The Complete Guide to Self-Hosting in 2026
Everything you need to know about self-hosting your applications — from choosing services to exposing them safely.
Self-hosting gives you full control over your data and services. This guide covers everything you need to get started — especially how to expose your services to the internet safely.
Why Self-Host?
- Privacy — Your data stays on your hardware
- Control — Customize everything to your needs
- Cost — Often cheaper than SaaS subscriptions at scale
- Independence — No vendor lock-in, no ToS changes
Popular Services to Self-Host
| Service | What it does | Default Port |
|---|---|---|
| Jellyfin | Media streaming (movies, TV, music) | 8096 |
| Immich | Photo & video backup (Google Photos alternative) | 2283 |
| Nextcloud | File sync, calendar, contacts | 443 |
| Ollama | Local AI/LLM inference server | 11434 |
| Vaultwarden | Password manager (Bitwarden compatible) | 8080 |
| Home Assistant | Smart home automation | 8123 |
| Gitea | Self-hosted Git (GitHub alternative) | 3000 |
The Challenge: Exposing Services
Running services on your home network is easy. Making them accessible from outside is where it gets complicated:
The Traditional Way (Hard)
- Get a static IP or set up dynamic DNS
- Configure port forwarding on your router
- Set up a reverse proxy (nginx, Caddy, Traefik)
- Get SSL certificates (certbot, Let’s Encrypt)
- Configure a firewall
- Set up DDoS protection
- Hope your ISP doesn’t block ports or use CGNAT
The CGNAT Problem
Many ISPs now use Carrier-Grade NAT (CGNAT), which means you share a public IP with other customers. Port forwarding simply doesn’t work. Traditional self-hosting guides fall apart at step 2.
The HomeGate Way (Easy)
- Sign up for HomeGate
- Install Tailscale on your home server
- Add your service in the dashboard
- Your service is live with HTTPS
No port forwarding. No static IP. No nginx config. Works behind CGNAT.
How HomeGate Works
HomeGate is a reverse proxy that connects to your home server via Tailscale:
Internet → HomeGate Proxy (SSL + DDoS protection) → Tailscale Tunnel → Your Home ServerYour home IP is never exposed. Visitors connect to our infrastructure, and we securely tunnel the traffic to your services.
Custom Domains
Every service gets a free *.homegate.sh subdomain. To use your own domain:
jellyfin.example.com CNAME your-id.homegate.shSSL certificates are provisioned automatically. No certbot, no renewal scripts.
Security Best Practices
Even with HomeGate handling the proxy layer, good security hygiene matters:
On Your Home Server
- Keep your OS and Docker images updated
- Use strong passwords for all services
- Enable 2FA where supported (Nextcloud, Vaultwarden, Gitea)
In HomeGate
- Use IP allowlisting to restrict access to known IPs
- Use header authentication for services that support it
- Monitor bandwidth for unusual activity
Getting Started
The fastest path from zero to a publicly accessible self-hosted service:
- Create a HomeGate account
- Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh - Add your service in the dashboard (name + port)
- Connect with the auth key HomeGate provides
- Access your service at
https://your-id.homegate.sh
You’ll be live in under 5 minutes.