Hi, I know this topic has been talked about 70 thousand times but I’m still not sure.

I have home server on an intel NUC behind the ISP router. On it I have the standard arr apps, jellyfin, pi-hole etc etc. I would like to access them through a domain rather than an IP. So I set them up in docker, behind traefik, behind authelia and behind cloudflare. I am the only one that uses it.

Now, I’m worried about the security of it all. I’ve been searching here and there and I’ve read about cf tunnels, wireguard server, vps, vlan, OPNsense etc etc. I still don’t know what would be the most secure. Should I just stay with what I have?

EDIT: I’m not behind CGNAT

  • bless@lemmy.world
    link
    fedilink
    English
    arrow-up
    42
    ·
    1 year ago

    I would go with wireguard VPN or something like cloudflare tunnels or tailscale. With wireguard you’ll need to open up an external port and forward to your VPN host, but wireguard uses UDP so no one can probe it for responses. CF tunnels and tailscale you don’t have to open up holes in your firewall which is nice.

    You also have the option of using a proxy and opening up 443 publicly on your firewall, but unless you know what you’re doing I’d leave that closed until you learn more.

    • Footnote2669@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Mmmmmm, tunnels sound boring haha I might try figuring out wireguard. Do you have any trusted guides on it? Or should I just google :P

      • bless@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Good thing about wireguard is it’s really simple. Google should get it done, if you get stuck send me a DM. I started with basic wireguard, I now run firezone in docker as I like the frontend.

        • Footnote2669@lemmy.zipOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          (I’m gonna copy what I said in another comment lol)

          I don’t know if I’m shooting myself in the foot by trying to do in docker for now or not, but I’d rather do that before I do it on bare metal. It seems to work already, as I can see that my IP changes on my phone when I access it. Hell, I can even access my routers’ dashboard. However, I still can’t access the services on the server (by IP, like 192.x.x.x:8989), which I can access if I’m on Wi-Fi. So I’m trying to figure that out. Any ideas?

          • bless@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Hmm do a traceroute and see where it’s dying. Can you ping inside IP of the tunnel on the wireguard server? What about outside?

            What did you deploy in docker, firezone or basic wireguard?

            Does your phone say connected and you see both incoming and outgoing packets? Is there a firewall in place on the wireguard host (ufw maybe)?

            If you have nmap available you can also check port status.

            • Footnote2669@lemmy.zipOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              1 year ago

              Yup, run journalctl and I can see ufw blocking requests. Now just need to figure out how to allow it

              EDIT: Adding a rule “ufw allow from 192.x.x.x/24” fixed it, just need to find out if THAT’s secure now lmao

              • bless@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                You can bound ufw rules to interfaces, so you can allow in only on the wg0 interface and not eth0 interface.

                Glad it’s working! I love wireguard!

                • Footnote2669@lemmy.zipOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  I couldn’t use the interface, as wg is in a docker container, but I used the container IP, and it seems to be working. Huge thanks! Now I can get rid of Cloudflare and related containers :D (just need to fix the homepage first, I’m not using IPs for services lol)

      • sunbeam60@lemmy.one
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Honestly it couldn’t be simpler. Look at wg-easy docker container. You’ll be up and running in 10 minutes.

  • JoeKrogan@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    Duckdns will give you a free domain name. Run wireguard on the machine to connect remotely. Only allow WG port for remote access. Optional limit app access in your webserver to your VPN and lan ips. You can also run something like adguard home to get ad blocking. In that case set your wg server ip as the dns server ip eg 10.0.0.1 and add your ddg domain name in adguard so it will resolve without having to do an external lookup when on the lan or vpn.

    • sunbeam60@lemmy.one
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I’ve had really poor results with duckdns recently - it seems propagation flakes out every 2-3 months. Wrote to them about it but never had a response.

  • Wander@yiffit.net
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’d say to start with CF tunnels unless you need non-web based applications. Cloudflare tunnels require you to have a domain, though.

    It has the added benefit that you have network monitoring, logging and some filtering for security that they do on top and you get to manage everything from their web interface.

    be warned that the first time can be a bit confusing, but since it’s done using their web interface it’s easier than if you have a problem making wireguard work.

    1. Create a tunnel with a public hostname that will be the url to access that service. During the creation of the hostname specify you want it protected by L7 application firewall.
    2. Create a new self-hosted application in cloudflare application section and for starters use the default login email and in rules specify the list of emails that are allowed to login

    you should now be able to access your application from anywhere.

    Alternatively, if you have a DNS server in your home network you can add a private IP range to your tunnel. Let’s say 192.168.0.0/24. Then when you connect with their pseudo-VPN (cloudflare warp or cloudflare ONE) you can directly use your home network’s ip address from that device. If you tell your device to use a local DNS server that resolves your internal services, you’ll be able to connect to them that way.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CF CloudFlare
    CGNAT Carrier-Grade NAT
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    NAS Network-Attached Storage
    NAT Network Address Translation
    NUC Next Unit of Computing brand of Intel small computers
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    [Thread #319 for this sub, first seen 1st Dec 2023, 09:55] [FAQ] [Full list] [Contact] [Source code]

  • psion1369@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    2
    ·
    1 year ago

    Check out Tailscale. They have 20 machine limit on the free plan. It runs on wireguard and is pretty secure.

