Simplifying Yunohost installation with a reverse proxy and tunnel managing service

Hello good people -

Could the installation of Yunohost be simplified dramatically (thereby making self hosting available to many more people) by a relatively low-cost simple reverse proxy service?

This would be a service that forwards requests from a URL to a yunohost intance. As a service, it would be similar to pagekite or ngrok other utilities that enable sharing a localhost / various services from machines behind firewalls.


  1. No need to open ports on router / firewall. Communication between the yunohost machine in the user’s home and the reverse proxy could be handled in the application, the user doesn’t have to know or care how.
  2. This would make it possible to make the dns / subdomain management / etc. handled automagically between yunohost and the service.
  3. Could still keep the SSL certs / etc. on the local yunohost, since the service is just in charge of forwarding requests.

This seems too easy - and would make self-hosting much more availble to the common person, right? Or am I missing something?


1 Like

Ah actually it looks like this is what I’m looking for. It just seems like the whole “getting started” process should get reworked around something like this.


I may be missing your point, but I don’t see how self-hosting with Yunohost would be easier with a reverse proxy.

  1. What ? Which ports wouldn’t you need to open ? Maybe ports that some specific applications need, but this is not that common. The user will still need to open the following “standard” TCP ports (depending of which services he uses) : 22, 25, 80, 443, 587 and 993.
  2. Isn’t it already automagically managed ? :slight_smile: You create the domains/subdomains and assign applications to them. How could it be easier for the user ?
  3. This isn’t really an advantage.

For the disadvantages, by adding a new service, the resource consumption and the complexity of the system will increase.

Hey SohKa - thanks for diving into this suggestion! I’ll answer point by point.

  1. You would need to open 0 ports in the router - in fact you wouldn’t need to do anything at all with the router. Forward facing proxy services like or ngrok allow you to map ports on your local server to the reverse proxy entirely through their application, which maintains a tunneling connection with the external reverse proxy. So the end user would not have to know what a port even is, much less configure one on their router.

  2. DNS / domain management. The user still has to configure their DNS in some way / add ports and subdomains for xmpp / etc. With a service like boringproxy (or ngrok) configured to reduce the burden on the yunohost user, you could dramatically reduce the need to understand or configure domains at all. For example - the default config could be to simply assign each app its own subdomain when it is installed (and do all the various xmpp / mail / etc. dns port stuff as well). This could be handled via requests between yunohost and the proxy service.

The user setup experience becomes: 1) Sign up for reverse proxy service (with customized config / setup for yunohost), 2) download and flash yunohost, 3) enter reverse proxy information / secret, 4) choose and install apps.

I think that would dramatically increase the number of people who can self-host. It would require that the service also handles some dns. but you guys have vastly more knowledge and experience about this. Am I missing something?


I guess one big “no-no” is the fact that this would pretty much look like a yuno-cloudflare, with one centralized proxy (or man-in-the-middle depending on how you look at it) which :

  • is a single point of failure - after you start reaching 100~1000 instances depending on it, you start being really worried about what happens if the proxy goes down. Also legal authority may take you (the proxy owner) responsible to block illegal content.
  • privacy concerns: the proxy owner has quite a lot of power over all the traffic of people using the service. Even if the traffic is theoretically encrypted you still have access to plenty of metadata, not to mention the possibility or redirect (or not) HTTP to HTTPS - or to craft a Lets Encrypt certificate considering the DNS points to the proxy anyway

Nevertheless the idea is interesting if people would be made aware of those concerns …

A few other notes :

  • Not sure how it relates to the whole DNS story … We already have & other auto-configured domain … to me this is pretty much independent of how/where you’re hosting the server (behind a reverse proxy or not)
  • There’s already a VPNclient app which pretty much solves the “how-to-bypass-NAT” in a similar-but-different way. The 2 main issues right now are: a) it’s mainly designed for a specific .cube format created by the FFDN folks, and it’s not trivial for people where to find such a VPN provider ; b) additional monthly cost (4€/month I think ?)
  • The whole “how-to-bypass-NAT” issue is nonexistent if you just host on a VPS. Which, yes, isn’t “pure self-hosting” because you don’t have control over the physical layer, but still represent a huge step forward in the grand scheme of “not depending on megacorps for your digital life”

boringproxy is a combination of a reverse proxy and a tunnel manager

That’s what I was missing. It’s not just about setting up a local reverse proxy.

