but if it isn't on yours, then you have to install it to complete steps below.sudo systemctl enable --now sshdnow you can connect from any device within your LAN to your server by command:
ssh <username>@<hostname/your_local_ipv4_address>
for example:
ssh myAwesomeLinuxUsername@192.168.0.18
type password for your user and congrats! You are connected via SSH! With SSH you can connect to your server from LAN only.
I also recommend setting key-based auth as well as disable
rootlogin and password login. Everything about that is covered in Port Forwarding part of this repository.If you want to connect from the Internet you can check something like Tailscale or buy some VPS.
Setup Docker with Docker Compose and add your user to "docker" group. This steps may vary depending on your Linux distro.
Visit offical docker website for instructions for your distribution
-
yay -S docker
sudo usermod -aG docker $USERnewgrp docker
sudo systemctl enable --now docker -
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}mkdir -p $DOCKER_CONFIG/cli-pluginscurl -SL https://github.com/docker/compose/releases/download/v2.19.1/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-composechmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
Install and enable firewall to prevent common attacks:
yay -S firewalldsudo systemctl enable --now firewalld.serviceInstall Samba package:
yay -S sambaAs Samba doesn't come with config file, we need to create one. I will use official config file from Samba repository.
Paste this config here:
sudo nano /etc/samba/smb.confIn the section [global] change workgroup to following:
workgroup = WORKGROUPso it will match Windows's default one.
-
In order to access your samba share from other computers, you must change your firewall's setting:
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload
systemctl enable --now smb.service -
Create
sambausersgroup and add yourself to it:sudo groupadd -r sambausers
sudo usermod -aG sambausers YOUR_USERNAME
Create samba password for your shares:
sudo smbpasswd -a YOUR_USERNAME
-
I will use my Jellyfin media library as an exemplary yet practical share.
Scroll to the bottom and add:
[Media] comment = Jellyfin Media path = /srv/server/media writable = yes browsable = yes create mask = 0700 directory mask = 0700 read only = no guest ok = noAt this point make sure that directory you specified in share's path actually exists! If not run Jellyfin service or create it manually with:
sudo mkdir /srv/server/mediaChange directory ownership and permissions:
sudo chown -R :sambausers /srv/server/media
sudo chmod 1770 /srv/server/media
Setup Cloudflare Tunnels with Portainer to allow access to your services outside your home network, then add as many services as you want.
IMPORTANT! Remember to add 2FA through Cloudflare Tunnels dashboard to some sensitive services such as Portainer.
In every case you need to run.
- Cloudflare Tunnels - making services accesible outside your home network.
- Portainer - easy managment for your Docker stuff.
Personal preference:
- Jellyfin - the free software media system.
- Jellyseerr - an application for managing request for your media library.
- NextCloud - a safe home for all your data.
- Homarr - customizable browser's home page for your homeserver.
- Mealie - a recipe manager for the modern household.
- Linkding - selfhosted bookmark manager.
- Uptime Kuma - a fancy selfhosted monitoring tool.
- Minecraft - Minecraft server with your own IP.
- Dashdot - a modern server dashboard.
- Watchtower - update your Docker containers automatically.
- qBittorrent - qBittorrent BitTorrent client.
- Starr Apps - collection managers apps with similar functionalities for anime, tv shows, movies, music and ebooks.
- Home Assistant - open source home automation that puts local control and privacy first.
- Custom service