    • Avid Amoeba@lemmy.ca
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 year ago

      And there’s an OSS control plane replacement called Headscale although I don’t know what’s involved in using it. Researching and implementing it is my backup plan for when Tailscale turns to shit.

      E: Just briefly parsed their docs, deployment and usage seem pretty trivial. There’s no need to use forks of the clients either. You can give your Headscale url to the Tailscale clients on login and you’re good to go.

      • uzay@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Setting up headscale isn’t too hard. But last time I tried, connecting the clients to it didn’t work properly (on mobile). Since they are using the regular tailscale clients, they don’t have much control over that.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I gotta try. I’m planning to switch to it anyways. The Android client is open source so if something has to be changed it can be contributed or forked if the contribution isn’t accepted.

          • axzxc1236@lemm.ee
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Install tailscale from F-Droid not Google Play. I had trouble setting up custom server with Google Play version.

    • BastingChemina@slrpnk.net
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Tailscale is amazing, I work with a small company and we were battling with our IT contractor to have a VPN running for remote work.

      After a while of things not working as it should I just set up tailscaled because I was using it with my home server and it just works.

      We are now on a paid plan and everyone else is using it when working remotely.

  • Nyfure@kbin.social
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
    If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).

    I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
    But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.

  • h3ndrik@feddit.de
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    1 year ago

    Make your services password protected and have some software like fail2ban that blocks people from brute-forcing passwords.

    Keep your software up to date.

    • Footnote2669@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      They are password protected. Plus, behind 2FA authelia. Plus Crowdsec (which originally made me make this post, cos I can see http probing etc on it)

      • h3ndrik@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Alright. I wouldn’t worry too much, then. If you set it up correctly and you keep it up to date so there aren’t any security vulnerabilities, you should be okay.

        Of course there are arbitrary, more strict approaches. You could do monitoring. Or restrict the IP addresses the server answers to. Or put everything behind a VPN and not have it exposed in the first place. But I also have my NAS and a few internet services like Nextcloud and it’s been fine, similar to this, for years.

        • sunbeam60@lemmy.one
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Same, have had a few select services exposed to the internet, behind very, very complex passwords or keys, with fail2ban etc. never had an incidence.

  • taladar@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    It largely depends on what you mean by ‘anywhere’, in particular if you only want to access it from your own devices or also other people’s you can only access for a minute or two and where you can’t install anything.

    Of course there is also the question which services you want to access, e.g. just Websites and -Applications over HTTPS or do you also want e.g. the pi-hole’s DNS service to be available.

  • pimeys@lemmy.nauk.io
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    As said in the thread, you need some kind of tunnel that stays up and doesn’t need to be fixed if the internet goes down.

    Wireguard, or if wanting super easy setup, Tailscale version of Wireguard is great for this. Now you have a private IP address in your VPN network to your home server, that stays up and answers to HTTP. Next thing you need is a cheap VPS somewhere with a public IP address. When that is running, and is in the Wireguard network so you can access your home server from the VPS, you need a Nginx proxy in the public server. Either do it by hand, or use a service such as the Nginx Proxy Manager to handle the proxy setup.

    How it basically works is you register a domain name (A, CNAME) to the public VPS service, then with Nginx you setup that anything coming in to the domain X should be proxied to the VPN IP address Y and port Z. Now you can add HTTPS to this domain and get a Let’s Encrypt certificate for it. You can, again, do this manually with Nginx, or let Nginx Proxy Manager handle it for you.

    Finally. Stay safe. If you really open services to public internet from your home, be very sure to have all the latest updates and use strong passwords in all of them. Additionally, you can use the home services directly from the Wireguard/Tailscale network by accessing them using the private IP addresses. Your computer should just be in the same network with them.

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    1 year ago

    Why so complicated? Why not just SSH? Put it on some random port, make it public key login only, and you’re done.

    • ExploratrixLunae@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      I’ve beeb looking into a similar setup and I didn’t know SSH could do this kind of tunneling. Thanks for the tip! I’m going to consider using it.

      • onlinepersona@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m not sure what you mean by tunnel, but SSH allows a “secure shell” aka an encrypted connection to a shell on a device. Tailscale, Headscale, and others are VPNs, which means they allow making it seem as if your computer is in the same (private) network as that of the server - but in order to have a shell on the server, you’ll still need SSH.

        To my knowledge, adding a VPN to open a secure shell on the server is unnecessary and has no security benefits.

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    I use Tailscale with their DDNS feature that generates you a domain that resolves each of your Tailnet devices when connected. You can even run a command that generates an SSL cert for your given node and you can use that to further secure it with TLS in case you don’t want to deal with untrusted cert warnings.

    This is especially useful for iPhones because they won’t keep your Tailscale VPN always on, but you can configure it so that requests to specific domains will activate and use your Tailscale VPN, which you just set to that generated one.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I was about to ask why you’d need DDNS for Tailscale, had no idea about iOS issues. Thanks!

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Because even when you have static IPs it’s still nice to just use a host name, and to properly secure things with a certificate. It’s not really DDNS as much as it is plain old DNS, but it works without configuration on your part. Once you enable it, whatever the tailnet name of your device is, becomes ‘device name.yourdomain.ts.net’.