2021

I have a WireGuard server running on a Raspberry Pi 4B at my home, exposed to the internet via a static IP address and port forwarding. I set it up using the Linuxserver.io WireGuard docker container, which is straightforward to use and manage.

As I am in a different city now, I had been postponing the updates to the docker container since it is risky to do so remotely. Any issue in the upgrade process could lock me out of my home network till I am physically present in my home.

As I hate deferring updates, I decided to apply the update remotely. To prepare for that, I logged into the Raspberry Pi via the WireGuard VPN and set up a remote forwarding SSH tunnel on a server of mine hosted in the cloud, using a command like,

$ ssh -R 2222:127.0.0.1:22 username@remote.server.address -N

This command forwards the 2222 port on the remote server to 127.0.0.1:22 on the Raspberry Pi, thereby allowing access to it from the remote server. The -N flag prevents the execution of any remote command (like say, starting the user’s shell) and is useful for just forwarding ports.

Then I logged in directly to that server and logged in to the Raspberry Pi using the forwarded port on that server. Now I could destroy and re-create the WireGuard container without the fear of being locked out since I was connected to the device using SSH and not the WireGuard VPN itself. So, I ran the following command.

$ ssh -p2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no username@127.0.0.1

The UserKnownHostsfile=/dev/null option prevents the saving of the remote host’s SSH key in the ~/.ssh/known_hosts file, the StrictHostKeyChecking=no option prevents the checking of the remote host key, and the CheckHostIP=no option prevents the checking of the remote host’s IP address. These options disable a lot of important security measures that SSH provides by default ⚠️. But since we are connecting to a known host through a forwarded host, and don’t want to save any local data about it, these options are fine to use.

This command my remote SSH session, and I was worried that I had missed something important and was locked out. So, I disconnected the SSH session using the escape sequence (<enter>~.) and reconnected to my cloud server and then to the Raspberry Pi. It worked and I heaved a sigh of relief and was glad to have pulled this off without any issues. I verified that updated WireGuard container was running without any issues and that I was able to connect to the VPN. 😌

Update (April 2021): I switched back to Tiny Tiny RSS after fixing the abandoned LinuxServer.io Tiny Tiny RSS docker codebase to work with the latest Tiny Tiny RSS changes in my fork.

I have been using feed readers to consume RSS feeds for more than a decade now, starting with Liferea and then moving on to the web-based Google Reader (RIP) and NewsBlur. I used the free tier of NewsBlur for a long time and even contributed some bug fixes to it. The Android app was available on F-Droid and worked pretty well. However, as a self-hosting enthusiast, I wanted to self-host NewsBlur, and it was very difficult to do so. So I started searching for alternatives again.

I found Tiny Tiny RSS and fell in love with it as it was full of useful features and very easy to self-host. The project’s author can often be a very difficult person to deal with and is very opinionated. Fortunately, I had to ask for support on the official forums just a few times in the many years that I used Tiny Tiny RSS.

The TTRSS-Reader app on F-Droid proved to be a very good companion Android app, followed by a fork of the official version. When I moved all my self-hosted applications to a docker-compose based setup a couple of years ago, the LinuxServer.io tt-rss container image was very easy to set up and migrate to. Then the project stopped maintaining the container because the upstream author didn’t like them packaging his software and asked them to stop doing so. 🙁

The source for the container image was available on GitHub and I continued to use it to build and update the tt-rss container that I self-hosted. However, a month or so ago, there were some breaking changes to the configuration method used by Tiny Tiny RSS and my builds stopped working. Then I started checking if I could use the officially supported docker-based installation method documented here. However, that installation method required Tiny Tiny RSS to be run as a sub-folder under a top-level domain and not as a sub-domain like I wanted.

So I attempted to build my own Tiny Tiny RSS container and while doing so, realized that it is not worth doing so. I decided against spending any more time trying to get Tiny Tiny RSS to work as it was clearly not intended to be used in the way that I wanted to (according to the author). I started looking for alternatives again and liked FreshRSS. To be honest, it didn’t feel as polished and mature as Tiny Tiny RSS or NewsBlur, but was close enough.

I used the LinuxServer.io FreshRSS container to set up my instance and migrated all my feeds from Tiny Tiny RSS to it. As the web interface felt a bit clunky to me, I started using it via the client apps – NewsFlash on my desktop and Readrops from F-Droid on my phone and the experience has been okay.

Before I chose FreshRSS, I checked and investigated the current status of NewsBlur and if the self-hosting scenario had improved. The project has a docker-based deployment method now in the dashboard3 branch, but it looks like it might take a while for it to have first-class support. And the project has and uses a lot of bells and whistles which are not needed for a small instance or a single-user setup. I briefly considered subscribing to the premium plan on the official NewsBlur site, but didn’t do so out of subscription fatigue and also because I already pay for infrastructure which can be used for self-hosting many services.