Hi,
I would like to have some inputs regarding my current usage of YunoHost, and see if it can give some ideas to others, or if I can get some feedback.
The problem
I have multiple YNH instances, including one on a RPi that follows me in my often-changing homes.
I have recently experienced two cases where I could not trust my network, or alter its settings.
- First case, in a temporary flat-sharing housing, I set up my RPi with YNH and my shared drives… only to realize the next morning that my samba shares were open to anyone in the house.
- Second case, my current flat, where I cannot open ports 80 and 443, because they are locked at the ISP level.
I think those issues also cover what is currently happening with Free sharing the same IPv4 address among multiple clients (see Freebox - let's encrypt ne fonctionne plus).
A solution
You will tell me “use a VPN!”, and I would agree. But I find it cumbersome relying on a main server that I would have to keep somewhere safe and stable. I had been looking at alternatives, which led to my packaging of ZeroTier for YNH, which basically creates a virtual Ethernet network between devices.
All my YNH instances are now connected to this private network. It has helped me solve both issues evoked above:
- Samba shares are now only allowing connections from the ZeroTier network interface.
- I can access my HTTP-locked RPi, bypassing the ISP constraints, through its ZeroTier IP address.
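As an added illustration (not from the original post) of the samba restriction in the first bullet: a constructed "open to the whole flat" smb.conf next to one bound to the ZeroTier subnet, plus a small audit function that flags the open one. The subnet 10.147.17.0/24 is a placeholder for whatever range your ZeroTier network assigns.

```shell
#!/bin/sh
# Added example, not part of the original post or of YunoHost/ZeroTier.
# Placeholder: the ZeroTier-managed subnet (dots are regex wildcards here,
# good enough for an audit of our own config).
ZT_SUBNET="10.147.17."

# Returns 0 when [global] binds only to listed interfaces, lists the
# ZeroTier subnet, and restricts "hosts allow" to it; returns 1 otherwise.
audit_smb_conf() {
    conf="$1"
    # Drop comments and surrounding whitespace, lowercase keys/values.
    norm=$(sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*$//' "$conf" | tr 'A-Z' 'a-z')
    printf '%s\n' "$norm" | grep -q '^bind interfaces only *= *yes$' || return 1
    printf '%s\n' "$norm" | grep -q "^interfaces *=.*${ZT_SUBNET}" || return 1
    printf '%s\n' "$norm" | grep -q "^hosts allow *=.*${ZT_SUBNET}" || return 1
    return 0
}

# Constructed sample configs (written to temp files so the audit can run).
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[shared]
   path = /srv/shared
   guest ok = yes
   read only = no
EOF
cat > "$HARD" <<'EOF'
[global]
   workgroup = WORKGROUP
   # Listen on loopback and the ZeroTier subnet only (placeholder range).
   bind interfaces only = yes
   interfaces = lo 10.147.17.0/24
   hosts allow = 127. 10.147.17.
   hosts deny = ALL
[shared]
   path = /srv/shared
   guest ok = no
   read only = no
EOF

audit_smb_conf "$WEAK" && echo "weak: restricted" || echo "weak: OPEN to every interface"
audit_smb_conf "$HARD" && echo "hard: restricted" || echo "hard: OPEN to every interface"
```

Run `testparm -s` on the real /etc/samba/smb.conf afterwards to confirm Samba parses the values as intended.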
What do you think of this setup? What would you have done better/different?
I have found a couple of problems so far:
Emails
I think with this kind of setup, they are not fixable. I can rely on my regular-connected YNH instances, so it’s OK for my use case.
DNS
I am trying to figure out a way to have friendlier access to my devices, by dedicating a subdomain (e.g. zt.domain.tld) for the internal addresses (like rpi.zt.domain.tld pointing to my RPi’s ZeroTier address). But I am not sure where the best place is to put this DNS record. Should it be:
- at the domain provider level, leaking my internal network addresses to the public?
- within each device’s /etc/hosts file? It’s easy to set up, though a bit manual, except for phones…
- dedicate one device as a DNS server, which would not solve the manual work, but fixes the phones problem.
This last one is working so far. I am trying to set up LetsEncrypt certificates, but HTTP challenge is not possible. I think DNS should work, however YNH does not handle it yet, correct? If it were to be supported, should one alter the DNS records locally during the challenge, or elsewhere?