Advantages of Hosting My Own Network Services

Trusting my network security and services to my Internet Service Provider (ISP) offers convenience through their Domain Name System (DNS) services and simplified network management. Additionally, third-party Virtual Private Network (VPN) providers like ExpressVPN offer critical traffic encryption, especially when using public networks such as those in coffee shops and airports. However, relying on my ISP and a third-party VPN provider raises concerns:

  • Trusting these for-profit companies not to collect and share my internet queries and traffic with advertisers.
  • Having limited control over my local network’s performance and security.

By self-managing these services, I can control access to my personal information, encrypt traffic, and customize DNS query filtering, among other benefits. My primary self-hosted services include:

  • Unifi (Local Network Management)
  • Pi-Hole and unbound (DNS filtering and resolution)
  • Wireguard (VPN Server for encrypted traffic and internal resource access)

This blog entry reviews my hardware, software, and implementation choices for running these services.

Raspberry Pi: My Ideal Hardware

The Raspberry Pi is a small single-board computer that is well-suited for my self-hosted services. Outside of the chip shortage during the COVID pandemic, they are widely available and inexpensive, ranging from ~$15 to $60 USD. This affordability allows me to keep spare units in case of hardware failure. Although small, Raspberry Pis have the ports I need (HDMI, 1 Gbps Ethernet, USB 2.0 and 3.0, USB-C) and can run various Linux distributions (I tend to stick to Raspberry Pi OS). They are widely used in the open-source community for everything from educational projects to commercial applications (a search on the Raspberry Pi subreddit with the flair “A Wild Pi Appears” will showcase their extensive use). Additionally, their ARM-based processors are increasingly practical as more software is built for ARM machines.

Containerization for Network Service Lifecycle Management

The software powering my network services requires various dependencies (libraries, configuration files, etc.). Even with automation tools like Ansible, managing these services’ upgrade lifecycle could be tedious and prone to misconfiguration, potentially causing service disruptions. To mitigate these risks, I run all my services as containers. A container is an isolated, portable unit of software that packages an application and its dependencies, allowing it to run consistently in almost any computing environment. Container images are immutable, meaning a running container is not patched in place. Upgrading software involves replacing one container with one built from a more recent image, making it easy to upgrade or downgrade as needed.

Each of the services I run is powered by a frequently updated, well-maintained container image:

When running these services, I point each container to a separate storage volume (the storage on the server itself). If a container crashes or needs to be stopped/upgraded, the long-term data will persist. When the container restarts, it can access the data on the storage volume as if it never left. Decoupling my data from the application simplifies the backup process when rebuilding a server from scratch in case of hardware or software failure.

Web Management of Containers with Portainer

For my simple home network, I have no need for a complicated container orchestration platform like Kubernetes. While the container runtime Docker Engine is running in the background, Portainer Community Edition provides everything I need to manage services on my small network. I can manage all my containers, storage volumes, container images, and other artifacts through a GUI (Graphical User Interface):

I can easily upgrade a container image with a couple of clicks (I could do this with an Ansible playbook but prefer to keep this a manual process as I upgrade sparingly). If I need to access the container’s Command Line Interface (CLI), I can do so with a single click:

I might do this if I want to confirm what VPN clients (my phone or laptop) are actively connected to my Wireguard VPN server.

The Network Services

Pi-Hole

Pi-Hole is conceptually simple, but it may add the most value of all of these services because it filters Domain Name System (DNS) requests from every device that uses it. Although not with 100% accuracy, it intercepts a significant portion of known ad-service domains and prevents their content from being downloaded or displayed. If I’m reading online news articles, I no longer have to wade through an avalanche of pop-ups and unwanted advertisement videos, and my particularly chatty Smart TVs are prevented from retrieving ads when I want to watch live television. I also preclude the need to use my ISP-provided DNS servers, reducing the data they can collect on my household and sell to third parties.

Below is the GUI for my Pi-Hole instance, showing the total number of DNS queries over a 24-hour period, the percentage of queries blocked, and the total number of domains on my blocklist. I have only 7 active clients because I run Pi-Hole as an opt-in service rather than having clients receive it automatically as their resolver via Dynamic Host Configuration Protocol (DHCP).

Several community-sourced lists exist to block ads without disrupting normal internet activity. I choose the green-colored lists from The Big Blocklist Collection, equating to over 1 million domains blocked by Pi-Hole. In rare cases where a domain is blocked incorrectly, I can whitelist it within the Pi-Hole GUI.
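A quick way to verify from a client that Pi-Hole is actually the resolver in use and that a given name is being filtered is to send it a raw DNS query and inspect the answer. The script below is an added example, not code from the original post or from the Pi-hole project: it encodes an A-record question in DNS wire format, parses the reply, and classifies it as sinkholed (Pi-hole’s default blocking mode answers 0.0.0.0 / ::), NXDOMAIN, or allowed. The Pi-hole address, the test names, and the 2-second timeout are assumptions; change them for your network.

```python
import random
import socket
import struct

# Assumed address of the Pi-hole on the home LAN; replace with your own.
PIHOLE_ADDR = ("192.168.1.2", 53)
# Pi-hole's default (NULL) blocking mode answers with these addresses.
SINKHOLE_ADDRESSES = {"0.0.0.0", "::"}


def build_query(name: str, txn_id: int) -> bytes:
    """Encode one A-record question in DNS wire format (RFC 1035)."""
    # Flags 0x0100: standard query with recursion desired; one question.
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Extract the response code and any A/AAAA addresses from a DNS reply."""
    txn_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch; reply is not for our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": rcode, "addresses": addresses}


def classify(result: dict) -> str:
    """Decide what the resolver did with the name."""
    if result["rcode"] == 3:
        # Only a block if Pi-hole runs in NXDOMAIN mode; otherwise the name may not exist.
        return "nxdomain"
    if result["addresses"] and all(a in SINKHOLE_ADDRESSES for a in result["addresses"]):
        return "blocked (sinkhole)"
    if result["rcode"] == 0:
        return "allowed"
    return f"error (rcode {result['rcode']})"


def check_domain(name: str, server=PIHOLE_ADDR, timeout: float = 2.0) -> str:
    """Query the resolver directly over UDP and classify its answer."""
    txn_id = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn_id), server)
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data, txn_id))


if __name__ == "__main__":
    # Constructed test names; substitute a domain from your blocklist.
    for domain in ("example.com", "ads.example.invalid"):
        print(f"{domain}: {check_domain(domain)}")
```

Because the query goes straight to the Pi-hole address rather than through the OS resolver, a "blocked" result for a known ad domain confirms both that the blocklist is working and that nothing on the path (a DHCP-pushed resolver, a browser’s DNS-over-HTTPS setting) is bypassing it for that client.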

Unifi Controller

The Unifi Controller is a software network management system that provides centralized management for all Unifi network devices. It can be accessed via a computer or through iOS, iPadOS, and Android apps. The iOS app is pictured below:

For my switch, the controller allows me to visually see which ports are occupied, identify connected devices, and view the VLAN assigned to each port.

For my wireless network, I can configure multiple Service Set Identifiers (SSIDs), determine which access points broadcast these SSIDs, and monitor the devices connected to each SSID. Additionally, the controller performs nightly scans of the 2.4 GHz and 5 GHz channels to minimize interference from neighboring networks.

Additionally, I can schedule maintenance tasks and monitor event and activity logs, allowing me to be proactive in optimizing my network performance. Lastly, I will be able to upgrade my Unifi hardware over the years as wireless standards improve or if I need faster switch ports, while maintaining the same configurations.

Home Assistant

I’ll save Home Assistant details for a separate entry, but it’s an open-source home automation platform that integrates with almost any smart home device, making it an ideal center for running practical home automations.

WireGuard

WireGuard is a modern, open-source VPN protocol designed to be simple to set up and secure, and it often provides faster speeds and lower latency than other VPN protocols. The WireGuard server allows me to securely access services in my home when I’m away, without exposing those services on well-known ports that attackers routinely probe (WireGuard itself listens on a single UDP port and stays silent to packets that fail its handshake authentication):

  • My mobile devices use Pi-Hole as the DNS server when connected to WireGuard VPN, giving me the same ad blocking experience on the go as when I’m at home.
  • I can manage my Unifi Controller and access Home Assistant even when I’m out and about.
  • I do much of my development on a Raspberry Pi at home, and with WireGuard, I can do my development from anywhere.
  • If I want to watch my home movie library as I travel, I can do it by setting up a site-to-site VPN between a travel router and my WireGuard server, and use an Amazon Firestick to run the Jellyfin app.
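The check mentioned earlier under Portainer, confirming which VPN clients are actually connected, can be done without the GUI by reading the machine-readable output of `wg show wg0 dump`. The script below is an added example, not code from the original post or from the WireGuard project: it parses that tab-separated format (interface line, then one line per peer), reports peers whose last handshake is recent enough that WireGuard still considers the session live (the protocol rejects sessions older than 180 seconds), and flags peers that have never completed a handshake, which is worth a periodic review of the peer list. The interface name `wg0`, the sample dump, and the placeholder keys are constructed; a real dump needs root and is only produced on the VPN host.

```python
import subprocess
import time

# WireGuard discards a session whose last handshake is older than this (seconds).
REJECT_AFTER_TIME = 180

# Constructed sample of `wg show wg0 dump` output with placeholder keys.
# Line 1: private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
#             latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive.
NOW = 1_700_000_000  # assumed "current" time for the sample
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff\n"
    f"PHONE_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.7:41641\t10.8.0.2/32\t{NOW - 45}\t1048576\t4194304\t25\n"
    "LAPTOP_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n"
    f"ROUTER_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.9:51820\t10.8.0.4/32,192.168.50.0/24\t{NOW - 600}\t73400320\t209715200\t25\n"
)


def parse_dump(text: str) -> list:
    """Turn the dump's peer lines into dicts; the interface line is skipped."""
    lines = [line for line in text.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
        })
    return peers


def active_peers(peers: list, now: int, max_age: int = REJECT_AFTER_TIME) -> list:
    """Peers that handshook within max_age seconds: the sessions WireGuard still honours."""
    return [p for p in peers
            if p["latest_handshake"] and now - p["latest_handshake"] <= max_age]


def never_connected(peers: list) -> list:
    """Configured peers that have never completed a handshake (stale or unused keys)."""
    return [p for p in peers if p["latest_handshake"] == 0]


def report(peers: list, now: int) -> list:
    """One human-readable line per peer, keyed by its first allowed IP."""
    lines = []
    for p in peers:
        ip = p["allowed_ips"][0]
        if p["latest_handshake"] == 0:
            lines.append(f"{ip}: never connected")
            continue
        age = now - p["latest_handshake"]
        state = "active" if age <= REJECT_AFTER_TIME else "idle"
        lines.append(f"{ip}: {state}, last handshake {age}s ago, "
                     f"from {p['endpoint']}, rx {p['rx_bytes']} tx {p['tx_bytes']}")
    return lines


def load_dump(interface: str = "wg0") -> tuple:
    """Read the live dump if `wg` is available, else fall back to the sample."""
    try:
        out = subprocess.run(["wg", "show", interface, "dump"],
                             capture_output=True, text=True, check=True).stdout
        return out, int(time.time())
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_DUMP, NOW


if __name__ == "__main__":
    dump, now = load_dump()
    peers = parse_dump(dump)
    for line in report(peers, now):
        print(line)
    print(f"{len(active_peers(peers, now))} active, "
          f"{len(never_connected(peers))} never connected")
```

Run it on the VPN host (as root, since `wg show` needs it) to get the same answer the Portainer console would give; the sample data makes it run anywhere for inspection. Mapping peers by allowed IP rather than public key is what makes the output readable when the peers are your own phone, laptop and travel router.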

Conclusion

Managing my own network services has enabled me to achieve a level of control, security, and customization that would not be possible by relying on my ISP or third-party providers. The use of Raspberry Pi hardware has proven to be a cost-effective and flexible platform for hosting these services, while containerization has simplified the management and upgrading of the software components. Tools like Portainer have made it easy to manage and monitor these services, ensuring they run smoothly and efficiently.

With Pi-Hole, I have significantly improved my browsing experience by blocking ads and protecting my privacy. The Unifi Controller has enabled me to manage my network devices with ease, optimizing performance and ensuring seamless connectivity. WireGuard has provided a secure and reliable way to access my home network from anywhere, enhancing my productivity and convenience.

Overall, the decision to self-host my network services has proven to be highly beneficial, offering me greater autonomy and peace of mind. Stay tuned for more discussions on the tools and strategies I use to maintain and enhance my home network.