this post was submitted on 17 Dec 2023
17 points (87.0% liked)

Selfhosted

39937 readers
400 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
17
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 

I run a load of containers on a NAS, and reverse proxy them through synology's inbuilt reverse proxy settings.

Essentially, I'd like to harden my security, and not really sure how best to do it.

Seeing people recommend nginx proxy manager, I've tried to set this up but never managed to get the certificates to work from letsencrypt ("internal server error" when trying to get one). When I finally got it working a while ago (I think I imported a cert), any proxy I tried to setup just sent me to the Synology login page.

I've tried to setup the VPN that comes with Synology (DSM 7+), but I must have set it up using the local IP address. It only works when I'm on my LAN, and not from an external network. Which is kind of the point, lol. I would like to use VPN to access the home network when out and about.

I've set random, long, unique passwords for everything I want to access, but I am guessing this is not the most secure, after seeing so many people use and recommend vpns.

I have tailscale, which is great for ssh-ing onto my Nas from the outside world. But to access my services, is a VPN the best way to do it? And can it be done entirely myself, or does it require paying for a service?

I've looked at authentic - pretty confusing at the outset, and Isee few evenings of reading guides ahead of me before I get that working. Is that worth setting up?

Does anyone have any advice/guides/resources that might help?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (1 children)

If you are just looking for a way to SSH into your machines from outside your network, you can setup a more recent VPN or Wireguard yourself. If you have a Raspberry Pi lying around, using PIVPN makes things super easy. You can have both OpenVPN as well as Wireguard running if you want, using the same script. If that is the only thing you like to do, then there is no need to reverse proxy your servers and expose them. Just having a VPN or Wireguard connection should be enough to access your servers when outside of your network. It is recommended to have a fixed IP btw, to find your VPN/Wireguard server easily.

Also, you can leave all your servers locally (and not exposing them) when you can reliably setup a VPN/Wireguard connection. That is the most secure I guess.

[–] [email protected] 1 points 10 months ago (2 children)

Yeah, I definitely like the idea of leaving all services running locally, and connect to my VPN when needing to tinker/access.

I do have a couple of raspberry pi's, but I prefer to run stuff on the Nas, I only use the pi's as clients to stream from.

I'm gonna go lookup the difference between openvpn and wireguard :) And I have a dynamic DNS setup, that's basically the same as a fixed IP, right?

Thanks!

[–] [email protected] 2 points 10 months ago

I setup openvpn on my network originally + duckdns on a dynamic IP in 2021/2022. It's an "older" protocol but I felt it was easier to setup since it's been around longer and the tools just make it easy.

Wireguard has speed advantages but being newer, takes more work to see those speed advantages. There's a docker container called wg-easy that I've heard mixed things about (speed in a docker container vs easy to setup).

I used tail scale when I rebuilt my VPN server because I was originally using Oracle Linux (wanted to learn it more but went back to Ubuntu).

If you can get certificates working, wireguard shouldn't be too difficult. I prefer VPN over exposing multiple ports/protocols for a family or small userbase. If you're sharing libraries or other services with extended family, I'd probably expose those to the Internet and work on hardening/having that server in a demilitarized zone + certificate based authentication and MFA on any public admin accounts.

[–] [email protected] 1 points 10 months ago (1 children)

Fyi, you don't need a raspberry pi to use PiVPN, it actually works on all Ubuntu based distros and even Alpine Linux, you can just install it in a VM on your NAS.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

Ah. VMs. I (stupidly?) set my storage array to use ext4, and apparently it needs to be a btrfs to be able to use VMs. I cba to rebuild it at the moment.. so I just use docker for everything

[–] [email protected] 1 points 10 months ago

Ext4? What do you run on your NAS?