Part 16 — How I Run My Entire Digital Life on a Raspberry Pi: True Remote Access Freedom via Battle-Tested NGINX and No External Gatekeepers

In this episode, we will finally get rid of the last piece of the not-really-privacy-preserving puzzle: the reliance on Cloudflare tunnels. First, we take our domain back to the registrar where we bought it, in my case, Namecheap. Then, we will create a Let’s Encrypt wildcard certificate for all our domains and set up a dynamic DNS plugin that will update the IP address on Namecheap to the IP address the ISP has provided us. Subsequently, we will run Nginx in a container to act as a reverse proxy for each of our services. The benefits of this approach include making our setup finally completely independent of any third party (except the domain registrar, which we cannot exclude) and giving us more flexibility and control over which protocols (e.g., HTTP/2) and security policies we enforce (e.g., only TLS 1.2 and above, strong Diffie-Hellman keys, removal of unsafe ciphers, HSTS).
Step #0: Router setup
Most of you, like me, are probably behind a home router. Now that we’re no longer using a Cloudflare tunnel to connect from the outside, we need to configure our router to forward specific traffic to our Raspberry Pi. This process varies depending on your router model, so you’ll need to refer to its documentation. Look for settings called “Port Forwarding” or “DNAT” (Destination NAT). Once you locate the configuration page, create three rules to allow SSH (preferably on a custom port to avoid common botnet scanning), HTTP, and HTTPS traffic to reach your Pi.
Your rules should look something like this:
Name | Destination Port | Forward to IP | Forward to Port
-----------------------------------------------------------
SSH | 5544 | 192.168.1.2 | 22
HTTP | 80 | 192.168.1.2 | 80
HTTPS | 443 | 192.168.1.2 | 443
This assumes your Pi’s local IP is 192.168.1.2; adjust this to match your setup. You can also choose any custom port for SSH that suits your preference.
Step #1: Domain setup
Part 1: Configure Your Domain in Namecheap
Before you touch your Pi, you need to enable Dynamic DNS for your specific hostname(s) on the Namecheap website.
- Log in to your Namecheap account.
- Go to your Domain List: From your dashboard, click on Domain List on the left sidebar.
- Select your Domain: Find your-domain and click the Manage button next to it.
- Navigate to Advanced DNS: Click on the Advanced DNS tab at the top.
- Scroll down to the Dynamic DNS section and switch it to enabled.
- Crucially, copy the long Dynamic DNS password that appears. This is not your Namecheap account password; it’s a unique key for DDNS updates. Keep it secure!

Part 2: Create an A + Dynamic DNS record
Normally, you are supposed to make a DDNS record for the main domain, e.g., your-domain.tld. However, when I configured the DDNS client (see later), Namecheap always threw an error. Therefore, the easiest way is to create a subdomain instead, e.g., server.your-domain.tld, which you will still be able to use, say to access your Pi via SSH. Accordingly, set server as Host, and for the Value, you can add any IP for now, e.g., set it to 127.0.0.1. Our DDNS client will update this later.

Step #2: DDNS client setup
A DDNS client in Linux is a vital utility for anyone running services like web servers, game servers, or remote access solutions from a home or small office network with a dynamic public IP address. Since most Internet Service Providers (ISPs) frequently change these dynamic IPs, a DDNS client automatically detects when your IP address changes and then communicates that new IP to a Dynamic DNS service provider. This ensures that your chosen domain name (e.g., your-domain.tld) always points to your current public IP address, allowing uninterrupted access to your hosted services without the need for constant manual updates.
Install the client on your Pi via apt-get install ddclient. Then, create a config file /etc/ddclient.conf with the following content:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
# check every 300 seconds (5 min)
daemon=300
# time out after 10 seconds
timeout=10
# send requests over HTTPS
ssl=yes
# Namecheap DDNS endpoint that returns the current public IP of our ISP subscription
use=web,web=dynamicdns.park-your-domain.com/getip
# protocol is namecheap, as it is our registrar
protocol=namecheap
# our domain name
login=YOUR-DOMAIN.TLD
# password (token key from the Namecheap Advanced DNS tab)
password='YOUR_TOKEN'
# Host to update
# @ would stand for the root domain (e.g., yourdomain.com) as a DDNS record;
# here we update the subdomain created in Step #1
server.YOUR-DOMAIN.TLD
Substitute the placeholder domain names with your actual desired settings. Then, to activate the service immediately and configure it to launch automatically upon system boot, execute the following commands:
sudo systemctl restart ddclient
sudo systemctl enable ddclient
sudo systemctl status ddclient
The final command will provide immediate feedback on any issues. If all operations report success, your Namecheap dashboard should quickly reflect your updated IP address.
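The config file above holds the Dynamic DNS password in clear text, so it is worth checking before the daemon is left running. The following script is an added example, not part of the original post: it audits a ddclient.conf laid out like the one above (one key=value per line plus a bare host line), and the function names conf_get and audit_ddclient_conf are hypothetical.

```sh
#!/bin/sh
# Added example: audit a ddclient.conf for the settings this guide relies on.
# Assumes one key=value per line and a bare host line, as in the config above.

# Print the lower-cased, unquoted value of KEY ($2) from FILE ($1).
# Comment lines never match because the pattern is anchored to the key.
conf_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "'\"" |
    tr '[:upper:]' '[:lower:]'
}

# Print one finding per line; the return status is the number of findings.
audit_ddclient_conf() {
  f=$1; n=0
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }

  # The file stores the Dynamic DNS password: no group/other access at all.
  perms=$(ls -ld "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "group/other permissions are '$perms'; run: chmod 600 $f"; n=$((n + 1))
  fi

  # The update request carries the password, so it must go over TLS.
  if [ "$(conf_get "$f" ssl)" != "yes" ]; then
    echo "ssl=yes is not set"; n=$((n + 1))
  fi

  # Empty or the guide's placeholder means the token was never filled in.
  case "$(conf_get "$f" password)" in
    ""|your_token) echo "password is empty or still the placeholder"; n=$((n + 1)) ;;
  esac

  # Host line: last line that is not blank, not a comment and not key=value.
  login=$(conf_get "$f" login)
  host=$(grep -v -e '^[[:space:]]*#' -e '=' -e '^[[:space:]]*$' "$f" |
    tail -n 1 | tr '[:upper:]' '[:lower:]')
  case "$host" in
    "") echo "no host line found"; n=$((n + 1)) ;;
    "@"|"$login"|*".$login") ;;   # root record or a name inside our domain
    *) echo "host '$host' is outside login domain '$login'"; n=$((n + 1)) ;;
  esac
  return "$n"
}

# Stand-alone use: sh audit_ddclient.sh /etc/ddclient.conf
if [ "$#" -gt 0 ]; then audit_ddclient_conf "$1"; fi
```

The script never prints the password value itself, so its output is safe to paste into a support thread or log.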