@aleks summarized my thoughts in his previous post.

Ah - there had to be a catch. The current way to use boringproxy would be by hosting your boringproxy instance on a digital ocean droplet / VPS, so one would have to be subject to their terms for illegal content / etc. (The creator has plans for adding DNS config etc.) But I wonder if setting things up with yunohost such that it was easy to do this reverse proxy / tunnel with any external VPS would be worth exploring. You still have to trust the provider, but that’s no worse than being fully on a VPS, right (and somewhat better if it’s only the metadata that’s likely to leak.)

I think so! To me the primary barrier to wider adoption of self hosting is usability - and needing to open ports / do custom DNS are the main factors working against usability. And while the concerns you raise are absolutely real and relevant, I wonder if we couldn’t think of ways to engineer against them.

You are absolutely right - apologies for not making that clear from the start, my mistake! I’ve edited the topic title to clarify.
And while I’ve got you both here - thanks so much for all your work on YunoHost! I’m excited about using it, as soon as I resolve my rather puzzling DNS config issue. :wink:


At the moment I’ve been on hold for over 20 minutes with my ISP, and when they do finally answer and I ask them to configure my reverse DNS, they will say “What’s reverse DNS?”
Edit: 1 minute after writing the above, my ISP answered, and said “What’s reverse DNS?” He is now calling his lifeline for expert help.
I post this here not because I need help - but because this issue could also be solved by a reverse proxy tunnel manager to a trusted service. So - I think it’s important and worth considering how we make life so much easier for yunohost users by still allowing them to host in their home, but removing all the complexity of router and DNS configuration from the equation, thereby opening up the possibility of self hosting for a massively larger percentage of the population.
And now I’ve just heard back after the second hold, and they don’t support reverse DNS changes at all. sigh, oh well.


This would be helpful for users on ISPs which block various ports, who prefer to host on their own physical devices instead of “just put it on a VPS.”

Then a VPS which may require substantially fewer resources, and thus cost substantially less per month, can be used to proxy traffic from its public IP to Yunohost.

Every dollar not spent on hosting costs, such as by using one’s own physical hardware, is helpful to users without much income.

1 Like

For example, if my ISP fails at some point, I use my phone’s wifi hotspot as a backup.

I’d love to use this kind of automatic public reverse proxy as a backup solution too, so I can connect the raspberry to the hotspot and keep my services online.

If the idea is to deploy boringproxy or other reverse proxy/tunneling software on a vps just for one self-hosted machine, why not just setup an openvpn server on this VPS and redirect all the traffic into it…

We already have a vpn client app . We should consider to rework on easy deployment of vpnserver app.

In fact you need proxying only if you want to split one IPv4 onto 2 or more machines. But if you have a vps with 2 ipv4, you can create a “vpn self-hosting” for 2 machines…
Proxying is harder to implement…

Very interesting topic thank you.
From my (limited) understanding, OpenVPN is not considered optimal for this use, due to various issues including performance. Wireguard seems much more fit for the task. The developer of boringproxy seems to maintain a list of tunnelling tools on his github.
HomelabOS, another FOSS operating system for self-hosting, has the option to install exactly that sort of solution via what they call “bastion server” and they use tinc as VPN/tunnelling tool. tinc is not mentioned in the list above for some reason, although it seems to work well.

I am currently preparing my (future) Yunohost server setup and I intend to get a cheap VPS to use just for tunnelling. I am not comfortable with opening ports on my home router, among other reasons.

The term “bastion server” for something that will drecrease in several context the security is a bit strange IMHO.

I totally agree with you about wireguard or other vpn techno. But currently, vpnclient (openvpn) is the only easy app for vpn self-hosting on yunohost… The wireguard ynh app is currently a bit more difficult to setup. Contribution on that topic are welcome.

Note, yunohost 4.3 will improve upnp, so we hope in several situation, the user won’t need to open port by itself.

1 Like