# How I Host This Blog on My Home Server

> A step-by-step guide to hosting a personal website from a home server using Tailscale and Cloudflare, without port forwarding.

Source: https://riobits.dev/blog/home-server
Markdown: https://riobits.dev/blog/home-server.md
Published: 2026-06-19
Author: Abdulghani (Riobits) — https://riobits.dev

---
## Contents

Nothing feels better than owning your system 100%. In fact, the blog you're reading right now is fully hosted on my own home server.

A lot of my friends have asked me how they can do the same thing, especially how I got around the headache of [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding). (We don't even need it)

Well, today I'm going to answer all of those questions! You'll learn how to spin up your own home server and save yourself around $10 a month.

**Requirements**

- Tailscale Account (Free)
- Cloudflare Account (Free)
- Domain (around $10.81, depending on the domain)
- Server hardware (an old laptop or a mini PC)

## Server preparation

Grab that old laptop or mini PC you've got lying around. From today onward this machine is your server.

The first thing it needs is an operating system. We're going with Ubuntu Server, not the desktop version. The server image is lighter since it doesn't ship with a graphical interface, and you won't be plugging a monitor into it anyway. Head to the [Ubuntu Server download page](https://ubuntu.com/download/server) and grab the latest LTS release.

Now get that ISO onto a USB stick. I use [balenaEtcher](https://etcher.balena.io/) for this because it just works on every OS, but [Rufus](https://rufus.ie/) on Windows does the job too. Flash the ISO, plug the USB into your server, and turn it on. You might need to mash F12 or F2 or Del to get into the boot menu and pick the USB.

From there the installer walks you through everything. Pick your language and keyboard, let it erase the disk, and create your user. Pay attention to the username and password you choose because you'll be using them constantly from here on.

Once it finishes and reboots you'll land on a text login prompt. You can leave it sitting there. We're not going to manage the server from that screen. We're going to reach it from our own laptop instead.

## Reaching your server securely with Tailscale

This is the part that surprises people. To log into your server from anywhere in the world, you do not need to open a single port on your router. No port forwarding, no dynamic DNS, no exposing your home IP to the whole internet.

The trick is [Tailscale](https://tailscale.com/). It builds a private encrypted network between your devices using WireGuard under the hood. Think of it as a VPN, but instead of funneling everything through one central server, your devices talk to each other directly. The rest of the internet can't even tell your server exists.

Make a free Tailscale account first. Then on your server, install it with this one line:

```bash
curl -fsSL https://tailscale.com/install.sh | sh
```

Bring it online:

```bash
sudo tailscale up
```

That command prints a link. Open it in your browser and approve the server into your network. Now do the same thing on the laptop or phone you'll be managing from. Install Tailscale, sign in with the same account, and approve the device.

Run this on the server to see its private address:

```bash
tailscale ip -4
```

You'll get an IP that starts with `100.`. That's your server's address on your private network, the one only your devices can reach. From your laptop, you can now SSH in like this:

```bash
ssh your-username@100.x.x.x
```

That's really it. You're connected to your server over an encrypted tunnel, from anywhere, and you didn't touch your router. The server stays invisible to the public internet. Only devices you've personally approved can see it.

From now on, every command you run, every file you push, every config you tweak goes through this private connection. This is your back door into the machine, and only you have the key.

## Putting your sites online with Cloudflare Zero Trust

So you can talk to your server privately, but nobody else can yet. That's exactly what you want for management. But what about the actual websites you plan to host? The whole point is for people to see them.

This is where [Cloudflare](https://www.cloudflare.com/) comes in, specifically a tool called Cloudflare Tunnel that's part of their Zero Trust suite. It works kind of like Tailscale but pointing the other direction. Instead of letting you reach into your server privately, it lets your server reach out to Cloudflare and say "send me the traffic for my website". Cloudflare then relays visitors to your server through that same tunnel.

The important part is that your server makes an outbound connection. Nothing inbound ever needs to be opened on your firewall. Still no port forwarding.

To use this you need a domain, and its DNS has to be managed by Cloudflare. If you don't own one yet, now's the time. I buy mine from [Porkbun](https://porkbun.com/) because they're cheap and their panel doesn't annoy me. Once you've got the domain, point its nameservers at the ones Cloudflare gives you. This is a one time thing and Cloudflare walks you through it when you add the domain to your dashboard.

With your domain living on Cloudflare, head to the [Zero Trust dashboard](https://one.dash.cloudflare.com/). On the left sidebar click Networks, then Tunnels, then create a tunnel. Pick Cloudflared as the connector type and give it a name like `my-server`.

On the next screen Cloudflare shows you a ready to paste install command with a token baked in. It looks something like this:

```bash
sudo cloudflared service install eyJhIjo...
```

Before that command works you need the `cloudflared` program on your server. On Ubuntu 24.04, add Cloudflare's package repository and install it:

```bash
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install cloudflared
```

Now copy that install command from the dashboard and run it on your server. It installs cloudflared as a system service, connects it to your tunnel, and starts it up. Your server is now linked to Cloudflare, but it isn't serving anything yet.

Stay in the dashboard and move on to the Public Hostnames step. This is where you decide what address points to what. Say you've got an app running on port 3000 on your server. You'd add a public hostname like `app.yourdomain.com`, set the service type to HTTP, and the URL to `localhost:3000`. Save it.

Open `https://app.yourdomain.com` in your browser and there it is. Your site, on the real internet, with HTTPS handled for you automatically by Cloudflare. You didn't open a single port on your router to do it.

Every new site you want to host is just another public hostname in the dashboard. Spin up something else on port 8080, add a new hostname for `blog.yourdomain.com` pointing at `localhost:8080`, save, and you're live again. The pattern scales as far as you want to take it, and none of it touches your router.

## The full picture

Let me zoom out so you can see how it all fits together.

You have a machine in your house running Ubuntu Server. It's plugged into your home network like any other device, nothing special about the setup.

Tailscale sits on top of that and gives your server a private address that only you and your approved devices can reach. When you need to log in, run a command, or fix something, you SSH in over Tailscale. As far as the public internet is concerned, your server isn't even there.

Cloudflare sits on top of that too, but it faces outward. It takes the websites you host and puts them on the real internet through a tunnel. Visitors hit Cloudflare, Cloudflare forwards the request to your server, your server answers, and Cloudflare sends the reply back. The outside world only ever talks to Cloudflare, never to your home network directly.

Two different jobs for two different tools. Tailscale is your private door, and only you have the key. Cloudflare is the front desk, it greets visitors and shows them to the right room.

No port forwarding. No exposed home IP. No dynamic DNS hacks. Just a clean setup that costs you almost nothing and keeps your server locked down.

Welcome to hosting your own stuff.