this post was submitted on 19 Sep 2024
51 points (89.2% liked)

Selfhosted

40183 readers
703 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
51
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
 

After the arrest of Pavel Durov, I wanted to move from Telegram to something end-to-end encrypted. I know Signal is pretty good, but I think it is better to have our messages in my own server.

I have already looked in XMPP, but it required SSL certs and I did not have the mood to configure them.

Do you know any other selfhosted messaging service for a group of 4-5 friends, or an easy way to configure an XMPP server? Or shall I use Signal after all (I don't really care that much about being selfhosted, I just thought it would be more privacy friendly)?

UPDATE: I managed to set up an XMPP server using prosody with the SSL certs. We have been testing it with my friend and it seems to go well.

top 35 comments
sorted by: hot top controversial new old
[–] [email protected] 51 points 1 month ago

If setting up TLS is too much work, better stay with a service. Signal is nice.

[–] [email protected] 27 points 1 month ago (1 children)

SSL certs is so easy with let's encrypt, that really shouldn't be a blocker.

If you want something easy I think you have your answer with Signal

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (4 children)

I know, but for some reason my router does not let me access my domain (with duckdns) when connected to my network. So even if I get certs for the domain, I will not be able to access it. I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don't know if it possible to get certs for that, since it is not a real domain.

EDIT: Fixed it. (See reply for fix)

[–] [email protected] 3 points 1 month ago (1 children)

I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don't know if it possible to get certs for that, since it is not a real domain.

So long as your certs are for your fully qualified domain there's no problem. I do this, as do many people


mydoman.com is fully qualified, but on my own network I override the DNS to the local address. Not a problem at all


DNS is tied to the hostname, not the IP.

[–] [email protected] 3 points 1 month ago (1 children)

Can confirm, I do this as well for my local services (especially important for Jellyfin), I just point my local DNS server at my local IP and everything works perfectly.

[–] [email protected] 1 points 1 month ago (1 children)

Another fun trick you can play is to use a private IP on your public DNS records. This is useful for Jellyfin on Chromecast for instance


it uses 8.8.8.8 for DNS lookup (and ignores your router settings), so it wants a fully qualified domain name. But it has no problem accessing local hosts, so long as it's from 8.8.8.8's record.

[–] [email protected] 1 points 1 month ago (1 children)

I suppose, but then you're kind of screwed if you want to access Jellyfin outside of your network. I suppose you could use a VPN, but it's probably easier to just not use the Chromecast (or just accept that it's going to hit the WAN regardless).

[–] [email protected] 0 points 1 month ago (1 children)

Yeah I don't expose Jellyfin over the Internet, so it doesn't matter for me, and wouldn't work at all over WAN (unless VPN'd to home network).

Also, it's all reverse proxied, and there's nothing preventing having two Jellyfin hostnames, e.g., jf-local.mydomain.com and jf-public.mydomain.com.

[–] [email protected] 2 points 1 month ago (1 children)

Then you're all clear.

I personally want my Jellyfin to be on the WAN, and I have certain devices on my internal network VPN'd to my VPS, which exposes the services I want to access remotely. But if you don't need that, using the local addr in your DNS config totally works. Getting TLS certs will be complicated, but you don't need that anyway if everything is local or over a VPN.

[–] [email protected] 2 points 1 month ago

Getting TLS certs will be complicated

I just use Let's Encrypt with a wildcard domain


same certs for public and private facing domains. I'm sure this isn't best practice, but it's mostly just for me so I'm not too worried :)

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Are you using a *.duckdns.com domain or is that only for Dynamic DNS pointed to something like jelly.domain.com? I'm not sure if you'll be able to get a cert in the former scenario.

Your router won't let you access it because you're trying to connect from your internal network to your external network, so you're just connecting in a loop and not getting routed properly. This could work if you had a firewall that would let you set up a loopback NAT, but my guess is your router won't let you setup NAT rules like that.

You won't be able to get a certificate using a local domain from a public certificate authority (like Let's Encrypt). You would want to define the FQDN you want to use, like jelly.domain.com, and generate the certificate for this domain. You can do this manually with certbot and import the certificate to jellyfin, or put jellyfin behind a reverse proxy like Caddy or Nginx and let it handle automatic renewal for you.

The local DNS entries would then redirect internal requests for jelly.domain.com to your local server, which presents the same certificate for jelly.domain.com regardless of whether you're accessing it via the private or public IP.

A bonus of using something like Caddy is being able to open a single port on your router for every service. I have multiple services all accessed via the same port, and Caddy just reads the requested subdomain (jelly.domain.com, nextcloud.domain.com, etc) to route the traffic to the corresponding local server. This lets it handle every cert for all services with no manual steps needed for any of them after the initial setup, and reduces your attack surface by only having one port open.

[–] [email protected] 1 points 1 month ago

I managed to fix this problem by pointing my domain name to my private IP address (with pihole's local DNS entries), so I could access it. Then, I just got certs for the domain and applied them with nginx.

[–] [email protected] 1 points 1 month ago

Why not use a different DDNS service? There are plenty out there. :) I think this may solve your issue. I've been using freemyip.com''s for a while and have had no problem in the past issusing LetsEncrypt SSL's. At the moment, I'm on Cloudflare tunnels so it's automatic with them, which I know is a huge trust issue for a lot of people, but I don't mind it for my stuff. But I do like to have my DDNS as a backup service from time to time.

