Over the years, I have spent more than $30 each month for a mix of services that handled different parts of my digital life. The most-used services in my stack were Plex Pass, Google One, and Apple One; individually, they didn’t feel like much, but combined, they added up to a number I started noticing.

At the same time, I was already running a server 24/7. An old Dell Latitude handled the compute, and a Synology DS218J stored the data. I realized that the subscriptions were solving problems the server could already solve. That was when I decided to replace them with free, self-hosted alternatives.

Replacing the services turned out to be simple and easy, but making them accessible from anywhere was the harder challenge. That's where Pangolin changed the experience entirely.

Three subscriptions, three self-hosted replacements

The easy part

I was using Plex even before I had built my home Debian server. It was hosted on my old Synology NAS, and technically my first self-hosted service. But getting Plex to work outside my home network was never straightforward. CGNAT made that worse (more on that later). To cope, I finally settled on Plex Pass for around $4.99/month at that time (before I eventually migrated).

For a few years, I paid the monthly fee, and that stopped as soon as I built my home server. Jellyfin was among the first services I replaced Plex with. I was amazed to see all the open-source work around Jellyfin; it didn't feel like a free product. When I replaced one paid service with a free, self-hosted alternative, and it worked as expected, I started questioning every other monthly subscription I had. The next subscriptions I looked at were Google One and Apple One.

Between my iPhone, Android, MacBook, and Windows PC, I was spread across two ecosystems. I used Google One for storing and sharing photos from my Android device and, at the same time, Google Drive for file services on my Windows PC. I was paying around $2.99/month for the 200 GB plan. I also used Apple One for storing photos and videos from my iPhone. I have a MacBook Pro with 256 GB of storage; Apple One was a non-negotiable subscription for me. Even though I could just buy iCloud+, I was used to Apple TV+ and Apple Music, and I shared it with my family, so Apple One felt right for me. I was paying around $25.95/month.

Once the Plex replacement worked for me, I immediately replaced both Google One and Apple One with Immich and Nextcloud. I won’t pretend that these matched Apple or Google polish, but for a free alternative, they were more than enough. And when I factor in the privacy gains alongside the $30 a month I was saving, the tradeoff was obvious.

Among the three, the experience wasn't uniform. Immich didn’t feel like a free app, and with features like automatic photo uploads, timeline view, and face recognition, it gave a competitive edge over Apple and Google Photos. Jellyfin and Nextcloud worked as expected. Jellyfin had a bunch of open-source contributions that made the experience better — Fladder being one of them.

The real challenge wasn't running them. It was accessing them reliably from anywhere.

Pangolin made them feel like real cloud services

The part that actually changed things

Jellyfin worked. Immich worked. Nextcloud worked. But they mostly felt like services tied to my home network. As a homelab enthusiast, Cloudflare was the obvious first choice. But I was already deep into the Cloudflare ecosystem, and I didn’t want to depend on one company for almost all of my homelab needs. So I skipped Cloudflare Tunnel and tried self-hosting Pangolin on my own rented server instead. Why a rented server? Both my ISPs were behind CGNAT and Pangolin required a true static IP address to work.

I had already set up Pangolin and migrated a few services to it, so adding these services as resources was a few minutes' work. The process was simple enough that it didn't become a weekend project. I created a new resource for each service, added subdomains, and pointed each one to the local server IP and port, and they were running within a few minutes. Immich and Jellyfin worked on the first load, but Nextcloud complained a bit. It wasn’t a Pangolin issue; Nextcloud required a trusted domain to be set in the config file before it would load. Once I added the subdomain as a trusted domain, it worked flawlessly.
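The trusted-domain fix described above, as an added example that is not from the original article: the relevant entries in Nextcloud's `config/config.php`. The hostname and addresses are placeholders, and the `trusted_proxies` and `overwrite*` entries are assumptions about a setup where a reverse proxy terminates TLS in front of Nextcloud, not settings the article mentions.

```php
<?php
// Fragment of Nextcloud's config/config.php (added example).
// Merge these keys into the existing $CONFIG array; do not replace the file.
$CONFIG = array(
  // Nextcloud refuses any request whose Host header is not listed here,
  // which is why the new subdomain failed until it was added.
  // List the exact hostname rather than a broad pattern.
  'trusted_domains' => array(
    0 => '192.168.1.50:8080',   // placeholder: LAN address used at home
    1 => 'cloud.example.com',   // placeholder: subdomain created for the resource
  ),

  // Assumption: proxied requests reach Nextcloud from this LAN address.
  // Only peers listed here may set X-Forwarded-For, so brute-force
  // protection and logs see the real client IP instead of the proxy's.
  'trusted_proxies' => array('192.168.1.60'),   // placeholder address

  // Assumption: TLS ends at the proxy and Nextcloud itself speaks plain HTTP.
  // Forces generated links and redirects to use https.
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://cloud.example.com',   // placeholder hostname
);
```

The same trusted-domain entry can be written from the command line with `occ config:system:set trusted_domains 1 --value=cloud.example.com`, which avoids hand-editing the file.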

Once everything was configured, it finally started to feel like a cloud service. Watching media away from home felt no different than being on my local network. I could easily grab files from a browser when I was away from my desktop, or pull article screenshots from my MacBook. The Immich transition was hassle-free, and it never felt like I moved from a paid service. The photos were backing up automatically even when I was not home. Features like timeline and AI face recognition never felt like they were running on my old home server. I could share photos and videos without relying on Google Photos.

Once remote access became reliable, the stack finally felt comparable to the cloud services it had replaced. But self-hosting still comes with costs that subscriptions quietly absorb for you.

What you give up when you self-host all of it

Nothing is free

Deploying the services and making them feel like cloud alternatives was one thing, and keeping them running was a different story. We pay for Plex, Google Photos, and iCloud not just for storage and access; we also pay for the convenience and the experience. For example, the trusted domain issue I mentioned earlier was something I wouldn't expect from Google Drive or iCloud.

I used my Synology NAS as block storage mounted on my home server. All my data, photos, videos, and media were stored on my NAS. So, all of these services depended on my home server as well as my NAS to work properly; if either of them was down, the services would become unreachable. On top of that, I was also responsible for updating containers and watching for breaking changes.

Occasional troubleshooting came with the territory. I had to do it every once in a while. Not because it was difficult, but because it's the kind of thing cloud services hide from users. When Google changes something, Google fixes it. When Nextcloud changes something, I fix it.

Then there were the backups. The data lived on my own hardware, which also meant protecting it was my responsibility. If the server failed, recovery depended on whatever backups I had maintained. So, backups were an important part of the whole infrastructure. I was saving on recurring subscription costs and storage upgrades, but when I weighed it against the time spent on maintaining services, troubleshooting, and monitoring, it felt balanced.

“The savings are real, but they're not free.”

Ownership has a different kind of cost

The biggest lesson from this setup wasn’t that self-hosting is always better than commercial services. I own the data, the access layer, and the infrastructure, but that ownership comes with maintenance overhead, updates, backups, and occasional evenings troubleshooting something that broke randomly. I replaced Plex, Google Photos, and iCloud with Jellyfin, Immich, and Nextcloud. It worked for me because the subscription costs outweighed the added responsibilities. If you are ready to accept the overhead and are already running hardware, you can do the same; otherwise, commercial services exist for a reason.

Pangolin

Pangolin is an open-source, identity-based remote access platform built on WireGuard.