OpenBalena Behind NAT Router - Possible?

I’m attempting to set up OpenBalena on a spare machine I have set up at my house running Ubuntu 22.04. I’m doing this as a trial run before setting it up (and paying) on AWS.

I have a domain I purchased through GoDaddy, and I’d like to point the domain at my Ubuntu machine that I have set up OpenBalena on (I’m to the point of pinging my server).

Obviously I can forward ports 80, 443, etc. to the Ubuntu machine, but I don’t really want to do that since it might affect other machines in the local network.

Any way around this?

Hi @jordanhardy1 - well the clients need to be able to directly connect to the server, so some kind of “forward” has to be done. Thinking about it, actually 3 things come to my mind:
a) Port forwarding, like you described, with the negative side effect that if your OpenBalena machine became compromised, so would your complete network.
b) Putting the OpenBalena server onto a separate network interface in a DMZ, located between Internet/WAN and your LAN. If compromised, the machine could then not damage the rest of your network as long as your firewall remains intact - this will probably need a more advanced router or your own hardware firewall - using the normal DMZ option in cheaper home routers will not isolate the system on another interface but just forward all incoming traffic to it - so this would be like a) - but worse, as everything goes to it. This we want to avoid.
c) Cumbersome but possible - create an OpenVPN or Wireshark server in your home network and expose it to the internet, e.g. also with a DMZ solution. In front of each deployed balena client, put an OpenVPN client which connects securely to your home network and forwards all traffic from the client via it. But this also adds a lot of cost and complexity, and I think openBalena also deploys its own VPN - so it will add a lot of overhead and might break things (talking about MTU issues and other stuff…)

So if it’s just going to be a small and short test, a) could be ok-ish; if you want to spend some money for more security, I would go with b). You could also run your own firewall, e.g. pfSense, on another machine and realize a DMZ with that.
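The isolation described in option b), sketched as an nftables ruleset for a Linux box acting as the three-interface firewall. This is an added example, not part of the original posts and not openBalena's own configuration; the interface names and the DMZ address are assumptions, and the port set is only the 80/443 named in the thread, so any further ports the deployment needs must be added in both places.

```nftables
#!/usr/sbin/nft -f
# Added example for option b). All names and addresses are assumptions.
flush ruleset

define WAN_IF   = "eth0"          # assumed: uplink to the ISP
define LAN_IF   = "eth1"          # assumed: home LAN
define DMZ_IF   = "eth2"          # assumed: dedicated DMZ interface
define DMZ_HOST = 192.168.50.10   # assumed: address of the openBalena server

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Only the LAN may administer the firewall; the DMZ host may not.
        iifname $LAN_IF tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ host, restricted to the published ports.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_HOST tcp dport { 80, 443 } accept
        # LAN -> Internet and LAN -> DMZ are allowed.
        iifname $LAN_IF accept
        # DMZ -> Internet only, e.g. for updates.
        iifname $DMZ_IF oifname $WAN_IF accept
        # DMZ -> LAN is the path a compromised server would use: log and drop.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Per-port DNAT. The "DMZ host" option on a cheap home router behaves
        # like the commented rule below: every inbound port reaches the
        # server and nothing separates it from the LAN.
        #   iifname $WAN_IF dnat to $DMZ_HOST
        iifname $WAN_IF tcp dport { 80, 443 } dnat to $DMZ_HOST
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Validate with `nft -c -f <file>` before loading, and watch the kernel log for the `dmz-to-lan` prefix: any hit means the server tried to reach the LAN.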