Thanks for the response. I really should just dive in, but I’ve got this nagging fear that I’m going to forget about some DNS record that will bork my entire mail service. It’s good to hear about some working instances that people are happy with.
Tainted in that the kernel and ZFS have different licenses. Not a functional impairment. I have no way to check a system not using ZFS. For my use case, Debian plus ZFS are PVE’s principal features.
I have synapse server running in docker on a VPS and it’s been pretty reliable. At my office I use it as sort of a self-hosted Slack replacement. For our use case, I don’t have federation enabled, so no experience on that front. It’s a small office and everyone here uses either Element or FuzzyChat on desktop and mobile. It runs behind an nginx reverse proxy and I’ve got SSO set up with Authentik and that’s worked very well. Happy to share some configs if that would be useful.
Have you by any chance documented your PMG set up? I’m also a very happy Mailcow user and spinning up PMG is something I’ve been meaning to tackle for years so I can implement archiving with mailpiler, but I’ve never really wrapped my head around how everything fits together.
Ceph isn’t installed by default (at least it hasn’t been any time I’ve set up PVE) and there’s no need to use ZFS if you don’t want to. It’s available, but you can go right ahead and install the system on LVM instead.
tvcvt@lemmy.ml to networking@sh.itjust.works • Need help with WireGuard load balancing (English) · 3 · 14 days ago
I’ve been pretty happy with NetBird. Definitely worth testing.
tvcvt@lemmy.ml to networking@sh.itjust.works • Need help with WireGuard load balancing (English) · 3 · 14 days ago
Here’s the “how it works” doc for NetBird: https://docs.netbird.io/about-netbird/how-netbird-works.
It uses a signal server for establishing the initial connection and then makes p2p WireGuard tunnels.
Because of your question, I tested disabling the server, which I run on a VPS, and I could still reach all the connected hosts and routes. I didn’t think to try it at the time, but I’m guessing I wouldn’t be able to add new clients while the server is down.
tvcvt@lemmy.ml to networking@sh.itjust.works • Need help with WireGuard load balancing (English) · 4 · 15 days ago
I do this with self-hosted NetBird, but that’s not raw WireGuard. I’ve heard about a few projects that help set up mesh WireGuard topologies, but I haven’t used them directly:
- https://github.com/pilab-cloud/wgmesh
- https://github.com/Dan-J-D/wgmesh
- https://github.com/aschmidt75/wgmesh
- https://github.com/k4yt3x/wg-meshconf
Maybe those would be a good starting point for your own version.
tvcvt@lemmy.ml to Linux@lemmy.ml • Unbound as DNS resolver on a Linux laptop: tips/experiences? · 4 · 17 days ago
Unbound can query the root DNS servers, but it’s also commonly used as a recursive resolver, which just uses a server upstream, similar to systemd-resolved. I use Unbound network-wide, but I have it querying 9.9.9.9 to take advantage of their filtering.
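As an added illustration of the two modes the comment mentions (not the commenter’s own configuration), here is an unbound.conf fragment. The first form forwards everything to 9.9.9.9 as described; commenting out the forward-zone leaves Unbound resolving from the root hints itself. The interface, access-control range and root-hints path are placeholders you would adjust for your network.

```conf
server:
    # Listen on the LAN; only answer the local subnet (placeholder range).
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    # Used only when no forward-zone matches (full recursion from the root).
    # Path is a placeholder; Debian ships the file as /usr/share/dns/root.hints.
    root-hints: "/usr/share/dns/root.hints"
    # Validate DNSSEC answers regardless of which mode is active.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    cache-min-ttl: 60

# Forwarding mode: send every query to Quad9 instead of recursing.
# Remove or comment out this whole block to recurse from the root hints.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
```

With the forward-zone present, `dig @127.0.0.1 example.com` is answered by Unbound but the upstream lookup goes to 9.9.9.9; without it, Unbound walks the delegation chain from the root servers itself. Either way the local cache and DNSSEC validation behave the same, which is the trade-off the comment is pointing at: forwarding buys the upstream’s filtering, full recursion removes the dependency on a third party.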
tvcvt@lemmy.ml to Linux@lemmy.ml • Unbound as DNS resolver on a Linux laptop: tips/experiences? · 5 · 18 days ago
You may already have a local DNS caching mechanism on your computer. I think by default Ubuntu uses systemd-resolved (it does on my desktops anyway). If you check with dig, it’ll show lookups coming from 127.0.0.53. With that in place, your local machine is caching lookup results, and anything it doesn’t know it’s forwarding to the network’s resolver (which it gets via DHCP, usually).
tvcvt@lemmy.ml to networking@sh.itjust.works • Need to do a sustained connectivity test, need recommendation for simple procedure. (English) · 5 · 27 days ago
The thing I like for this purpose is smokeping. It checks basic connectivity on a periodic schedule and records latency over time. I keep it pointed at my ISP’s gateway as well as a number of public sites and services I run to keep tabs on basic network health and to try to pinpoint where issues come from.
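The pattern the comment describes (probe a gateway plus a few remote targets on a schedule, keep latency history, and use the gateway as a reference point to localise faults) is small enough to show in full. The script below is an added example, not smokeping and not the commenter’s setup; it measures TCP connect time so it needs no root privileges, and the target names in `TARGETS` are constructed placeholders.

```python
"""Minimal sustained-connectivity recorder (added example, not smokeping).

Probes each target on a fixed interval, records the TCP connect latency
(None when the connect fails or times out), and summarises loss and
latency per target.  The gateway target doubles as a reference: if it
is lossy the fault is on the local link, if only remote targets are
lossy the fault is further upstream.
"""
import socket
import statistics
import time
from typing import Dict, List, Optional

# Constructed placeholders: replace with your ISP gateway and a few services.
TARGETS = {
    "gateway": ("192.0.2.1", 80),       # documentation range, not a real host
    "public-site": ("example.com", 443),
}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """Return TCP connect latency in milliseconds, or None if unreachable."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return None
    return (time.monotonic() - start) * 1000.0


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile over a small sample (no external deps)."""
    ordered = sorted(values)
    idx = round(pct / 100.0 * (len(ordered) - 1))
    return ordered[max(0, min(len(ordered) - 1, idx))]


def summarize(samples: List[Optional[float]]) -> Dict[str, float]:
    """Loss percentage and latency figures for one target's sample window."""
    sent = len(samples)
    ok = [s for s in samples if s is not None]
    lost = sent - len(ok)
    summary: Dict[str, float] = {
        "sent": sent,
        "lost": lost,
        "loss_pct": (100.0 * lost / sent) if sent else 0.0,
    }
    if ok:
        summary["median_ms"] = statistics.median(ok)
        summary["p95_ms"] = percentile(ok, 95)
        summary["max_ms"] = max(ok)
    return summary


def localize(summaries: Dict[str, Dict[str, float]], gateway: str,
             loss_threshold: float = 5.0) -> str:
    """Rough fault localisation using the gateway as the reference target."""
    if summaries[gateway]["loss_pct"] > loss_threshold:
        return "local link or ISP gateway"
    lossy = sorted(name for name, s in summaries.items()
                   if name != gateway and s["loss_pct"] > loss_threshold)
    if not lossy:
        return "healthy"
    return "upstream of gateway: " + ", ".join(lossy)


def run(targets: Dict[str, tuple], rounds: int = 10,
        interval: float = 5.0) -> Dict[str, Dict[str, float]]:
    """Probe every target `rounds` times, `interval` seconds apart."""
    history: Dict[str, List[Optional[float]]] = {name: [] for name in targets}
    for _ in range(rounds):
        for name, (host, port) in targets.items():
            history[name].append(probe_tcp(host, port))
        time.sleep(interval)
    return {name: summarize(samples) for name, samples in history.items()}


if __name__ == "__main__":
    results = run(TARGETS, rounds=3, interval=1.0)
    for name, summary in results.items():
        print(name, summary)
    print("diagnosis:", localize(results, gateway="gateway"))
```

For real use, append each round's samples to a CSV or a time-series store so the history survives restarts; the point of a sustained test is the trend, not any one probe. Pointing one target at the gateway and the rest beyond it is what lets `localize` distinguish a flapping local link from an upstream outage.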
You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?
The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.
The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.
I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.
That’s a great tip. I’d completely forgotten you can use telnet for that. Thanks!