This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?
Increase the attack surface compared to what? If you don’t allow/enable any access to services inside your network from outside, then by definition you have fewer attack surfaces than if you add a VPN to that empty list.
So trivially the answer is “yes, it adds an attack surface”.
But what are the alternatives? If you directly expose each individual service on a dedicated port, for example, then you’d add many more (and usually less well hardened) attack surfaces instead.
So if the comparison is “expose 5 web-based services directly” vs. “expose one VPN like wireguard”, then the second option is almost always the clear winner when it comes to security (and frequently also when it comes to ease of setup as well as comfort).
If you’re worried about that, I can recommend a service like Tailscale which does not require permanently open ports to the outside world, offering quite a bit more security than an exposed traditional VPN server.
I would suggest trying wireguard first as it’s much less complex to set up. Once you have a handle on that, you might consider moving to a mesh network. I personally would love to use a mesh network, but have not been able to get it configured correctly the few times I’ve tried.
TS is a lot easier to set up than WG and does not require a publicly accessible IP address nor any public whatsoever. It’s not really comparable to setting WG up yourself; especially w.r.t. security.
Agreed. Tailscale is very easy to setup.
I’ve have made a lot of progress with Tailscale once I learned how to set up an “Exit Node” which is done in the Tailscale admin page. You set up Tailscale on your network and sign in, then set it as an exit node. Then (on android at least) you open the app and hit the 3 dots and pick “use exit node” then type the IP of your service into your browser and it’s magically usable.
There’s also Tailscale on YouTube which has walk through a for attaching Tailscale to Docker containers, allowing access to those containers without an exit node. I’ve successfully done this with Audiobookshelf so I just turn on Tailscale out of the house and open the Audiobookshelf app and it connects to my private instance at home.
Huh, never heard of it! from what I gathered from the website its a central VPN? Wouldn’t that be overkill for a homelab scenario? Thanks for your response!
It’s a virtual mesh network.
I’ve used it to:
Access a single machine (one client on a machine at home, one client on my laptop)
Connect multiple machines on disparate networks to each other (each machine has a client and is joined to my TS network)
Enable complete access to my home network using Subnet Routing (one machine at home has the TS client, with subnet routing enabled)
Provide access to a single service for anyone using Funnel (one machine at home running TS client, with Funnel configured for a specific service)
It all depends on how you configure it. I find running Tailscale on a Raspberry Pi with Subnet Routing configured provides most of what I need:the ability to access any device on my home network (including printers, digital photo display, TV, router, etc), from anywhere I install the TS client.
I’ve tried Nebula before but couldn’t get it running properly on all devices. How is Tailscale in terms of compatibility and can you also use wireguard simultaneously? Mesh networks are great for connecting my own devices and servers, but I still need a wireguard interface for certain servers to provide public access through a public router. I also ran into a major issue setting up Nebula on my laptop in which it couldn’t be used without disabling my VPN. Is any of that a problem with Tailscale? Also, is Tailscales coordination server self hostable or do you have to use theirs? That seems like a dealbreaker if you’re forced to use a third party coordinator
It’s a central server (that you could actually self-host publicly if you wanted to) whose purpose it is to facilitate P2P connections between your devices.
If you were outside your home network and wanted to connect to your server from your laptop, both devices would be connected to the TS server independently. When attempting to send IP packets between the devices, the initiating device (i.e. your laptop) would establish a direct wireguard tunnel to the receiving device. This process is managed by the individual devices while the central TS service merely facilitates communication between the devices for the purpose of establishing this connection.
Does it increase your attack surface? Yes. With proper precautions is this level of risk negligible? Also yes.
You will be opening a port to the outside world. Anyone can try to use it. But if you are using key authentication it will be fine.
Opening any service / port has a impact to security in your network. Vpns are meant to be exposed and are generally secure. As long as your router updates and fixes security issues there shouldn’t be an issue with the router providing the VPN.
deleted by creator
Does creating a VPN into my home network using my router increase my attack surface?
Yes, but it also provides the ability to access any resource in your network in a secure way.
It is typically less safe to expose 3 or 4 different services you want remote access than a single VPN daemon that is actually designed for that specific scenario and has mitigations for common attacks built in.
To make your setup secure you can consider a few steps:
- Use Wireguard: don’t be afraid to expose the Wireguard port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won’t even know there’s something listening on that port / it will be invisible to typical IP scans / / will ignore any piece of traffic that isn’t properly encrypted with your keys;
- Use a 5-digit port for your VPN - something like 23901 (up to 65535) will be way harder to find than typical ports like the default 51820 or 443;
- Go full paranoid and use a firewall to restrict what countries or even days, hours access your server is allowed. Eg. only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). Be aware of what happens when you’re abroad;
- Don’t port forward IPv6 if you don’t need it. Might be easier than dealing with a dual stack firewall and/or other complexities.
In a side note: a VPN doesn’t mean full access to your network either. You can setup a VPN endpoint that only allows access to a few specified services running on specific machines instead of the entire network. This will give you extra security if you’re into that.
- https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 (skip IPv6)
- https://github.com/ngoduykhanh/wireguard-ui - good UI to manage wg
- https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
- https://tadeubento.com/2024/nftables-country-geo-blocking/
Thank you for not only taking the time to answer but also adding quite useful resources. I will look into it!