[–] [email protected] 17 points 1 month ago* (last edited 1 month ago)

Most people use either Matrix or XMPP. Both work.

There is a nice overview of chat protocols here: https://www.messenger-matrix.de/

I mostly use matrix as of today. I think it's alright. It's a bit difficult to explain encryption and device verification to other people... I think that could be designed better. But apart from that it works very well. So does XMPP which I've used before that. Have a look at the messenger matrix and all the options before deciding on an ecosystem. I'd take one of the friends and do some evaluation before dragging the whole group in. You can do that with some pre-existing servers before learning how to host the server part.

And btw: With most of them you can just use some public servers. You should do that unless you're willing to put in the effort to maintain an own server. That'd give you complete control over the infrastructure... But it's also a liability to maintain a server, do the updates etc for a group of friends and maybe years to come... End to end encryption will keep the content of your messages private, anyways. (If you use it.)

[–] [email protected] 11 points 1 month ago

Use XMPP. Thanks to Let's Encrypt being implemented in basically every reverse proxy, setting it up is a matter of seconds.

[–] [email protected] 10 points 1 month ago

Signal is more likely to have more mass appeal. Matrix can bridge just about anything but is (IMHO) a pain to setup the first time. XMPP is reliable and available just about anywhere. I use the first two.

Ask your friends though.

[–] [email protected] 10 points 1 month ago* (last edited 1 month ago) (1 children)

Simplex is an option, you can host your own servers and it has crossplatform GUI + CLI

I think it's pretty cool, and it's pretty easy to set up (there are a lot of options you may wanna look at though)

https://simplex.chat/

https://github.com/simplex-chat/simplex-chat

[–] [email protected] 1 points 1 month ago (1 children)

It's hell on ram for Android, unfortunately.

Still, looks very promising

[–] [email protected] 2 points 1 month ago

ya the desktop gui is pretty ram hungry as well. It's not perfect but weighing the pros and cons of all available options I have come to like and appreciate simplex quite a bit. The client has also gotten a lot better recently.

The main downside on android for me is the battery drain but I think that is a consequence of me not using google push notifications

[–] [email protected] 10 points 1 month ago

something end-to-end encrypted.

required SSL certs and I did not have the mood to configure them.

...right...

Did you look into snikket? It's XMPP-in-a-box.

[–] [email protected] 8 points 1 month ago

TL;DR - use Signal.

Re: self-hosting -- go for it! The DIY route is an excellent learning experience, so this is the way to go if you want your own privacy-friendly chat service. There's quite a lot to achieving "privacy" and "security" though (heck, even defining these is challenging)... have you self-hosted before? How important are service quality / speed / reliability, backups, mobile + desktop? Will the folks you want to chat with use/like it too?

Re: Signal -- definitely check out this app as well. They (the Signal Foundation) take privacy very seriously. Messages are only stored on devices running Signal, and they are ephemeral by default. Actually, that's a good thing to consider: How important are durable / offline archives of your chats, useful with other tools (like grep?). Signal makes offline archiving difficult by design (for the sake of security/privacy).

Note that Signal is technically self-hostable, but I gather this is very difficult.

I self-host Nextcloud and I use Talk. I don't love it, but I do find it useful for some things. Flipping on Nextcloud is pretty easy, but it is challenging to make it secure, reliable, fast, etc. And you still have to convince others to use it.

[–] [email protected] 7 points 1 month ago

https://snikket.org/ is the easy to configure XMPP server, but it still needs SSL certificates. But that's fairly easy to do with Snikket AFAIK.

Or you could simply ask the Snikket developers to host a server for you for a small fee. If you are US or Canada based https://jmp.chat/ is also a great service, and it includes a free Snikket server as an add-on.

[–] [email protected] 7 points 1 month ago (1 children)
[–] [email protected] 2 points 1 month ago

IMO, Briar is the best option. I recently started a project to connect users in the Briar private groups and forums. We just need to get enough users active to get the network effect working for us and not against us.

[–] [email protected] 2 points 1 month ago
[–] [email protected] 2 points 1 month ago

I hear XMPP through Snikket is pretty easy. I just used prosody though

[–] [email protected] 2 points 1 month ago

i was trying to find a link to Apache's chat server that we used to power cruise ship chat applications w/out internet. i didn't find it but this list i found has some neat projects listed, so i thought i would share that at least: https://medevel.com/26-os-chat-servers/ (no affiliation)

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
XMPP Extensible Messaging and Presence Protocol ('Jabber') for open instant messaging
nginx Popular HTTP server

[Thread #980 for this sub, first seen 19th Sep 2024, 20:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 1 month ago (1 children)

Rocket.chat could be an option

[–] [email protected] 1 points 1 month ago (1 children)

I used this for a while. Notifications were lackluster on Samsung phones.

[–] [email protected] 1 points 1 month ago (1 children)

What should notifications be like instead?

[–] [email protected] 1 points 1 month ago

Well, Samsung would kill the app when it was in the background, so notifications would only appear when you explicitly opened the app.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

I have already looked in XMPP, but it required SSL certs and I did not have the mood to configure them.

There are definitely XMPP clients that do end-to-end encryption that do not rely on TLS for key exchange, though.

https://en.wikipedia.org/wiki/Off_the_record_messaging

Off-the-record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.

The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".[1]

I've used Pidgin with the libOTR plugin that implements that protocol.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

These days I think OMEMO is a better choice than OTR, if your client supports it.

[–] [email protected] 1 points 1 month ago