[personal profile] chebe
I don't know why I left it so long to figure out how to do this. Yes, running everything yourself on a home connection is less stable than using a hosted service. But in the spirit of making the internet more chaotic, and a bit grungier, let's do this.

My set-up is quite specific. I bought (though rented is more correct) a domain, example.com, through my regular domain registrar. I want to run a subdomain, server.example.com, from hardware under the TV. I do not have a static IP, so I'm going to need a dynamic DNS provider. I'm using dynv6, because they were the first provider recommended to me. (The irony being that in the course of this project I discovered my ISP (Internet Service Provider)'s router doesn't let me use IPv6 at all.) The hardware is something I don't want to talk about right now, but it's a Linux box running a variant of Debian. And I'm also using a hosted email provider that lets you bring your own domain. All accounts created and services paid for. But how does it all go together?


  • Step 1; Create the subdomain, and delegate it


  • Log into your domain registrar, go to wherever you can Manage DNS. The domain, example.com, will be set up with multiple nameserver (NS) records pointing at this domain registrar's own nameservers.

    Log into dynv6, go to 'My Domains' and 'Add a domain', and create server.example.com as a single zone. It will show you the dynv6 nameservers (NSs).

    Go back to your domain registrar, find where you can create subdomains, and do that. You will need to ensure that an NS record is created for server.example.com pointing to each of the dynv6 nameservers (one record per nameserver). Save, and wait for the DNS changes to propagate.

    Back at dynv6, your domain will have a Delegation Check section. That will let you know when everything is valid and ready to go.
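A quick way to confirm the delegation from the terminal, independent of the dynv6 Delegation Check, is to ask for the subdomain's NS records and compare them with the set dynv6 gave you. The script below is an added example, not part of the original post or of dynv6's tooling; the two nameserver names in EXPECTED_NS are placeholders, so substitute the ones shown in your dynv6 zone, and the SAMPLE_* answers are constructed stand-ins for live dig output.

```shell
#!/bin/sh
# check_delegation.sh (added example, not from the post): confirm that the
# registrar now answers with the dynamic DNS provider's nameservers for the
# subdomain. The two names below are placeholders; use the ones dynv6 shows.
EXPECTED_NS="ns1.dynv6.example. ns2.dynv6.example."

# ns_targets: read "dig +noall +answer" output on stdin and print the NS
# targets (column 4 is the record type, column 5 the target), sorted so the
# order dig returns them in does not matter.
ns_targets() {
    awk '$4 == "NS" { print $5 }' | sort
}

# delegation_ok "ns list": compare the NS set on stdin with the expected set.
# Returns 0 on an exact match, 1 if any nameserver is missing or unexpected
# (for example, the registrar's own nameservers still being listed).
# $1 is deliberately unquoted so the space-separated list splits into words.
delegation_ok() {
    expected=$(printf '%s\n' $1 | sort)
    found=$(ns_targets)
    [ "$expected" = "$found" ]
}

# live_check NAME: query DNS for real (needs dig from the dnsutils package).
live_check() {
    dig +noall +answer NS "$1" | delegation_ok "$EXPECTED_NS"
}

# Constructed sample answers, used in place of a live query:
SAMPLE_GOOD='server.example.com. 3600 IN NS ns2.dynv6.example.
server.example.com. 3600 IN NS ns1.dynv6.example.'
SAMPLE_STALE='server.example.com. 3600 IN NS ns1.registrar.example.
server.example.com. 3600 IN NS ns2.dynv6.example.'

# Run with --live to query the real DNS instead of the constructed samples.
if [ "${1:-}" = "--live" ]; then
    live_check server.example.com && echo "delegation OK" || echo "delegation NOT ready"
fi
```

While the registrar's change is still propagating you will typically see the stale case (the registrar's nameservers, or a mix), which is exactly what the exact-set comparison is meant to catch.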


  • Step 2; Set up your hardware on your network


  • My Linux box has both ethernet and wlan connections. It might be just my router, but I had expected the ethernet connection to be easier to set up. I mean, I plug the cable in, and it's online. But. There is something very strange happening, where that connection gets a public IP address, but is only sometimes able to access the internet. There are no ports blocked, it just isn't always available. There is no functionality on the router to configure it. I'll have to get on to support to figure out what's going on.

    So I had to use wlan. It's the usual: connect to the network, have internet. But it gets a private IP address (something like 192.168.0.x). The router is the point of contact with the world, relaying messages between my server and the internet at large. The router blocks direct access on most ports, so you have to log into the router and find the Port Forwarding configuration section. Where this lives varies greatly; mine is Advanced Settings > Security > Port Forwarding. Then I 'Create a new rule' for my wlan private IP address, mapping external ports 80-80 to internal ports 80-80, and another rule mapping 443-443 to 443-443. Ensure they are Enabled, then 'Apply changes'. Ports 80 (HTTP) and 443 (HTTPS) should now let the outside world reach your server directly. (An external port can only be forwarded to one internal IP address, so don't be thinking about setting up multiple servers on the same ports behind one router.)

    (To try and reduce complications with the private IP address changing I also went to Advanced Settings > DHCP and added the current MAC address <-> IP address to the reserved list. I tried setting a static IP on the device, but it led to other unwanted complications, so hopefully this does the trick.)


  • Step 3; Set up ddclient on your hardware


  • In order for dynv6 to know which public IP address to reach your server at, we need to set up a client that keeps dynv6 updated about any changes. There are a bunch of clients, but I'm using ddclient. Install as detailed here. Create the start of /etc/ddclient.conf as detailed there too;
    use=web, web=checkip.dyndns.com/, web-skip='IP Address'
    ssl=yes


    Then go back to dynv6 > My Zones > server.example.com, and open the Instructions tab. Copy the snippet under the ddclient heading and place it at the end of the config file, so the whole file looks like this. (Note; the password is your secret, don't share it.)

    use=web, web=checkip.dyndns.com/, web-skip='IP Address'
    ssl=yes
    protocol=dyndns2
    server=dynv6.com
    login=none
    password='YourSecretPassword'
    server.example.com


    Save, exit, and follow the instructions in the link for setting ddclient up to run as a service. To trigger an update (and test that it works) run sudo service ddclient restart, then check sudo service ddclient status for any error messages. Hopefully you'll see a success message like;
    SUCCESS: updating server.example.com: good: IP address set to 10.10.10.10.
    If you go to the Status tab in dynv6 you will see the public IP address displayed.
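Because /etc/ddclient.conf holds the dynv6 token in clear text, it should be readable only by root; ddclient itself complains when the file is world-readable. The helper below is an added example, not from the post and not part of ddclient: it writes the config in the layout shown above with a restrictive mode from the moment the file is created, and gives you a check to run afterwards. The destination path, hostname and token are arguments, and 'constructed-token' in the usage is a made-up value.

```shell
#!/bin/sh
# ddclient_conf.sh (added example, not from the post or from ddclient):
# write the config shown above with owner-only permissions, then check it.

# write_ddclient_conf DEST HOSTNAME TOKEN
# The subshell's umask makes the file 0600 at creation, so there is no
# moment where the token is world-readable; the chmod covers a pre-existing
# file with looser permissions. TOKEN must not contain a single quote.
write_ddclient_conf() {
    dest=$1; host=$2; token=$3
    (
        umask 077
        cat > "$dest" <<EOF
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
ssl=yes
protocol=dyndns2
server=dynv6.com
login=none
password='$token'
$host
EOF
    )
    chmod 600 "$dest"
}

# conf_mode FILE: permission bits in octal (GNU stat, then BSD stat fallback)
conf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# conf_ok FILE: 0 when the file is mode 600, carries a non-empty password,
# and the placeholder from the dynv6 snippet has actually been replaced.
conf_ok() {
    [ "$(conf_mode "$1")" = "600" ] &&
        grep -q "^password='..*'\$" "$1" &&
        ! grep -q "YourSecretPassword" "$1"
}

# Real run (needs root): ./ddclient_conf.sh --install 'your-dynv6-token'
if [ "${1:-}" = "--install" ]; then
    write_ddclient_conf /etc/ddclient.conf server.example.com "${2:-}"
    conf_ok /etc/ddclient.conf && echo "config OK"
fi
```

After the install run, sudo service ddclient restart and the status check from the post apply as before; conf_ok failing on the mode is the thing to look at first if ddclient refuses to start.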

    If you're finding checkip.dyndns.com too slow, there are other options, including;
    web=ip1.dynupdate.no-ip.com
    web=api.ipify.org
    web=ipv4.wtfismyip.com/text

    You can also check the public IP (v4 or v6) on specific interfaces from the terminal;
    curl --interface eth0 -4 icanhazip.com
    curl --interface wlan0 -6 icanhazip.com


    People love dig, so to get it run sudo apt install dnsutils. Running dig server.example.com should succeed and return the same IP as above in the ANSWER section.


  • Step 4; Optionally test it's all working


  • At this point all the main pieces should be in place. If you want to test it, you can install apache2 just for that. No need for the whole LAMP stack; apache2 on its own will be enough.
    sudo apt install apache2
    Visit server.example.com in your browser, accept the no-cert warning, and you should see the apache2 default test page.

    Great! Now, remember to remove it (unless you are setting up an apache2 server), because it will get in the way if you don't.
    sudo apt remove apache2
    sudo rm /var/www/html/index.html


  • Step 5; Optionally set up email DNS records as well


  • If you also have a hosted email provider that lets you bring your own domain, and also want to set up email on server.example.com, you create those DNS records on dynv6, since it now hosts the zone. The email provider will have instructions on what to do, but broadly it involves creating a TXT record (to prove you own the domain), then the necessary MX records. And maybe some optional steps like SPF records. Do as they tell you and all should go according to plan. (And you too will become one of those people telling others to check Spam.)


  • Step 6; Install your server software | Choose your own adventure style


  • Whatever you are planning on doing, like apache2 or nginx, do it here. This is also the time to think about things like iptables.
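As a concrete starting point for the iptables question, here is an added example (not from the post) that generates a default-deny inbound ruleset in iptables-restore format: loopback and replies to the server's own connections are allowed, the two ports the router forwards are opened, and SSH is accepted only from the LAN. The LAN range 192.168.0.0/24 is an assumption based on the 192.168.0.x address mentioned in Step 2; adjust it to your router's subnet before applying, or SSH from the LAN will be dropped along with everything else.

```shell
#!/bin/sh
# firewall_rules.sh (added example, not from the post): generate a
# default-deny INPUT policy for the home server in iptables-restore format.
# LAN_NET is an assumption matching the 192.168.0.x range from Step 2.
LAN_NET=${LAN_NET:-192.168.0.0/24}

# gen_firewall_rules PORT...: print a ruleset that drops everything inbound
# except loopback, replies to our own connections, ping, SSH from the LAN,
# and the listed TCP ports (the ones the router forwards). Rejects any
# argument that is not a plain port number so a typo cannot become a rule.
gen_firewall_rules() {
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "gen_firewall_rules: bad port '$p'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        "-A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# accepted_ports FILE: list the TCP ports a generated ruleset accepts, in
# order, so the result can be reviewed before it is loaded.
accepted_ports() {
    awk '/-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' "$1"
}

# apply_firewall_rules PORT...: validate with iptables-restore --test, then
# load. Needs root; this script does not persist the rules across reboots.
apply_firewall_rules() {
    f=$(mktemp) || return 1
    gen_firewall_rules "$@" > "$f" &&
        iptables-restore --test "$f" &&
        iptables-restore "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Preview: ./firewall_rules.sh 80 443   (prints the ruleset, applies nothing)
if [ $# -gt 0 ]; then
    gen_firewall_rules "$@"
fi
```

Review the output with accepted_ports before calling apply_firewall_rules; the only ports that should appear are 22 (LAN only) and the ones you forwarded on the router. Anything else listening on the box stays reachable from the LAN only if you add a rule for it.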


  • Step 7; Optionally run certbot


  • After you have the server software installed, you can get yourself a Let's Encrypt certificate so browsers don't scare away visitors. This (too brief) example uses nginx; there are other options available.

    You might need to install it first, something like sudo apt install certbot python3-certbot-nginx. Then,
    certbot --nginx -d server.example.com

    It will either work straight off, or you will descend into the spiral I did, whereby you get an error that it couldn't find a valid A record.

    dig was working fine. My browser was working fine. But certbot was failing, because it doesn't use dig; it uses something more like unboundtest, which you can use to debug certbot errors. (People also recommend DNSViz, but I didn't need it in this case.) Sure enough, unboundtest wasn't receiving an ANSWER. I made a couple of changes at the same time, so I'm not sure which helped fix it, but you can try;
    1. adding an A record in dynv6 for server.example.com. It wants you to add it for anything.server.example.com, so do that, then go back in and edit it back to server.example.com.
    2. go back to your domain registrar, and set up hosting for example.com, even if it's just a Parking page. This will set up a valid A record for example.com.
    3. ensure that your server's network interface (e.g. eth0, wlan0) is still working.

    Hopefully something in there will help unboundtest find the ANSWER, and when it does you should be able to run certbot without issue.
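What separates dig from certbot here is where the answer comes from: dig asks your local resolver, which may hand back a cached or forwarded answer, while a validating resolver like the one behind unboundtest walks down to the zone's authoritative nameservers itself. The script below is an added example, not from the post: it asks the authoritative server directly with recursion switched off, and only counts an A record whose owner name is exactly server.example.com, so a record left sitting on anything.server.example.com from point 1 does not count. The ANSWER_* strings are constructed stand-ins for live dig output.

```shell
#!/bin/sh
# auth_a_check.sh (added example, not from the post): ask the zone's own
# nameserver for the A record, bypassing the local resolver's cache.

# a_for_name NAME: read "dig +noall +answer" output on stdin and print the
# IPv4 addresses of A records whose owner is exactly NAME (trailing dot
# added if missing). A record on a sibling or sub-name is deliberately ignored.
a_for_name() {
    case $1 in *.) want=$1 ;; *) want="$1." ;; esac
    awk -v want="$want" '$1 == want && $4 == "A" { print $5 }'
}

# first_ns NAME: the first nameserver dig reports for NAME (live query).
first_ns() {
    dig +noall +answer NS "$1" | awk '$4 == "NS" { print $5; exit }'
}

# auth_a_record NAME: live query of the authoritative nameserver with
# recursion off (+norecurse), the way a validating resolver sees the zone.
auth_a_record() {
    ns=$(first_ns "$1")
    [ -n "$ns" ] || { echo "no NS delegation found for $1" >&2; return 1; }
    dig +norecurse +noall +answer @"$ns" A "$1" | a_for_name "$1"
}

# Constructed answers: the first is what point 1 initially produces, the
# second is what you want to see. 10.10.10.10 is the post's placeholder IP.
ANSWER_WRONG_OWNER='anything.server.example.com. 300 IN A 10.10.10.10'
ANSWER_GOOD='server.example.com. 300 IN A 10.10.10.10'

# Run with --live to query the real DNS instead of the constructed samples.
if [ "${1:-}" = "--live" ]; then
    ip=$(auth_a_record server.example.com)
    [ -n "$ip" ] && echo "authoritative A: $ip" || echo "no A record at the authoritative server"
fi
```

If the live run prints nothing while dig server.example.com still shows an address, the record exists only in your resolver's cache or under the wrong owner name, which is the situation points 1 and 2 above are fixing.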

    You then link the generated certs in your server configuration, however you need to, and you'll have lovely certified connections to your home server.

    You might also need to clean up some default pages if they get in your way;
    sudo rm /etc/nginx/sites-available/default
    sudo rm /etc/nginx/sites-enabled/default
    sudo rm /var/www/html/index.nginx-debian.html



  • Step finally;


  • Enjoy running your server!