Introduction: Why Network Configuration Matters

Once you have built a home server, the most important step still remains: network configuration. No matter how great your hardware is or how perfectly you installed the operating system, without proper network configuration, your server is nothing but an isolated computer that cannot be accessed from outside.

In this part, we will cover all aspects of network configuration to make your home server accessible securely from anywhere. We will go through static IP setup, port forwarding, DDNS configuration, SSH remote access, security hardening, and WireGuard VPN step by step. It might seem complex at first, but by following along one step at a time, you will build an expert-level network environment before you know it.

1. Understanding Internal Networks and Static IP Configuration

1.1 Difference Between Internal IP and External IP

Before starting network configuration, you need to understand the concept of IP addresses clearly. In a home network, there are two types of IP addresses.

External IP (Public IP) is the address that your Internet Service Provider (ISP) assigns to your home. It is unique worldwide and is used when external networks need to find your network. It is usually assigned to the WAN port of your router.

Internal IP (Private IP) is the address that your router assigns to each device in your home. It uses ranges like 192.168.x.x, 172.16.x.x, or 10.x.x.x, and can only communicate within the same internal network.

1.2 Setting a Static IP on Your Server

A server should always have the same IP address. An IP automatically assigned by DHCP can change after rebooting or over time, which would break port forwarding and other configurations.

Static IP configuration using Netplan on Ubuntu/Debian:

# Check current network interface
ip addr show

# Edit Netplan configuration file
sudo nano /etc/netplan/00-installer-config.yaml

Modify the configuration file as follows:

network:
  version: 2
  ethernets:
    enp0s3:  # Change to your actual interface name
      dhcp4: no
      addresses:
        - 192.168.1.100/24  # Your desired static IP
      routes:
        - to: default
          via: 192.168.1.1  # Router IP (gateway)
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

Apply the configuration:

# Apply settings
sudo netplan apply

# Verify changed IP
ip addr show

Tip: When setting a static IP, it is best to choose an address outside your router's DHCP range. For example, if DHCP uses 192.168.1.2-192.168.1.99, using 192.168.1.100 or higher for your server avoids conflicts.

2. Understanding and Configuring Port Forwarding

2.1 What is Port Forwarding?

Port forwarding is a feature that directs traffic coming to a specific port from outside to a specific device on your internal network. Routers by default block external connections, so port forwarding is essential for accessing your server.

For example, to access your server via SSH from outside, you need to configure your router to "send connections coming to port 22 to 192.168.1.100".

2.2 Common Port Numbers

Service      Port Number   Description
SSH          22            Remote terminal access
HTTP         80            Web server
HTTPS        443           Secure web server
FTP          21            File transfer
Samba        445           Windows file sharing
WireGuard    51820         VPN

2.3 Setting Up Port Forwarding on Your Router

Port forwarding is configured in your router's admin page. Access your router IP (usually 192.168.1.1 or 192.168.0.1) in a browser and find the port forwarding or virtual server menu.

Common configuration items:

  • Service Name: An easily identifiable name (e.g., SSH, Web Server)
  • External Port: The port used when connecting from outside
  • Internal IP: Your server's static IP address
  • Internal Port: The actual port where the service runs on your server
  • Protocol: TCP, UDP, or both

Security Tip: Changing the SSH port from 22 to another number (e.g., 2222, 22022) can significantly reduce automated attacks. In this case, set the external port to your desired number and keep the internal port at 22.

3. Solving Dynamic IP Issues with DDNS

3.1 Why You Need DDNS

Most residential internet uses dynamic IP. This means your ISP can change your external IP periodically or whenever your router restarts. Having to check the new address every time the IP changes is very inconvenient.

DDNS (Dynamic DNS) solves this problem. It automatically links your changing IP address to a fixed domain name, allowing you to always connect using an address like myserver.duckdns.org.

3.2 Setting Up Duck DNS

Duck DNS is a free DDNS service. It is simple to set up and reliable.

Step 1: Create a Duck DNS Account

  1. Go to https://www.duckdns.org
  2. Log in with a social account
  3. Create your desired subdomain (e.g., myserver)
  4. Note and save the token value

Step 2: Set Up Auto-Update Script on Server

# Create script directory
mkdir -p ~/duckdns
cd ~/duckdns

# Create update script
nano duck.sh

Script content:

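#!/bin/bash
# Update the Duck DNS record; an empty ip= lets Duck DNS use the address the request comes from.
# TLS certificate verification stays on (no -k), so the token is only sent to the real duckdns.org.
echo url="https://www.duckdns.org/update?domains=myserver&token=YOUR_TOKEN&ip=" | curl -o ~/duckdns/duck.log -K -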

Grant execution permission and test:

# Grant execution permission
chmod 700 duck.sh

# Test run
./duck.sh

# Check result (should output OK)
cat duck.log

Step 3: Set Up Automatic Execution with Crontab

# Edit crontab
crontab -e

# Add to run every 5 minutes
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

3.3 No-IP Alternative

No-IP is another popular DDNS service. Free accounts require manual confirmation every 30 days, but offer more domain options.

# Install No-IP Dynamic Update Client
cd /usr/local/src
sudo wget https://www.noip.com/client/linux/noip-duc-linux.tar.gz
sudo tar xzf noip-duc-linux.tar.gz
cd noip-2.1.9-1
sudo make
sudo make install

# Configure and run
sudo /usr/local/bin/noip2 -C
sudo /usr/local/bin/noip2

4. SSH Remote Access Configuration

4.1 SSH Server Installation and Basic Configuration

SSH (Secure Shell) is the most basic and secure method for remotely managing your server.

# Install SSH server (usually already installed)
sudo apt update
sudo apt install openssh-server

# Check SSH service status
sudo systemctl status ssh

# Enable auto-start on boot
sudo systemctl enable ssh

4.2 SSH Security Hardening

Default settings work, but changing a few settings is recommended for security.

# Edit SSH configuration file
sudo nano /etc/ssh/sshd_config

Recommended setting changes:

# Change port (optional, change from default 22)
Port 22022

# Disable direct root login
PermitRootLogin no

# Password authentication (change to no after setting up keys)
PasswordAuthentication yes

# Disable empty passwords
PermitEmptyPasswords no

# Maximum authentication attempts
MaxAuthTries 3

# Login grace time
LoginGraceTime 60

# Allow only specific users (optional)
AllowUsers yourusername

Apply settings:

# Check configuration syntax
sudo sshd -t

# Restart SSH service
sudo systemctl restart ssh

4.3 SSH Key Authentication Setup

Using SSH keys instead of passwords greatly improves security. Once password authentication is disabled, nobody can connect without the key file, which protects you from password brute force attacks.

Generate keys on client (local PC):

# Generate key pair (Windows PowerShell or Linux/Mac terminal)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Or RSA method (better compatibility)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Copy public key to server:

# From Linux/Mac
ssh-copy-id -p 22022 username@server_ip

# From Windows PowerShell
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh -p 22022 username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Test key authentication then disable password authentication:

# Test connection with key
ssh -p 22022 username@server_ip

# If successful, disable password authentication on server
sudo nano /etc/ssh/sshd_config
# Change to PasswordAuthentication no

sudo systemctl restart ssh
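
Added example, not part of the original guide: a small shell check for the settings from sections 4.2 and 4.3. sshd keeps the first value it reads for each keyword, so a `PasswordAuthentication no` line appended below an earlier `yes` has no effect; the function names (`audit_sshd_config`, `sample_config`) and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sshd settings that differ from the hardened values above.

audit_sshd_config() {
    # Reads sshd_config text (or `sshd -T` output) on stdin, one finding per line.
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2) # keywords are case-insensitive
        if (key == "match") exit             # conditional blocks are out of scope
        if (!(key in seen)) seen[key] = val  # sshd keeps the first value it reads
    }
    END {
        n = split("permitrootlogin passwordauthentication permitemptypasswords", k, " ")
        for (i = 1; i <= n; i++) {
            if (!(k[i] in seen))
                print "UNSET " k[i] " (want no)"
            else if (seen[k[i]] != "no")
                print "WEAK " k[i] "=" seen[k[i]] " (want no)"
        }
        if (!("maxauthtries" in seen))
            print "UNSET maxauthtries (want <= 3)"
        else if (seen["maxauthtries"] + 0 > 3)
            print "WEAK maxauthtries=" seen["maxauthtries"] " (want <= 3)"
    }'
}

sample_config() {
    # Constructed sample: the second PasswordAuthentication line is ignored by sshd.
    cat <<'EOF'
Port 22022
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
passwordauthentication no
Match User backup
    PermitRootLogin yes
EOF
}

sample_config | audit_sshd_config
```

On a real server, pipe `sudo sshd -T` into `audit_sshd_config` instead of the sample; that output is the effective configuration, including Include files and built-in defaults.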

5. Security Hardening with fail2ban

5.1 What is fail2ban?

fail2ban is a tool that monitors log files, detects repeated login failures, and automatically blocks those IP addresses. It effectively defends against SSH brute force attacks.

5.2 fail2ban Installation and Configuration

# Install
sudo apt update
sudo apt install fail2ban

# Copy default configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit configuration
sudo nano /etc/fail2ban/jail.local

Key settings for SSH protection:

[DEFAULT]
# Ban time (seconds)
bantime = 3600

# Monitoring time window
findtime = 600

# Maximum failure count
maxretry = 3

# IPs to exclude from banning (your IP)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

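[sshd]
enabled = true
# Change to match your SSH port (keep comments on their own line; fail2ban does not strip a trailing # comment)
port = 22022
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Start fail2ban and check its status:

# Start and enable fail2ban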
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Check banned IPs
sudo fail2ban-client get sshd banned

# Unban a specific IP
sudo fail2ban-client set sshd unbanip 203.0.113.10  # Replace with the address to unban
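
Added example, not part of the original guide and not fail2ban's own code: a simplified model of how `maxretry` and `findtime` from the [sshd] jail above interact, run over constructed auth.log lines. The function names (`would_ban`, `sample_auth_log`), the host name and the addresses are made up for illustration, and all lines are assumed to come from the same day.

```shell
#!/bin/sh
# Added example: which addresses would the [sshd] jail above ban?

would_ban() {
    # $1 = maxretry, $2 = findtime in seconds; auth.log lines on stdin.
    # Prints "<ip> <time of ban>" once per address that collects maxretry
    # failures inside one findtime window. Assumes all lines are from one day.
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
        split($3, hms, ":")
        now = hms[1] * 3600 + hms[2] * 60 + hms[3]
        # The user name is supplied by the remote side and may itself contain
        # "from", so the address is taken after the LAST "from" on the line.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        n[ip]++; t[ip, n[ip]] = now
        hits = 0                              # failures still inside the window
        for (j = n[ip]; j >= 1 && now - t[ip, j] <= findtime; j--) hits++
        if (hits >= maxretry) { banned[ip] = 1; print ip, $3 }
    }'
}

sample_auth_log() {
    # Constructed log lines using documentation address ranges.
    cat <<'EOF'
Mar  3 02:10:01 homeserver sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:10:09 homeserver sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:30 homeserver sshd[2240]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 02:12:44 homeserver sshd[2251]: Failed password for invalid user test from 203.0.113.7 port 51190 ssh2
Mar  3 02:30:02 homeserver sshd[2302]: Failed password for root from 198.51.100.23 port 40871 ssh2
Mar  3 02:45:15 homeserver sshd[2330]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2
Mar  3 02:50:40 homeserver sshd[2345]: Failed password for root from 198.51.100.23 port 41200 ssh2
EOF
}

sample_auth_log | would_ban 3 600
```

Running it again as `would_ban 3 3600` also reports 198.51.100.23, whose three failures are spread over about 40 minutes and therefore never share one 600-second window.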

6. Building a WireGuard VPN Server

6.1 Why You Need VPN

Using a VPN (Virtual Private Network) allows you to access all services as if you were inside your home network when connecting from outside. You do not need to open individual ports, which also improves security.

WireGuard is a modern VPN protocol that is simple to set up, fast, and highly secure. It is much lighter and more modern than OpenVPN.

6.2 WireGuard Server Configuration

# Install WireGuard
sudo apt update
sudo apt install wireguard

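# Generate server key pair (umask 077 so the key files are created without group/other access)
# Absolute paths are used because /etc/wireguard is normally readable by root only
umask 077
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

# View keys
sudo cat /etc/wireguard/privatekey
sudo cat /etc/wireguard/publickey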

Create server configuration file:

sudo nano /etc/wireguard/wg0.conf

File content:

[Interface]
# Server's VPN internal IP
Address = 10.0.0.1/24
# Server's private key
PrivateKey = SERVER_PRIVATE_KEY_HERE
# WireGuard port
ListenPort = 51820
# Packet forwarding settings (replace eth0 with your actual interface name, e.g. enp0s3)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1's public key
PublicKey = CLIENT_PUBLIC_KEY
# IP to assign to client
AllowedIPs = 10.0.0.2/32

Enable IP forwarding:

# Configure IP forwarding
sudo nano /etc/sysctl.conf
# Uncomment net.ipv4.ip_forward=1

# Apply
sudo sysctl -p

Start WireGuard:

# Start interface
sudo wg-quick up wg0

# Check status
sudo wg show

# Enable auto-start on boot
sudo systemctl enable wg-quick@wg0

6.3 Client Configuration

Generate client keys (on server):

wg genkey | tee client_privatekey | wg pubkey > client_publickey

Client configuration file:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your.ddns.domain:51820
AllowedIPs = 0.0.0.0/0  # All traffic through VPN
# Or AllowedIPs = 192.168.1.0/24, 10.0.0.0/24  # Only specific networks
PersistentKeepalive = 25

WireGuard official apps are available for Windows, Mac, iOS, and Android. You can import configuration files or easily set up via QR code.

7. Firewall Configuration

7.1 UFW Basic Configuration

UFW (Uncomplicated Firewall) is Ubuntu's default firewall tool. You can manage firewall rules with simple commands.

# Check UFW status
sudo ufw status

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your port if changed)
sudo ufw allow 22022/tcp

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow WireGuard
sudo ufw allow 51820/udp

# Enable UFW
sudo ufw enable

# Check rules
sudo ufw status verbose

8. Summary and Network Check Checklist

We have covered network configuration and remote access for your home server. Let us finally verify that all settings are properly configured.

Configuration Complete Checklist

  • Is a static IP assigned to the server?
  • Is the necessary port forwarding configured on the router?
  • Is DDNS updating the IP correctly?
  • Does SSH key authentication work?
  • Is fail2ban enabled?
  • Is the firewall properly configured?
  • Does VPN connection work correctly? (optional)

External Access Test

# Test SSH access from outside (use mobile data or external network)
ssh -p 22022 username@your.ddns.domain

# Check port open status (use external service)
# https://www.yougetsignal.com/tools/open-ports/

Your home server is now ready to be accessed securely from anywhere. In the next part, we will cover file server setup. We will discuss Samba for Windows sharing, NFS configuration, and efficient disk management methods.