I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has “–net host”, although the containers can access host services because they have the option “–map-guest-addr” set, so I don’t know if this is any safer then “–net host”.

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don’t think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don’t really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    16 hours ago

    Is a vpn always safer then a reverse proxy?

    Depends on what you trust, I guess.

    A reverse proxy on a standard cert is a bigger target for automated scripts than a reverse proxy on a non-standard port. A VPN runs through the VPN’s authentication, whereas a reverse proxy relies on whatever that app’s authentication is. So whether it’s secure enough depends on the VPN configuration, what you’re hosting, etc.

    I’m behind CGNAT, so I have limitations you don’t, but here’s my setup:

    • VPS at the edge for my public services - basically the same as a reverse proxy because the application is directly exposed
    • self-hosted VPN at VPS to facilitate reverse-proxy - I could shut down public access any time and just login w/ the VPN
    • static DNS entries on my router so I can use my domains inside my network (TLS also works properly)

    I like this approach because I can eat my cake (nice domain names instead of IPs and ports) and have it too (fast connection inside LAN, can disable reverse proxy if I want better security). You could get the same w/o the VPS, and if you require WireGuard VPN access outside the LAN, you get better security than a public-facing service.

    • miau@lemmy.sdf.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      12 hours ago

      I didnt mention on my original post but I do have a virtual machine on gcp, which I use to run mongodb. I didnt mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that ssh is open and it has no private data in it.

      But I suppose I could do something similiar to what you mentioned. The ideia of having and eating the cake is very nice. And if something goes wrong I could turn of public access and have the vpn still working.

      I will consider implementing something like that as well, thanks a lot for sharing your thoughts!