Hi, I know this topic has been talked about 70 thousand times but I’m still not sure.

I have a home server on an Intel NUC behind the ISP router. On it I have the standard arr apps, Jellyfin, Pi-hole etc etc. I would like to access them through a domain rather than an IP. So I set them up in Docker, behind Traefik, behind Authelia and behind Cloudflare. I am the only one that uses it.

Now, I’m worried about the security of it all. I’ve been searching here and there and I’ve read about cf tunnels, wireguard server, vps, vlan, OPNsense etc etc. I still don’t know what would be the most secure. Should I just stay with what I have?

EDIT: I’m not behind CGNAT

  • psion1369@lemmy.world · ↑22 ↓2 · 1 year ago

    Check out Tailscale. They have 20 machine limit on the free plan. It runs on wireguard and is pretty secure.

    • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world · ↑16 · 1 year ago (edited)

      Tailscale Free has a 100 device limit.

      Virtually its only limitation against the paid plans is the user limit. (3 users)

      And network logging because it’s heavy on their servers.

      Also the user limit only applies to your account. You can share devices/etc with other accounts, as many others as you like.

    • Avid Amoeba@lemmy.ca · ↑8 · 1 year ago (edited)

      And there’s an OSS control plane replacement called Headscale although I don’t know what’s involved in using it. Researching and implementing it is my backup plan for when Tailscale turns to shit.

      E: Just briefly parsed their docs, deployment and usage seem pretty trivial. There’s no need to use forks of the clients either. You can give your Headscale url to the Tailscale clients on login and you’re good to go.

      • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world · ↑4 · 1 year ago (edited)

        I am big into self-hosting and would be happy to run my own Headscale server (I have actually) but imo it’s not worth the effort.

        It can be done but it requires a lot of effort and consideration to ensure the relays and routing work for when your clients are in challenging NAT scenarios. And the user experience is not as good.

        Instead what I do is continue to use Tailscale but I use the Tailnet Lock feature to give signing authority to my own specified devices so any new devices must be signed off by one of those other devices.

        This effectively eliminates the last point of trust where you had to trust tailscale’s servers to manage authorization. The result is you don’t have to worry about trusting tailscale at all, the entire system is zero trust.

        The catch is if you lose those devices and the recovery keys you lose the ability to trust or add to your tailnet and your only real option is to delete all the devices and start fresh.

        They also have the option to send a recovery key to their servers when you enable Tailnet Lock so support can rescue you in that scenario, but I think if you are using this feature in the first place it’s because you don’t want to do that, so I imagine most choose not to lol

        I linked to their blog post above because I think it explains the feature well. If you just want the docs they are here

      • uzay@infosec.pub · ↑3 · 1 year ago

        Setting up headscale isn’t too hard. But last time I tried, connecting the clients to it didn’t work properly (on mobile). Since they are using the regular tailscale clients, they don’t have much control over that.

        • Avid Amoeba@lemmy.ca · ↑2 · 1 year ago

          I gotta try. I’m planning to switch to it anyways. The Android client is open source so if something has to be changed it can be contributed or forked if the contribution isn’t accepted.

          • axzxc1236@lemm.ee · ↑4 · 1 year ago

            Install tailscale from F-Droid not Google Play. I had trouble setting up custom server with Google Play version.

    • BastingChemina@slrpnk.net · ↑3 · 1 year ago

      Tailscale is amazing, I work with a small company and we were battling with our IT contractor to have a VPN running for remote work.

      After a while of things not working as it should I just set up tailscaled because I was using it with my home server and it just works.

      We are now on a paid plan and everyone else is using it when working remotely.

  • Encrypt-Keeper@lemmy.world · ↑10 · 1 year ago (edited)

    I use Tailscale with their DDNS feature that generates you a domain that resolves each of your Tailnet devices when connected. You can even run a command that generates an SSL cert for your given node and you can use that to further secure it with TLS in case you don’t want to deal with untrusted cert warnings.

    This is especially useful for iPhones because they won’t keep your Tailscale VPN always on, but you can configure it so that requests to specific domains will activate and use your Tailscale VPN, which you just set to that generated one.

    • BearOfaTime@lemm.ee · ↑1 · 1 year ago

      I was about to ask why you’d need DDNS for Tailscale, had no idea about iOS issues. Thanks!

      • Encrypt-Keeper@lemmy.world · ↑3 · 1 year ago

        Because even when you have static IPs it’s still nice to just use a host name, and to properly secure things with a certificate. It’s not really DDNS as much as it is plain old DNS, but it works without configuration on your part. Once you enable it, whatever the tailnet name of your device is, becomes ‘device name.yourdomain.ts.net’.

  • JoeKrogan@lemmy.world · ↑4 · 1 year ago (edited)

    DuckDNS will give you a free domain name. Run WireGuard on the machine to connect remotely. Only allow the WG port for remote access. Optionally, limit app access in your webserver to your VPN and LAN IPs. You can also run something like AdGuard Home to get ad blocking. In that case set your WG server IP as the DNS server IP, e.g. 10.0.0.1, and add your DuckDNS domain name in AdGuard so it will resolve without having to do an external lookup when on the LAN or VPN.

    • sunbeam60@lemmy.one · ↑1 · 1 year ago

      I’ve had really poor results with duckdns recently - it seems propagation flakes out every 2-3 months. Wrote to them about it but never had a response.
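
The WireGuard-only layout JoeKrogan describes (and the wireguard-install script stown links further down automates parts of), as an added example that is not from the thread: a server config, a peer config whose DNS points at the server's tunnel address so AdGuard/Pi-hole answers the lookups, and an nftables ruleset that leaves only the WireGuard port reachable from the internet. Assumed values: WAN interface eth0, LAN 192.168.1.0/24, tunnel 10.0.0.0/24, UDP port 51820, DDNS name home.duckdns.org; the keys are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: WireGuard server and peer configs in the
# shape JoeKrogan describes (tunnel DNS pointing at the server so AdGuard/Pi-hole
# answers, only the WireGuard port open to the internet) plus an nftables
# ruleset that enforces it. Assumed values: WAN interface eth0, LAN
# 192.168.1.0/24, tunnel 10.0.0.0/24, UDP port 51820. Keys are placeholders.

WAN_IF=eth0
LAN_NET=192.168.1.0/24
WG_NET=10.0.0.0/24
WG_PORT=51820

# Real keys: wg genkey | tee server.key | wg pubkey > server.pub (same per peer)
wg_server_conf() {
  # $1 server private key, $2 peer public key, $3 peer tunnel IP
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = $3/32
EOF
}

wg_peer_conf() {
  # $1 peer private key, $2 server public key, $3 DDNS name, $4 peer tunnel IP
  # DNS = 10.0.0.1 sends the phone's lookups to the server, where AdGuard/Pi-hole
  # resolves the DDNS name to a private address, so no external lookup is needed.
  cat <<EOF
[Interface]
Address = $4/32
PrivateKey = $1
DNS = 10.0.0.1

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

nft_ruleset() {
  # Internet-facing: only UDP $WG_PORT. SSH, HTTP(S) and DNS: LAN and tunnel only.
  # No forward chain here: Docker owns FORWARD (policy DROP); see the note below.
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    icmp type echo-request accept
    udp dport $WG_PORT accept
    ip saddr { $LAN_NET, $WG_NET } tcp dport { 22, 80, 443 } accept
    ip saddr { $LAN_NET, $WG_NET } tcp dport 53 accept
    ip saddr { $LAN_NET, $WG_NET } udp dport 53 accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    ip saddr $WG_NET oifname $WAN_IF masquerade
  }
}
EOF
}

if [ "${1:-}" = "demo" ]; then
  wg_server_conf "<server-private-key>" "<phone-public-key>" 10.0.0.2
  echo; wg_peer_conf "<phone-private-key>" "<server-public-key>" home.duckdns.org 10.0.0.2
  echo; nft_ruleset
fi
```

Two things to check after applying this with `nft -f` on a Docker host: Docker publishes container ports with DNAT before the input chain runs, so a `-p 8096:8096` on Jellyfin is still reachable from the internet regardless of the ruleset above (publish to `127.0.0.1:8096:8096` or let Traefik be the only container that publishes anything), and Docker sets the iptables FORWARD policy to DROP, so tunnel clients only reach the LAN once wg0 is allowed there, e.g. `iptables -I DOCKER-USER -i wg0 -j ACCEPT`, with `net.ipv4.ip_forward=1` set.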

  • Decronym@lemmy.decronym.xyz (bot) · ↑4 · 1 year ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    CF              CloudFlare
    CGNAT           Carrier-Grade NAT
    DNS             Domain Name Service/System
    HTTP            Hypertext Transfer Protocol, the Web
    HTTPS           HTTP over SSL
    IP              Internet Protocol
    NAS             Network-Attached Storage
    NAT             Network Address Translation
    NUC             Next Unit of Computing brand of Intel small computers
    SSH             Secure Shell for remote terminal access
    SSL             Secure Sockets Layer, for transparent encryption
    TLS             Transport Layer Security, supersedes SSL
    UDP             User Datagram Protocol, for real-time communications
    VPN             Virtual Private Network
    VPS             Virtual Private Server (opposed to shared hosting)

    [Thread #319 for this sub, first seen 1st Dec 2023, 09:55]

  • onlinepersona@programming.dev · ↑6 ↓3 · 1 year ago

    Why so complicated? Why not just SSH? Put it on some random port, make it public key login only, and you’re done.

    • Eris@l.os33.co · ↑1 · 1 year ago

      This is what I do and I’ve wondered why people always shill for tailscale or cloud flare tunneling, seems like way too much extra bs for the same thing

    • ExploratrixLunae@kbin.social · ↑1 · 1 year ago

      I’ve been looking into a similar setup and I didn’t know SSH could do this kind of tunneling. Thanks for the tip! I’m going to consider using it.

      • onlinepersona@programming.dev · ↑1 · 1 year ago

        I’m not sure what you mean by tunnel, but SSH allows a “secure shell” aka an encrypted connection to a shell on a device. Tailscale, Headscale, and others are VPNs, which means they allow making it seem as if your computer is in the same (private) network as that of the server - but in order to have a shell on the server, you’ll still need SSH.

        To my knowledge, adding a VPN to open a secure shell on the server is unnecessary and has no security benefits.
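
What onlinepersona's "random port, public key login only" looks like on disk, as an added example that is not from the thread: an sshd drop-in with those settings, an audit that reports an existing config's deviations from them, and a client config that reaches a web app through the SSH connection (OpenSSH's `LocalForward`) instead of publishing the app. Assumed: a Debian/Ubuntu layout where sshd_config has `Include /etc/ssh/sshd_config.d/*.conf`, login user nuc, port 2222, DDNS name home.example.net, Jellyfin on 127.0.0.1:8096; all names are illustrative and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: an sshd hardening drop-in, an audit of an
# sshd_config against it, and a client config that forwards Jellyfin over SSH.
# Assumed: "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config, user "nuc",
# port 2222, DDNS name home.example.net. Names are illustrative.

sshd_hardening_dropin() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/10-hardening.conf  (run "sshd -t" before restarting)
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
AllowUsers nuc
EOF
}

# sshd keeps the first value it sees for a keyword (keywords are case-insensitive).
# Prints one line per weak setting. Does not follow Include or Match blocks, so
# for the effective configuration run it on the output of "sshd -T".
audit_sshd_config() {
  awk '
    BEGIN {
      v["passwordauthentication"] = "yes"          # sshd defaults when absent
      v["kbdinteractiveauthentication"] = "yes"
      v["permitrootlogin"] = "prohibit-password"
      v["pubkeyauthentication"] = "yes"
      v["port"] = "22"
    }
    /^[ \t]*(#|$)/ { next }
    { k = tolower($1); if ((k in v) && !(k in seen)) { seen[k] = 1; v[k] = $2 } }
    END {
      if (v["passwordauthentication"] != "no")       print "WEAK PasswordAuthentication " v["passwordauthentication"]
      if (v["kbdinteractiveauthentication"] != "no") print "WEAK KbdInteractiveAuthentication " v["kbdinteractiveauthentication"]
      if (v["permitrootlogin"] != "no")              print "WEAK PermitRootLogin " v["permitrootlogin"]
      if (v["pubkeyauthentication"] != "yes")        print "WEAK PubkeyAuthentication " v["pubkeyauthentication"]
      if (v["port"] == "22")                         print "INFO Port 22 (default, the first port bots try)"
    }' "$1"
}

# Client side: http://localhost:8096 on the laptop reaches Jellyfin through SSH.
ssh_client_config() {
  cat <<'EOF'
# ~/.ssh/config
Host nuc
    HostName home.example.net
    Port 2222
    User nuc
    IdentityFile ~/.ssh/id_ed25519_nuc
    IdentitiesOnly yes
    LocalForward 8096 127.0.0.1:8096
EOF
}

# Constructed sample of a stock-looking sshd_config, not taken from any host.
weak_sample_config() {
  cat <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); weak_sample_config > "$tmp"
  echo "before:"; audit_sshd_config "$tmp"
  echo "after:";  sshd_hardening_dropin > "$tmp"; audit_sshd_config "$tmp"
  rm -f "$tmp"
fi
```

The port move only thins out log noise; the settings that actually remove the password attack surface are `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `AuthenticationMethods publickey`, which is why the audit reports on those and treats the port as informational.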

  • Possibly linux@lemmy.zip · ↑2 · 1 year ago

    First off, don’t expose anything that doesn’t need to be exposed. If you're the only one using it you could use a VPN or SSH.

    Second off, make sure you isolate everything with firewalls. Your reverse proxy should only have access to each service and each service should only have access to the reverse proxy. You should also block non essential ports.

    For the services themselves, make sure you use strong passwords and keep them updated. For docker you can use watchtower to automatically pull and deploy software.
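
One way to get the "proxy reaches each service, services reach only the proxy" layout with Docker networks, as an added example that is not from the thread: only Traefik publishes ports, each app is on its own network that Traefik also joins, and nothing has a `ports:` entry except the proxy. Assumed: Traefik v3 with the Docker provider, hostnames under example.net, an existing `authelia@docker` forward-auth middleware on the `proxy` network; the compose file and the check are both added here.

```shell
#!/bin/sh
# Added example, not from the thread: a compose layout where the reverse proxy is
# the only service that publishes ports and each app sits on its own network
# that only the proxy also joins, plus a check that lists which services publish
# ports. Assumed: Traefik v3 Docker provider, hostnames under example.net, an
# existing "authelia@docker" middleware (Authelia lives on the "proxy" network).

compose_isolated() {
  cat <<'EOF'
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy, net_jellyfin, net_sonarr]

  jellyfin:
    image: jellyfin/jellyfin
    networks: [net_jellyfin]            # reachable from traefik only; no "ports:"
    labels:
      - traefik.enable=true
      - traefik.docker.network=net_jellyfin
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.net`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.middlewares=authelia@docker
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096

  sonarr:
    image: lscr.io/linuxserver/sonarr
    networks: [net_sonarr]              # cannot reach jellyfin at all
    labels:
      - traefik.enable=true
      - traefik.docker.network=net_sonarr
      - traefik.http.routers.sonarr.rule=Host(`sonarr.example.net`)
      - traefik.http.routers.sonarr.entrypoints=websecure
      - traefik.http.routers.sonarr.middlewares=authelia@docker
      - traefik.http.services.sonarr.loadbalancer.server.port=8989

networks:
  proxy:
  net_jellyfin:
  net_sonarr:
    # add "internal: true" to a network whose app needs no outbound access at all
EOF
}

# Lists the services in a compose file that publish host ports; here only traefik.
services_publishing_ports() {
  awk '
    /^services:/ { insvc = 1; next }
    /^[^ ]/     { insvc = 0 }
    insvc && /^  [A-Za-z0-9_.-]+:/ { svc = $1; sub(/:$/, "", svc) }
    insvc && /^    ports:/ { print svc }
  ' "$1"
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); compose_isolated > "$tmp"
  echo "services publishing ports:"; services_publishing_ports "$tmp"
  rm -f "$tmp"
fi
```

`traefik.docker.network` matters once Traefik is on several networks: without it Traefik may pick an address on a network the app is not on and the route fails. The read-only socket mount is still full control of the Docker daemon for anyone who gets code execution inside Traefik; a socket proxy that only allows the read endpoints the Docker provider needs is the usual mitigation.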

  • h3ndrik@feddit.de · ↑1 · 1 year ago

    Make your services password protected and have some software like fail2ban that blocks people from brute-forcing passwords.

    Keep your software up to date.

    • Footnote2669@lemmy.zip (OP) · ↑0 · 1 year ago

      They are password protected. Plus, behind 2FA authelia. Plus Crowdsec (which originally made me make this post, cos I can see http probing etc on it)

      • h3ndrik@feddit.de · ↑1 · 1 year ago (edited)

        Alright. I wouldn’t worry too much, then. If you set it up correctly and you keep it up to date so there aren’t any security vulnerabilities, you should be okay.

        Of course there are arbitrary, more strict approaches. You could do monitoring. Or restrict the IP addresses the server answers to. Or put everything behind a VPN and not have it exposed in the first place. But I also have my NAS and a few internet services like Nextcloud and it’s been fine, similar to this, for years.

        • sunbeam60@lemmy.one · ↑2 · 1 year ago

          Same, have had a few select services exposed to the internet, behind very, very complex passwords or keys, with fail2ban etc. Never had an incident.
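
The fail2ban setup h3ndrik and sunbeam60 mention, applied to the OP's Authelia login page, as an added example that is not from the thread: a filter for Authelia's failed-login lines, a jail that bans in the DOCKER-USER chain (Traefik runs in Docker, so a ban in INPUT would not catch DNAT'd traffic), and a dry run over constructed log lines showing which address trips `maxretry`. Assumed: Authelia's default text log format with `remote_ip=` fields (the message text follows Authelia's own log lines and fail2ban filter, but check it against your log), log path /var/log/authelia/authelia.log; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a fail2ban filter and jail for Authelia
# login failures plus a dry run of the filter over constructed log lines.
# Assumptions: Authelia text log with "remote_ip=" fields at
# /var/log/authelia/authelia.log, Traefik in Docker (ban in DOCKER-USER), maxretry 3.

fail2ban_filter() {
  cat <<'EOF'
# /etc/fail2ban/filter.d/authelia.conf
[Definition]
failregex = ^.*Unsuccessful (1FA|TOTP|Duo|WebAuthn) authentication attempt by user .*remote_ip=<HOST>.*$
ignoreregex = ^.*level=(debug|info).*$
EOF
}

fail2ban_jail() {
  cat <<'EOF'
# /etc/fail2ban/jail.d/authelia.local
[authelia]
enabled  = true
filter   = authelia
logpath  = /var/log/authelia/authelia.log
maxretry = 3
findtime = 10m
bantime  = 1h
# Docker DNATs Traefik's published ports before INPUT, so ban in DOCKER-USER
action   = iptables-allports[name=authelia, chain=DOCKER-USER]
EOF
}

# Constructed sample, not a real log: four failures from one address, one from
# another, and one success that the filter must not count.
sample_authelia_log() {
  cat <<'EOF'
time="2023-12-01T09:55:01Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'admin'" method=POST path=/api/firstfactor remote_ip=203.0.113.7
time="2023-12-01T09:55:03Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'root'" method=POST path=/api/firstfactor remote_ip=203.0.113.7
time="2023-12-01T09:55:04Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'me'" method=POST path=/api/firstfactor remote_ip=198.51.100.4
time="2023-12-01T09:55:06Z" level=info msg="Successful 1FA authentication attempt by user 'me'" method=POST path=/api/firstfactor remote_ip=192.168.1.20
time="2023-12-01T09:55:09Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'test'" method=POST path=/api/firstfactor remote_ip=203.0.113.7
time="2023-12-01T09:55:12Z" level=error msg="Unsuccessful TOTP authentication attempt by user 'me'" method=POST path=/api/secondfactor/totp remote_ip=203.0.113.7
EOF
}

# Dry run of the jail logic (ignores findtime): $1 = log file, $2 = maxretry.
# Prints each address with at least maxretry matching lines.
simulate_bans() {
  grep -E 'Unsuccessful (1FA|TOTP|Duo|WebAuthn) authentication attempt by user' "$1" \
    | grep -Ev 'level=(debug|info)' \
    | sed -nE 's/.*remote_ip=([0-9A-Fa-f.:]+).*/\1/p' \
    | sort | uniq -c \
    | awk -v max="$2" '$1 >= max { print $2 }'
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); sample_authelia_log > "$tmp"
  echo "would ban (maxretry=3):"; simulate_bans "$tmp" 3
  rm -f "$tmp"
fi
```

This only works if `remote_ip` is the real client address. Traefik passes it in X-Forwarded-For, but with Cloudflare proxying in front (the OP's setup) Traefik must trust Cloudflare's ranges (`forwardedHeaders.trustedIPs` on the entrypoint); otherwise every failure is logged against a Cloudflare edge address and the jail bans Cloudflare, not the attacker. In that setup the ban also has to happen at Cloudflare (fail2ban's `cloudflare` action, or a CrowdSec Cloudflare bouncer), since the attacker never connects to the NUC directly.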

  • Nyfure@kbin.social · ↑1 · 1 year ago

    If it's only you and you want the best security, set up a VPN system. (Tailscale, Netbird, or others are quite easy.)
    If someone else should also have access, and you don't want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNAT you need some third-party system to allow this (e.g. Cloudflare or a rented server).

    I am not a big fan of Cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyway, because you are a service provider and only Cloudflare is not enough if it's still publicly accessible through them).
    But in the end it's your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allow IPv4 access when you are behind CGNAT, things you just cannot easily do yourself, certainly not without costs.

  • Sparking@lemm.ee · ↑1 · 1 year ago

    My advice: only forward ports 8080 and 443, then make sure that you have fail2ban or crossed properly set up on your reverse proxy. After that, you are pretty much fine as long as you keep on top of updating your containers.

    I would be careful about which apps you proxy. Idk why you need to access the admin portal for pi hole worldwide. If you really want to do that, you should set up a vpn.

      • stown@sedd.it · ↑2 · 1 year ago (edited)

        Since you aren’t behind CGNAT you can go full self-hosted! Don’t bother with Tailscale or Cloudflare Tunnel or other VPN services that connect through third parties if you can help it.

        Here’s something to get you started with setting up a wireguard server on your NUC. https://github.com/Nyr/wireguard-install

  • Wander@yiffit.net · ↑0 · 1 year ago

    I’d say to start with CF tunnels unless you need non-web based applications. Cloudflare tunnels require you to have a domain, though.

    It has the added benefit that you have network monitoring, logging and some filtering for security that they do on top and you get to manage everything from their web interface.

    Be warned that the first time can be a bit confusing, but since it’s done using their web interface it’s easier than if you have a problem making WireGuard work.

    1. Create a tunnel with a public hostname that will be the url to access that service. During the creation of the hostname specify you want it protected by L7 application firewall.
    2. Create a new self-hosted application in cloudflare application section and for starters use the default login email and in rules specify the list of emails that are allowed to login

    you should now be able to access your application from anywhere.

    Alternatively, if you have a DNS server in your home network you can add a private IP range to your tunnel. Let’s say 192.168.0.0/24. Then when you connect with their pseudo-VPN (cloudflare warp or cloudflare ONE) you can directly use your home network’s ip address from that device. If you tell your device to use a local DNS server that resolves your internal services, you’ll be able to connect to them that way.
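
Wander's dashboard steps as a locally managed `cloudflared` tunnel, as an added example that is not from the thread: the tunnel config with one public hostname and the required catch-all, and the one-time commands that create the tunnel, point DNS at it, and add the private LAN route the last paragraph describes. Assumed: zone example.net, tunnel name nuc, Traefik on 127.0.0.1:443 with a valid certificate, LAN 192.168.0.0/24. The Access application (step 2, the allowed e-mail list) has no config-file equivalent and is still created in the Zero Trust dashboard; without it the hostname is public and only Authelia stands in front of the app.

```shell
#!/bin/sh
# Added example, not from the thread: Wander's dashboard steps as a locally
# managed cloudflared tunnel. Assumed: zone example.net, tunnel "nuc", Traefik
# on 127.0.0.1:443 with a valid cert, LAN 192.168.0.0/24. The Access policy
# (allowed e-mails) is still configured in the Zero Trust dashboard.

TUNNEL_NAME=nuc
ZONE=example.net
LAN_NET=192.168.0.0/24

# $1 = tunnel UUID printed by "cloudflared tunnel create"; the credentials
# file it writes under ~/.cloudflared/ is copied to /etc/cloudflared/.
cloudflared_config() {
  cat <<EOF
# /etc/cloudflared/config.yml
tunnel: $1
credentials-file: /etc/cloudflared/$1.json
warp-routing:
  enabled: true                        # lets WARP clients use the "route ip" below
ingress:
  - hostname: jellyfin.$ZONE
    service: https://127.0.0.1:443
    originRequest:
      originServerName: jellyfin.$ZONE # SNI for Traefik; cert is verified, no noTLSVerify
  - service: http_status:404           # required catch-all, must be last
EOF
}

# One-time setup. Runs the commands when cloudflared is installed, otherwise
# prints them, so the script can be read through on any machine.
cloudflared_setup() {
  run() { if command -v cloudflared >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi; }
  run cloudflared tunnel login
  run cloudflared tunnel create "$TUNNEL_NAME"
  run cloudflared tunnel route dns "$TUNNEL_NAME" "jellyfin.$ZONE"
  run cloudflared tunnel route ip add "$LAN_NET" "$TUNNEL_NAME"
}

if [ "${1:-}" = "demo" ]; then
  cloudflared_setup
  echo; cloudflared_config 00000000-0000-0000-0000-000000000000
fi
```

After the config is in place, `cloudflared service install` registers it as a system service and `cloudflared tunnel run nuc` tests it in the foreground. Keeping `originServerName` set and leaving `noTLSVerify` out means the connector still validates Traefik's certificate, so a misdirected connection inside the LAN fails instead of being silently proxied.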