The Router Problem

Summary
Many of the apps supplied in FreedomBox require that you open a hole (a port) in your router, which is potentially a security problem. It is also a problem for the user, as this is not the easiest thing to do, and each router does it differently.

Problem
There are really three different kinds of access which the FreedomBox applications might need. I will call them family, community and world. As an example of “family”, I might use the Radicale and Syncthing apps to back up my smartphone, but only when I am at home on my LAN, never when I am out in the world. As an example of “community”, I might use Infinoted to collaborate with specifically selected individuals (my community). And BitTorrent, Privoxy, and Tor only make sense in the “world” context.
Others may choose to use the same apps with different access, for example choosing to connect to their Radicale calendar from anywhere on the internet, not just when they are at home.
For ease of use, I wish there were a slide switch that I could set for family, community, or world (for each applicable app), and that setting the switch would automatically configure the router, opening ports as needed.
There is also a second problem with a personal home server. It is specifically prohibited by my ISP’s Acceptable Use Policy (AUP), which states that I may not “use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network.” Most ISPs prohibit personal servers in your home.

Solution
I see several possible solutions. My favorite would be to incorporate router software into the FreedomBox so that we could have that slider switch I mentioned and have the installation of an app also set up the router software, opening ports as necessary. However, this solution creates its own problems: first, it ignores the AUP issue; second, it requires a Box with at least two Ethernet ports; and third, I don’t know of any Debian-based router software, although there may well be one.
The solution that I will probably adopt is to eliminate the “Box”: I would have some of the software, like Privoxy, run as add-ons on my router, and some of the software, like Radicale, run on a VM inside my firewall.
The third possible solution is a hosted solution. I could put the entire FreedomBox distro onto a VPS (a virtual private server), like Linode or DigitalOcean. (No, I am not affiliated with either company.) To me it makes sense to put an internet server in a “server farm” with redundant high-speed connections and power supplies. I also don’t have a problem with creating a free blog on WordPress.com, as long as I mean for the world to see my blog. I am just very careful about what I want the world to see. That is why I don’t like opening router ports.
I really appreciate the FreedomBox team putting together the list of apps, but I am not at all sure I will be using them as an integrated distribution on a single box. I would like to, because I think the idea of a “box” that you simply plug in, and use to control and protect all your own data, is a great idea. I am just not sure how it can be implemented, because I can’t get around the router and AUP problems.