I have a server at home that I can access only locally. It runs Ubuntu (the version doesn’t matter). However, I need to make it possible to connect to it from outside — basically as if it had a public (white) IP address.
At the same time, for security reasons, I think the public IP address should not be assigned to the server itself, but to a separate computer that would work as a tunnel (gateway) from the outside to the server.
How can this be done while prioritizing security (that is, so that the local network cannot be compromised via the public IP address)?
Tailscale
I use a Raspberry Pi with WireGuard VPN installed. Connect to your router's public IP and chosen port, then allow traffic from there to your server when connected.
ASUS routers have this feature built in.
As well as Ubiquiti (which will also run more reliably than Asuscrap)
Ubiquiti way better value for money.
Depends on exactly what you want to do with your server, you could just get away with SSH and a key file.
SSH into your "common" endpoint (e.g. a computer at home), use a port that's not typically SSH and port forward it internally. Then you're essentially done, you can log into your server as if you were local.
Also, make sure you're not behind a CGNAT, otherwise you're kinda fucked and it complicates things
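For the CGNAT caveat above, an added example that is not part of the original thread: a small POSIX shell check that takes the WAN address shown on the router's status page and reports whether it sits in the carrier-grade NAT range (100.64.0.0/10) or in RFC 1918 private space, in which case a port forward on the home router cannot be reached from outside. The function names and sample addresses are constructed for illustration, and only those ranges are checked.

```sh
#!/bin/sh
# Added example: classify the WAN address shown on the router's status page.
# cgnat/private means the ISP (or an upstream router) is doing NAT, so a port
# forward on the home router is not reachable from the internet.

# ip_to_int A.B.C.D -> prints the address as an integer; fails on bad input.
ip_to_int() {
    case $1 in
        *[!0-9.]*|*.) return 1 ;;      # only digits and dots, no trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split into octets (no glob chars left)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|0?*|????*) return 1 ;;  # empty, leading zero, or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_range IP NETWORK PREFIXLEN -> succeeds if IP lies inside NETWORK/PREFIXLEN.
in_range() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "$2") || return 2
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_wan IP -> prints cgnat, private, public or invalid.
classify_wan() {
    ip_to_int "$1" >/dev/null || { echo invalid; return 1; }
    if in_range "$1" 100.64.0.0 10; then          # RFC 6598 shared space
        echo cgnat
    elif in_range "$1" 10.0.0.0 8 || in_range "$1" 172.16.0.0 12 ||
         in_range "$1" 192.168.0.0 16; then       # RFC 1918: double NAT
        echo private
    else
        echo public
    fi
}

# Usage: sh wan_check.sh 100.72.13.5
if [ "$#" -gt 0 ]; then classify_wan "$1"; fi
```

If the result is `public` but differs from the address an external "what is my IP" service reports, some upstream device is still translating the connection.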
DuckDNS
wg-easy + DuckDNS, skip the VPS
What external clients will connect to it? Just you and your devices? Your group of pals? Everyone in this sub?
Different solutions based on use case. But, if you don’t want to expose the host IP, ssh is out and DIY VPN is out.
Simple solution is TeamViewer. Moving up in complexity, try one of the SASE ZTNA solutions, Cloudflare, Twingate, and others offer free versions for home use.
PiVPN and install WireGuard. You can run the installer twice and install OpenVPN as well on the second run. Then you have both, but WireGuard is faster.
Cloudflare tunnel?