Devices that are used for self-hosting applications will be referred to as "Servers on the Edge". Servers on the Edge connect as nodes to a WireGuard virtual private network (VPN), which allows the self-hosted applications running on these servers to be exposed to the Internet via other nodes in the VPN that have public, static IP addresses.
We refer to this second type of VPN node as "Internet Gateways". They route incoming and outbound TCP and UDP packets from the Internet into the VPN and vice versa.
The diagram below draws the network topology of the Edge and illustrates the use of a WireGuard VPN for exposing self-hosted applications to the Internet.
Devices on The Edge, e.g. ones running in residential areas, are often behind network address translation (NAT). They do not have public IP addresses. How can we make sure that applications running on Edge devices will be accessible and addressable on the Internet?
ngrok used to have an open source version that could be self-hosted. Conceptually, we needed something similar to ngrok, but open source and with more reliable connections. There are also other commercial offerings similar to this one. We won't mention them explicitly.
As for dynamic DNS, we concluded that we would fall back to this technology only if there were no other way to supply a public static IP address. It is unreliable and a hassle to set up.
How about renting a virtual private server (VPS) to route incoming and outbound data packets? Could we set up a VPN that connects this VPS with Edge devices?
Although such a topology would increase the total price of self-hosting, it had a major advantage: it guaranteed a public static IP address that could later be mapped to a domain name, i.e. any self-hosted application would be both addressable and accessible on the Internet.
Our preliminary research pointed out that there were a couple of open source VPN technologies that were worth exploring.
An absolute classic, OpenVPN turned out to be a bit of a headache to set up and we failed to do it right.
WireGuard turned out to be a charm to set up. It is already part of modern Linux kernel versions, so one only needs to install some userspace utilities. Thus, WireGuard is well supported by all Linux distributions out there. Its throughput compared to other VPN solutions is superior. System overhead is negligible and even less capable devices, such as the Raspberry Pi, become WireGuard peers at no cost whatsoever.
Months of experimentation proved that connectivity through WireGuard VPN tunnels was reliable and non-problematic. It didn't require any maintenance whatsoever.
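The topology described above, sketched as a pair of wg-quick configuration files. This is an added example, not configuration from the original article. The tunnel subnet 10.0.0.0/24, the public interface name eth0, the exposed port 443, the documentation address 203.0.113.10 and the key placeholders are all assumptions.

```ini
# ---- Internet Gateway (VPS): /etc/wireguard/wg0.conf ----
[Interface]
# Constructed tunnel address; 10.0.0.0/24 is an assumed VPN subnet
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <gateway-private-key>
# Let the VPS route packets between its public interface and the tunnel
PostUp = sysctl -w net.ipv4.ip_forward=1
# Expose only TCP 443 of the edge server; nothing else on it is forwarded
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
# Rewrite the source to the gateway's tunnel address so replies come back
# through the VPN (trade-off: the application sees 10.0.0.1, not the client)
PostUp = iptables -t nat -A POSTROUTING -o %i -p tcp -d 10.0.0.2 --dport 443 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
PostDown = iptables -t nat -D POSTROUTING -o %i -p tcp -d 10.0.0.2 --dport 443 -j MASQUERADE

[Peer]
# Server on the Edge
PublicKey = <edge-public-key>
# /32 pins this key to a single tunnel address, so the peer cannot
# send or receive traffic for any other address in the VPN
AllowedIPs = 10.0.0.2/32

# ---- Server on the Edge: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.0.0.2/24
PrivateKey = <edge-private-key>

[Peer]
# Internet Gateway
PublicKey = <gateway-public-key>
# 203.0.113.10 is a documentation address standing in for the VPS static IP
Endpoint = 203.0.113.10:51820
# Only traffic to and from the gateway uses the tunnel; the edge server
# keeps its normal default route for everything else
AllowedIPs = 10.0.0.1/32
# Behind NAT the edge server has to initiate the connection and keep the
# NAT mapping alive, otherwise the gateway cannot reach it
PersistentKeepalive = 25
```

The edge server needs no listening port and no inbound firewall opening on its home router, because it always dials out to the gateway's static address.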