Secure and limit the access to yunohost without using port forwarding or third party softwares

I love yunohost and I think it’s an amazing and easy way to self-host.

I’m installing and testing lots of apps and I’m thinking about using yunohost to store some sensitive data (photos, contacts, personal documents, …).

I’m trying to build an environment simple to maintain and configure, as open source as possible, secure and easily accessible by me (and me only) on 2 different OS and devices.

To keep it as secure as possible I have an advanced use case in mind:

  1. I have a rasperry pi with yunohost installed.
  2. The rasperry pi is connected to my home network.
  3. I don’t want to forward any port.
  4. I don’t want to expose the rasperry pi to the public.
  5. I will be the only person using it.
  6. I want to have access to the apps from inside my local network
  7. I want to have access to the apps from one trusted Windows 11 laptop and one trusted Android smartphone that I use when I travel.
  8. I don’t want to install any software beside of the apps listed in the yunohost app catalog or the standard software already installed with the rasperry pi OS.
  9. I don’t want to use any third party external service or any closed source software.

Some notes:

  • I don’t care about emails. I don’t send or receive emails using yunohost
  • I don’t care about instant messengers of any kind (including XMPP). I don’t use them on yunohost.

What is the best solution in this scenario?
I was thinking about some kind of reverse ssh proxy connection or a VPN but my skills are limited and I’m getting lost.

I think that if we find a good solution to this scenario Yunohost could become the best choice for most of the “average user without tech skills but with privacy and security in mind” problems.

Did you find ana answer for this? I would like to install yunohost at home, but I don’t want to open ports as I don’t intend to access it from the internet.

I find those paradoxal and incompatible :upside_down_face:

And if you don’t plan to use mail and if you are the single user on it, maybe Freedombox is more suitable.

Not even through ssh on an alternate port (other then 22) and using ssh keys instead of passwords ?

Or better by installing a VPN server on your server and forwarding a port to it and use a VPN client to access it ?


if you want full opensource, Headscale (opensource self-hosted version of Tailscale)

You should look at Freedombox. You could run your box over an onion address on TOR. With Yunohost you will have a lot of stuff you don’t need running.

I am thinking of trying to run a server without Yunohost in the future, too. I don’t need XMPP, Yunohost settings, or email. It would be nice to have some toggles to disable some things that we don’t really need but some are so integral to how Yunohost runs, it is probably impossible.

Old, bitter grandpa rant : people think the word “secure” alone means something, but it means nothing without a threat model. Hell you can’t even be secure against everything all at once, because sometimes the security measures you should put in place for 2 different threats are effectively opposite.

Security is very often associated with a cost in usability.

Based on your description, you seem to have requirements similar to top-secret military project, so are you really willing to put all that effort … Saying this also because people often want the MAXIMUM security (assuming this even means something… again, security against what?) without realizing the practical implications.

That’s a big one, at least for example because this means you can’t automatically get a Lets Encrypt certificate (which requires port 80 to be forwarded). I guess you can live with a self-signed cert but :roll_eyes:

I guess you could have your phone connect via a VPN … but even then your VPN needs some sort of external endpoint to attach to, one way or another …

Yyyyyeah … Well if you’re not using Lets Encrypt certificates, you’re gonna at least one day want updates, which means relying on third party such as yunohost or debian repositories …

And I’m pretty sure you could find a dozen of external service which you need one way or another, such as DNS resolvers, npm/pip/git repositories, etc …

There are plenty of stuff people don’t need in their home computer or smartphone, yet people don’t go full “I’m gonna build my own computer”, so what exactly are you trying to achieve with this … The point of YunoHost (or your home computer, or your car) is that it should just work so you can focus with what matter in life instead of spending literally thousands of hours on boring technical shit

1 Like

this is exactly true! that’s the main reason why that project is always a ‘i’ll do it next year’ kinda thing and it never happens :rofl: