Silly Questions From A First Timer

I’m thinking of trying out Freedom Box but I have some questions first.

Reading on here I’ve just learned of pagekite.net, how secure and private is it? Is it better than opening ports on my router or creating a DMZ? What other ways are there to expose services to the WAN?

When you first start Freedom Box, are any of the services already enabled? Will I have to turn anything off to make it more secure?

Reading on here I’ve just learned of pagekite.net, how secure and private is it? Is it better than opening ports on my router or creating a DMZ?

AFAIK it is a tunneling service so all traffic goes through them and you need to trust them.

What other ways are there to expose services to the WAN?

  • Opening ports on my router or creating a DMZ
  • Using Tor to expose services
  • Perhaps I2P(eepsites)?
  • If by WAN you don’t mean the whole Internet, but a limited audience, then you can use OpenVPN or WireGuard for VPN.

The DNS can be owned (rented) over either static IP or dynamic.

When you first start Freedom Box, are any of the services already enabled?

No.

Will I have to turn anything off to make it more secure?

That depends on your requirements. For usual personal privacy, no. Freedom activists fighting their dictators ought to go further.

Thanks for the reply!

If I do it that way will it be like the other devices are connected to my local network? I’m hoping to set up a way for my family to chat and share files but I don’t particularly want their Android devices to have more access to my network than is necessary!

And yes, I only require normal person privacy levels :slight_smile:

Zerotier works better for me. It is free for personal use (I think for up to 32 network nodes) and works on all major operating systems, some NAS boxes and some routers. I have T-Mobile residential internet (Nokia router), which is notoriously difficult for situations needing inbound connections from the WAN. Both Zerotier and Pagekite work for me, but Zerotier gives me more configuration flexibility.

Thanks, I’ll have a look at it!

I have been using freedombox for maybe a couple of years directly exposed to WAN/Internet with no security issue I’m aware of.

Mainly you will observe automated ssh attacks which are controlled by freedombox using fail2ban. This will limit the number of attempts allowed from a given IP address to only a few before the connection attempts are just ignored by freedombox. It seems to work well, but does log lots of scary looking messages for all the script-kiddies trying to log in as root.

I’ll keep that in mind if I get lots of stuff in my logs!

I’ve decided to go with pagekite for now since it’s already in FreedomBox and it seems to be working alright.

Here’s another question if anyone knows the answer, how can you use different pagekite addresses to point to different services? For example instead of using myname.pagekite.me/bepasty I could use bepasty-myname.pagekite.me (and similar for Matrix etc.).

I can’t say for pagekite, but Apache virtual hosts do what you describe. You can map a service to a virtual hostname on your fb:

I’m not experienced with pagekite, but in general the answer is that yes, you can do this. Maybe with pagekite, or certainly with some Apache configuration. If you look here, in freedombox doco, or on freedombox debian wiki you’ll find something along these lines.

Thanks for that suggestion @joseph, it seems to be just what I was looking for.

After quite a bit of reading about virtual hosts I still can’t figure out how to get it working though! Can anyone help?

I had a file /etc/apache2/sites-available/share.mydomain.com.conf that contained:

Use FreedomBoxTLSSiteMacro share.mydomain.com

I replaced that with:

<VirtualHost *:*>
ServerName share.mydomain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/tester
ErrorLog ${APACHE_LOG_DIR}/share-error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The file is symlinked in sites-enabled.
I’ve restarted apache2.
/var/www/html/tester has execute access for everyone.
tester contains a file called index.html that has read access for everyone.
share-error.log is empty.
apachectl configtest says the syntax is OK.

When I visit share.mydomain.com it still just loads plinth. What I want to do eventually is have it go straight to the bepasty web client; I’m just using /var/www/html/tester until I can figure out how to get it working.

Are you sure this is the right file? I recently set up a virtual host in Apache for a slightly different purpose (proxying traffic for a specific domain to another device, here), and that configuration was done in /etc/apache2/sites-enabled/000-default.conf.

Most things I read about it suggested putting it in a separate url.conf file for convenience. I’ve changed share.mydomain.com.conf back to what it was before and tried adding the VirtualHost stuff at the top then the bottom of 000-default.conf. The URL still points to plinth.

I was reading through this post, and found this small section that implies traffic to the home page should be getting redirected to Plinth (on purpose):

4.2.3. How to have a homepage on https://freedombox.local/ or the public IP

  • The default page is set on your machine in /etc/apache2/conf-available/freedombox.conf (the RedirectMatch). You can configure this file to make freedombox.local direct to a specific landing page. It will redirect any connections that don’t specify a /path.

I took a peek at /etc/apache2/conf-available/freedombox.conf , but the way this mechanism is implemented is a little beyond my grasp.

## Redirect traffic on home to /plinth as part of turning the machine
## into FreedomBox server.  Plinth then acts as a portal to reach all
## other services.
##
RedirectMatch "^/$" "/plinth"
RedirectMatch "^/freedombox" "/plinth"

Probably best not to mess with it anyway–the file has a warning at the top that basically says “don’t touch!”

Can you try adding a /path to your domain, such as “share.mydomain.com/pastebin”?
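As an added illustration (not code from this thread or from the FreedomBox project), here is a small Python scanner that separates RedirectMatch directives at server scope from those inside a VirtualHost, run over constructed config text modelled on the two snippets quoted above. It assumes the Debian layout in which conf-enabled/*.conf is included at server scope, so its directives are inherited by every VirtualHost, which is why "/" on the new hostname still lands on /plinth while a "/path" does not.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files modelled on the snippets quoted in this thread;
# they are not copied from a real FreedomBox install. A file in conf-enabled
# is included at server scope, so its directives apply to every vhost.
SAMPLE_CONFIGS: Dict[str, str] = {
    "/etc/apache2/conf-enabled/freedombox.conf": (
        "## Redirect traffic on home to /plinth\n"
        'RedirectMatch "^/$" "/plinth"\n'
        'RedirectMatch "^/freedombox" "/plinth"\n'
    ),
    "/etc/apache2/sites-enabled/share.mydomain.com.conf": (
        "<VirtualHost *:*>\n"
        "ServerName share.mydomain.com\n"
        "DocumentRoot /var/www/html/tester\n"
        'RedirectMatch "^/old$" "/tester"\n'  # constructed vhost-scope directive
        "</VirtualHost>\n"
    ),
}

# RedirectMatch [status] regex target, with or without quotes
DIRECTIVE = re.compile(
    r'^RedirectMatch\s+(?:(?:permanent|temp|seeother|gone|\d{3})\s+)?'
    r'"?(\S+?)"?\s+"?(\S+?)"?\s*$', re.I)

Redirect = Tuple[str, str, str]  # (scope, regex, target)

def find_redirects(text: str) -> List[Redirect]:
    """List every RedirectMatch in one file. scope is the ServerName of the
    enclosing <VirtualHost>, or 'server' when the directive is outside one."""
    found: List[Redirect] = []
    in_vhost, vhost_name, pending = False, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost, vhost_name, pending = True, "<unnamed vhost>", []
        elif re.match(r"</VirtualHost>", line, re.I):
            found.extend((vhost_name, r, t) for r, t in pending)  # name known now
            in_vhost = False
        elif in_vhost and (m := re.match(r"ServerName\s+(\S+)", line, re.I)):
            vhost_name = m.group(1)
        elif m := DIRECTIVE.match(line):
            if in_vhost:
                pending.append((m.group(1), m.group(2)))
            else:
                found.append(("server", m.group(1), m.group(2)))
    return found

def server_scope_redirect(configs: Dict[str, str], request_path: str) -> Optional[Redirect]:
    """First server-scope RedirectMatch whose regex matches the request path;
    Apache merges these into every vhost, so they fire for share.mydomain.com too."""
    for path, text in configs.items():
        for scope, regex, target in find_redirects(text):
            if scope == "server" and re.search(regex, request_path):
                return (path, regex, target)
    return None
```

Running `server_scope_redirect(SAMPLE_CONFIGS, p)` for "/" and "/freedombox" reports the freedombox.conf rule, while "/pastebin" returns None, matching what the thread observed.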

Thanks for looking into it @BluishHumility, don’t think I’ll try messing with that then! Adding the path to the end does work fine so I’ll just stick with that :slightly_smiling_face: