NovaDNS/Docs

Search documentation

Search for a page in the NovaDNS docs

HomepageDashboard

Learn

Home Server Guide

A practical walkthrough of running a home server that is reliably reachable from the internet using NovaDNS — covering hostnames, port forwarding, reverse proxies, and security best practices.

Overview

A home server is any machine in your home (or small office) running services you want to access remotely. It might be an old PC running Linux, a Raspberry Pi, a NAS device, or a dedicated machine. The challenge is always the same: your ISP gives you a public IP that can change at any time, making it impossible to reach your server reliably without DDNS.

With NovaDNS, you get a stable hostname like home.novaip.link that follows your IP wherever it goes. Combined with port forwarding and a reverse proxy, you can run a full stack of self-hosted services — all reachable by a memorable address.

Popular services people run at home include Home Assistant, Plex, Jellyfin, Nextcloud, Vaultwarden, Gitea, Grafana, and WireGuard VPN.

Setting up your hostname

Start by creating a host in NovaDNS. Log in to your dashboard, click Add host, and choose a subdomain. For a home server, something like home or nas works well. Your hostname will be yoursubdomain.novaip.link.

After creating the host, copy the update token shown in the host detail page. You will need it to configure your DDNS client.

1

Create a host

Dashboard → Add host → choose a subdomain (e.g. home) → save.

2

Copy the update token

Click the host → copy the 64-character token from the credentials panel.

3

Configure DDNS on your router

Most routers have a DDNS section. Set server=novadns.io, username=your email, password=the token, hostname=home.novaip.link.

4

Verify the record

Run "dig home.novaip.link A +short" — it should return your public IPv4 within a minute.

If your router does not have a built-in DDNS client, install ddclient on any Linux machine on your network. See the Client Setup guide for copy-paste configurations.

Port forwarding

Your router sits between the public internet and your local network. By default it blocks all inbound connections. To make a service reachable from outside, you need to create a port forwarding rule that maps a port on your public IP to a port on your server's local IP.

Find port forwarding in your router's admin panel — it may be labelled Virtual Server, NAT, or Port Forwarding. Set your server to a static local IP first (via a DHCP reservation) so the rule does not break when the server reboots.

ServicePort(s)Notes
HTTP / HTTPS80, 443Web services, reverse proxy entry point
SSH22Remote terminal — consider a non-standard port for security
Plex32400Direct play without relay
Home Assistant8123Default HA port; expose via reverse proxy in production
WireGuard VPN51820 UDPPreferred: route all traffic through VPN instead of forwarding individual services
Jellyfin8096Media server; or 8920 for HTTPS
Nextcloud443Expose only via HTTPS reverse proxy
ISP note: some residential ISPs block inbound connections on port 80 and 443. If you cannot reach your server on these ports, check your ISP's terms of service. In many cases you can use a non-standard port and instruct users to specify it explicitly, or use a VPN tunnel (see below).

Reverse proxy

A reverse proxy sits in front of your services and routes requests to the right one based on the hostname or path. It also handles TLS termination, so you get HTTPS for all your services through a single forwarded port 443 — without exposing each service's native port to the internet.

Caddy is the easiest option for home servers — it automatically obtains and renews Let's Encrypt TLS certificates for any domain you configure, with zero extra setup.

CaddyfileCaddy — multi-service example
home.novaip.link {
  reverse_proxy localhost:8123  # Home Assistant
}

media.novaip.link {
  reverse_proxy localhost:8096  # Jellyfin
}

files.novaip.link {
  reverse_proxy localhost:11000 # Nextcloud AIO
}

Each subdomain above would be a separate NovaDNS host pointing to the same IP. Caddy routes traffic based on the Host header, so you only forward ports 80 and 443 on your router — all services share the same entry point.

Nginx Proxy Manager is a popular alternative with a graphical web interface — suitable if you prefer not to edit config files.

Popular self-hosted services

These are some of the most popular services people run at home and expose via DDNS.

Home AssistantHome automation platform. Runs on a Raspberry Pi or any Linux machine. Expose via Caddy for remote access.8123
Plex / JellyfinMedia server for movies, TV shows, and music. Jellyfin is the fully open-source option.32400 / 8096
NextcloudSelf-hosted cloud storage and collaboration suite. Replaces Google Drive, Docs, and Calendar.443 (via proxy)
VaultwardenLightweight Bitwarden-compatible password manager server. Run your own end-to-end encrypted vault.443 (via proxy)
GiteaLightweight self-hosted Git service. A fast alternative to GitHub for private or team repositories.3000 / 443 (via proxy)
GrafanaMetrics and monitoring dashboards. Pair with Prometheus to monitor your server and services.3000

VPN access with WireGuard

Rather than exposing individual services to the internet, a better approach for many users is to run a WireGuard VPN server on their home network. Remote devices connect to the VPN and then access all home services over the private tunnel — as if they were sitting on the local network.

Use your NovaDNS hostname as the Endpoint in your WireGuard client configuration. When your home IP changes, NovaDNS updates the DNS record within 60 seconds, and WireGuard automatically resolves the new IP on the next reconnect.

wg0.confWireGuard client — minimal config
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address    = 10.0.0.2/32
DNS        = 10.0.0.1

[Peer]
PublicKey           = YOUR_SERVER_PUBLIC_KEY
Endpoint            = home.novaip.link:51820
AllowedIPs          = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
PersistentKeepalive = 25 sends a keepalive packet every 25 seconds. This keeps the tunnel alive through NAT and ensures your WireGuard client notices an IP change and re-resolves the endpoint promptly.

On your router, forward only UDP port 51820 to your WireGuard server. No other ports need to be exposed — all your services remain on the private network.

Security recommendations

Exposing services to the internet comes with responsibility. Follow these practices to keep your home server safe.

  • Always use HTTPS. Use Caddy or Nginx Proxy Manager to get free Let's Encrypt certificates. Never expose a service over plain HTTP in production.
  • Move SSH off port 22. Automated bots scan port 22 constantly. Changing to a non-standard port (e.g. 2222) significantly reduces noise. Better still, disable password auth and require SSH keys only.
  • Enable MFA everywhere. Use two-factor authentication on all exposed services — especially Nextcloud, Gitea, and Home Assistant.
  • Keep services updated. Outdated software with known CVEs is one of the most common attack vectors. Set up automatic updates or check for new releases regularly.
  • Consider a VPN instead. For personal use, routing everything through WireGuard and keeping services off the public internet is the most secure approach.
  • Use fail2ban. Install fail2ban on your server to automatically block IPs that repeatedly fail authentication.
Previous
Troubleshooting
Next
IP Cameras Guide

Was this page helpful?