I don't know why I left it so long to figure out how to do this. Yes, running everything yourself on a home connection is less stable than using a hosted service. But in the spirit of making the internet more chaotic, and a bit grungier, let's do this.
My set-up is quite specific. I bought (though rented is more correct) a domain, example.com, through my regular domain registrar. I want to run a subdomain, server.example.com, from hardware under the TV. I do not have a static IP, so I'm going to need a dynamic DNS provider. I'm using dynv6, because they were the first provider recommended to me. (The irony being that in the course of this project I discovered my ISP (Internet Service Provider)'s router doesn't let me use IPv6 at all.) The hardware is something I don't want to talk about right now, but it's a Linux box running a variant of Debian. And I'm also using a hosted email provider that lets you bring your own domain. All accounts created and services paid for. But how does it all go together?
Step 1; Create the subdomain, and delegate it
Log into your domain registrar and go to wherever it lets you Manage DNS. The domain, example.com, will already have several nameserver (NS) records pointing at the registrar's own nameservers.
Log into dynv6, go to 'My Domains' then 'Add a domain', and create server.example.com as a single zone. It will tell you which dynv6 nameservers to use.
Go back to your domain registrar, find where you can create subdomains, and create server.example.com there. You need an NS record for server.example.com pointing at each of the dynv6 nameservers. Once delegated, resolvers go to dynv6 for anything under server.example.com, so A and other records for that name belong in dynv6, not at the registrar. Save, and wait for the DNS changes to propagate.
Back at dynv6 your domain will have a Delegation Check section. That will tell you when everything is valid and ready to go.
Step 2; Set up your hardware on your network
My Linux box has both ethernet and wlan connections. It might be just my router, but I had expected the ethernet connection to be easier to set up. I mean, I plug the cable in, and it's online. But there is something very strange happening, where that connection gets a public IP address but is only sometimes able to access the internet. There are no ports blocked, it just isn't always available. There is no functionality on the router to configure it. I'll have to get on to support to figure out what's going on.
So I had to use wlan. It's the usual: connect to the network, have internet. But it gets a private IP address (something like 192.168.0.x). The router is the point of contact with the world, relaying messages between my server and the internet at large. Because the server's address is private, nothing outside can reach it until the router is told to forward a port to it. Log into the router and find the Port Forwarding configuration section. This can vary greatly; mine is Advanced Settings > Security > Port Forwarding. Then 'Create a new rule' for the wlan private IP address, mapping ports 80-80 to 80-80, and another rule mapping ports 443-443 to 443-443. Ensure they are Enabled, then 'Apply changes'. 80 (http) and 443 (https) should now let your server talk directly with the outside world. Forward only what you need: these two ports are enough for a web server, and anything else you expose (SSH on 22, the router's own admin page) will be found by scanners and brute-forced within hours. (A port can only be forwarded to one IP address, so don't be thinking about setting up multiple servers behind it; if you ever need that, one box running a reverse proxy can route to the others by hostname.)
(To try to reduce complications with the private IP address changing, I also went to Advanced Settings > DHCP and added the current MAC address <-> IP address pair to the reserved list. This matters for the forwarding rules too: if the lease moved, ports 80 and 443 would be forwarded to whatever device got the address next. I tried setting a static IP on the device, but it led to other unwanted complications, so hopefully this does the trick.)
Step 3; Set up ddclient on your hardware
In order for dynv6 to know where (what public IP address) to reach your server on, we need to set up a client to keep dynv6 updated about any changes. There are a bunch of clients, but I'm using ddclient. Install it as its documentation describes. Create the start of /etc/ddclient.conf as detailed there too;
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
ssl=yes
Then go back to dynv6 > My Zones > server.example.com, and go to the Instructions tab. Copy the snippet under the ddclient heading and place it at the end of the config file. (Note: the password is your secret. Anyone holding it can point server.example.com at a machine of their own, so don't share it, and keep the file readable by root only, mode 600.) The whole file then looks like;
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
ssl=yes
protocol=dyndns2
server=dynv6.com
login=none
password='YourSecretPassword'
server.example.com
Save, exit, and follow the ddclient instructions for setting it up to run as a service. To trigger it (and test that it works) run
sudo service ddclient restart
then check
sudo service ddclient status
for any error messages. Hopefully you'll see a success message like the following (with your real public address in place of the placeholder 10.10.10.10);
SUCCESS: updating server.example.com: good: IP address set to 10.10.10.10.
If you go to the Status tab in dynv6 you will see the public IP address displayed.
If you're finding checkip.dyndns.com too slow, there are other options, including the following (these return the bare address, so web-skip is not needed with them);
web=ip1.dynupdate.no-ip.com
web=api.ipify.org
web=ipv4.wtfismyip.com/text
You can also check the public IP (v4 or v6) on specific interfaces from the terminal;
curl --interface eth0 -4 icanhazip.com
curl --interface wlan0 -6 icanhazip.com
People love dig, so to get it
sudo apt install dnsutils
Running
dig server.example.com
should be successful and return the same IP as above in the ANSWER section.
Step 4; Optionally test it's all working
At this point all the main pieces should be in place. If you want to test it you can install apache2, just to test. No need for the whole LAMP stack, apache2 will be enough.
sudo apt install apache2
Visit http://server.example.com in your browser (there is no certificate yet, so ignore any warning about an insecure connection) and you should see the apache2 default test page. Test from outside your own network if you can (a phone on mobile data will do): not every router loops traffic for its own public address back inside, so a failure from the sofa doesn't necessarily mean a failure from the internet. Great! Now, remember to remove it (unless you are setting up an apache2 server), because it will get in the way if you don't.
sudo apt remove apache2
sudo rm /var/www/html/index.html
Step 5; Optionally set up email DNS records as well
If you also have a hosted email provider that lets you bring your own domain, and want email at server.example.com, you create the DNS records on dynv6, since it is now the authority for that name. The email provider will have instructions on what to do, but broadly it involves creating a TXT record (to prove you own the name), then the necessary MX records, and then SPF, DKIM and DMARC records. The provider may call those last ones optional, but they are what keep your mail out of other people's Spam folders. Do as they tell you and all should go according to plan. (And you too will become one of those people telling others to check Spam.)
Step 6; Install your server software | Choose your own adventure style
Whatever you are planning on doing, like apache2 or nginx, do it here. Also, now is the time to think about things like iptables. The router is forwarding 80 and 443 to this box, so anything listening on it is reachable from the internet; a host firewall that drops everything except what you meant to expose costs nothing, and keeping the box patched (Debian's unattended-upgrades package) costs almost nothing.
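The firewall the paragraph above asks you to think about, as an added example (not the post's own setup). It uses nftables, which is what the iptables command on current Debian drives underneath, and it assumes the LAN is 192.168.0.0/24 (the post's 192.168.0.x); set LAN if yours differs. It only ever opens the TCP ports you name, allows SSH from the LAN alone, and refuses to render a ruleset at all if a port argument is not a number, so a typo cannot quietly open something wider.

```shell
#!/bin/sh
# hostfw.sh - host firewall for a box that has 80 and 443 forwarded to it.
# Added example for this post (not the post's own setup). Uses nftables.
# Assumes the LAN is 192.168.0.0/24; override with LAN=10.0.0.0/24 etc.
set -u

LAN=${LAN:-192.168.0.0/24}

# render_ruleset PORT... : print an nftables ruleset that accepts the given
# TCP ports from anywhere, SSH (22) only from the LAN, ICMP, loopback and
# replies to our own connections, and drops every other inbound packet.
# Rejects anything that is not a port number so a typo cannot open a range.
render_ruleset() {
    ports=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "not a port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "out of range: $p" >&2; return 1
        fi
        ports="${ports:+$ports, }$p"
    done
    [ -n "$ports" ] || { echo "no ports given" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        ip saddr $LAN tcp dport 22 accept
        tcp dport { $ports } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# apply PORT... : syntax-check the generated ruleset (nft -c), install it as
# /etc/nftables.conf, load it, and have the nftables service reload it at boot.
apply() {
    tmp=$(mktemp) || return 1
    render_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    sudo nft -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    sudo install -m 0644 "$tmp" /etc/nftables.conf
    rm -f "$tmp"
    sudo nft -f /etc/nftables.conf
    sudo systemctl enable --now nftables
}

# Usage:  sh hostfw.sh render 80 443     (read it before you trust it)
#         sh hostfw.sh apply 80 443
case "${1:-}" in
    render) shift; render_ruleset "$@" ;;
    apply)  shift; apply "$@" ;;
esac
```

Run the render subcommand first and read the output; the apply path refuses to install anything that nft -c does not accept, and because SSH is only accepted from the LAN you keep a way in from the sofa even if a typo in the public ports locks the internet out.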
Step 7; Optionally run certbot
After you have the server software installed, you can get yourself a Let's Encrypt certificate so browsers don't scare away visitors. This too-brief example uses nginx; there are other options available. You might need to install it first, something like
sudo apt install certbot python3-certbot-nginx
Then (certbot needs root to write under /etc/letsencrypt and to edit the nginx config),
sudo certbot --nginx -d server.example.com
It will either work straight off, or you will descend into the spiral I did, whereby you get an error that it couldn't find a valid A record. dig was working fine. My browser was working fine. But certbot was failing. The lookup that matters is not the one on your machine: Let's Encrypt's validation servers resolve the name themselves, with Unbound, starting from the root and ignoring whatever your local resolver has cached, and unboundtest reproduces that lookup, so use it to debug certbot errors. (People also recommend DNSViz, but I didn't need it in this case.) Sure enough, unboundtest wasn't receiving an ANSWER. I made a couple of changes at the same time, so I'm not sure which helped fix it, but you can try;
1. adding an A record in dynv6 for server.example.com. It wants you to add it for anything.server.example.com, so do that, then go back in and edit it back to server.example.com.
2. going back to your domain registrar and setting up hosting for example.com, even if it's just a Parking page. This will set up a valid A record for example.com.
3. ensuring that your server network interface (e.g. eth0, wlan0) is still working.
Hopefully something in there will help unboundtest to find the ANSWER, and when it does you should be able to run certbot without issue. You then link the generated certs in your server configuration, however you need to (certbot --nginx edits the nginx config for you), and you'll have lovely certified connections to your home server.
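For both the delegation check in Step 1 and the certbot spiral above, here is a script that asks the same questions a validating resolver asks, straight to the authoritative servers rather than via your local resolver and its cache. It is an added example for this post, not part of dynv6, certbot or the author's setup. It needs dig from dnsutils, and the nameserver names in the usage lines (ns1.dynv6.com and so on) are placeholders; use the ones dynv6 gave you.

```shell
#!/bin/sh
# dnscheck.sh - ask the authoritative servers the questions a CA asks before
# issuing for a delegated name, bypassing the local resolver and its cache.
# Added example for this post; not part of dynv6, certbot or the post's own
# setup. Needs dig (sudo apt install dnsutils). Zone and nameserver names in
# the usage lines are assumptions; substitute your own.
set -u

# Lowercase, strip a trailing dot, drop blank lines, so names compare cleanly.
normalize() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d'
}

# missing_ns EXPECTED... : read the NS names actually served (one per line)
# on stdin, print each expected name that is absent, return 1 if any is.
missing_ns() {
    actual=$(normalize)
    rc=0
    for want in "$@"; do
        want=$(printf '%s\n' "$want" | normalize)
        if ! printf '%s\n' "$actual" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# answer_has IP : read 'dig +short' output on stdin and succeed only if IP is
# one of the lines. An empty answer (what unboundtest showed the author) or a
# CNAME instead of an address fails, which is the condition certbot reports.
answer_has() {
    grep -qxF -- "$1"
}

# delegation ZONE NS... : query one of the parent zone's nameservers directly
# for ZONE's NS records (a referral arrives in the AUTHORITY section, a plain
# answer in ANSWER) and compare with the dynv6 servers you expect.
delegation() {
    zone=$1; shift
    parent=${zone#*.}
    parent_ns=$(dig +short NS "$parent" | head -n 1)
    dig +noall +answer +authority @"$parent_ns" "$zone" NS \
        | awk '$4 == "NS" { print $5 }' \
        | missing_ns "$@" && echo "delegation ok for $zone (asked $parent_ns)"
}

# a_record ZONE NS : ask one delegated server, non-recursively, for the A
# record and check that it is this machine's current public IPv4 address.
a_record() {
    zone=$1; ns=$2
    public=$(curl -4 -s https://icanhazip.com)
    if dig +short +norecurse @"$ns" "$zone" A | answer_has "$public"; then
        echo "$zone -> $public at $ns"
    else
        echo "$ns does not answer $zone A = $public" >&2
        return 1
    fi
}

# Usage (live, needs the network):
#   sh dnscheck.sh delegation server.example.com ns1.dynv6.com ns2.dynv6.com
#   sh dnscheck.sh a_record   server.example.com ns1.dynv6.com
case "${1:-}" in
    delegation) shift; delegation "$@" ;;
    a_record)   shift; a_record "$@" ;;
esac
```

If delegation prints a nameserver name, the registrar side is missing that NS record; if a_record fails while dig on the box succeeds, the box is answering from cache or from a record that only exists in your resolver's view, which is the situation the author hit, and the dynv6 zone itself needs the A record.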
You might also need to clean up some default pages if they get in your way;
sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
sudo rm /var/www/html/index.nginx-debian.html
Step finally;
Enjoy running your server!