The Complete Guide to Self-Hosting in 2026
Everything you need to know about self-hosting your applications, from choosing services to exposing them safely.
Self-hosting gives you full control over your data and services. This guide covers everything you need to get started, especially how to expose your services to the internet safely.
Why Self-Host?
- Privacy. Your data stays on your hardware.
- Control. Customize everything to your needs.
- Cost. Often cheaper than SaaS subscriptions at scale.
- Independence. No vendor lock-in, no ToS changes.
Popular Services to Self-Host
| Service | What it does | Default Port |
|---|---|---|
| Jellyfin | Media streaming (movies, TV, music) | 8096 |
| Immich | Photo & video backup (Google Photos alternative) | 2283 |
| Nextcloud | File sync, calendar, contacts | 443 |
| Ollama | Local AI/LLM inference server | 11434 |
| Vaultwarden | Password manager (Bitwarden compatible) | 8080 |
| Home Assistant | Smart home automation | 8123 |
| OpenClaw | Self-hosted AI agent (WhatsApp, Telegram, Discord) | 3080 |
| Gitea | Self-hosted Git (GitHub alternative) | 3000 |
The Challenge: Exposing Services
Running services on your home network is easy. Making them accessible from outside is where it gets complicated:
The Traditional Way (Hard)
- Get a static IP or set up dynamic DNS
- Configure port forwarding on your router
- Set up a reverse proxy (nginx, Caddy, Traefik)
- Get SSL certificates (certbot, Let’s Encrypt)
- Configure a firewall
- Set up DDoS protection
- Hope your ISP doesn’t block ports or use CGNAT
The CGNAT Problem
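Many ISPs now use Carrier-Grade NAT (CGNAT), which means you share a public IP with other customers. Port forwarding on your own router cannot work in that case, because the public address sits on the ISP's NAT device rather than on your router. Traditional self-hosting guides fall apart at step 2 (port forwarding).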
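To find out whether this applies to your connection, compare the WAN address your router reports with the public address an outside service sees for you. The script below is an added example, not code from HomeGate or Tailscale; its function names are hypothetical, and it assumes you read both addresses yourself and pass them in.

```shell
#!/bin/sh
# Added example (not HomeGate or Tailscale code); function names are hypothetical.

# Dotted-quad IPv4 -> integer on stdout; returns 1 on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_range <ip_int> <network> <prefix_len>: true when the address is inside the CIDR block.
in_range() {
    net=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $1 & mask )) -eq $(( net & mask )) ]
}

# classify_wan <router_wan_ip> [public_ip_seen_from_outside]
classify_wan() {
    wan=$(ip_to_int "$1") || { echo invalid; return 0; }
    if in_range "$wan" 100.64.0.0 10; then
        echo cgnat          # RFC 6598 shared address space: the ISP NATs you
    elif in_range "$wan" 10.0.0.0 8 || in_range "$wan" 172.16.0.0 12 ||
         in_range "$wan" 192.168.0.0 16; then
        echo double-nat     # RFC 1918: another NAT device sits upstream of the router
    elif [ -n "${2:-}" ] && [ "$1" != "$2" ]; then
        echo nat-mismatch   # WAN looks public but the outside sees a different address
    else
        echo public         # port forwarding can work
    fi
}

# Stand-alone use: ./wan-check.sh <router_wan_ip> [public_ip]
if [ $# -ge 1 ]; then classify_wan "$1" "${2:-}"; fi
```

Pass it the address from the router's WAN status page, not the home server's Tailscale address: Tailscale also assigns node addresses from 100.64.0.0/10, so that address would always classify as `cgnat`.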
The HomeGate Way (Easy)
- Sign up for HomeGate
- Install Tailscale on your home server
- Add your service in the dashboard
- Your service is live with HTTPS
No port forwarding. No static IP. No nginx config. Works behind CGNAT.
How HomeGate Works
HomeGate is a reverse proxy that connects to your home server via Tailscale:
Internet → HomeGate Proxy (SSL + DDoS protection) → Tailscale Tunnel → Your Home Server
Your home IP is never exposed. Visitors connect to our infrastructure, and we securely tunnel the traffic to your services.
Custom Domains
Every service gets a free *.homegate.sh subdomain. To use your own domain:
jellyfin.example.com CNAME your-id.homegate.sh
SSL certificates are provisioned automatically. No certbot, no renewal scripts.
Security Best Practices
Even with HomeGate handling the proxy layer, good security hygiene matters:
On Your Home Server
- Keep your OS and Docker images updated
- Use strong passwords for all services
- Enable 2FA where supported (Nextcloud, Vaultwarden, Gitea)
In HomeGate
- Use IP allowlisting to restrict access to known IPs
- Use header authentication for services that support it
- Monitor bandwidth for unusual activity
Getting Started
The fastest path from zero to a publicly accessible self-hosted service:
- Create a HomeGate account
- Install Tailscale:
  curl -fsSL https://tailscale.com/install.sh | sh
- Add your service in the dashboard (name + port)
- Connect with the auth key HomeGate provides
- Access your service at https://your-id.homegate.sh
You’ll be live in under 5 minutes.