VPNs, Reverse Proxies and a Noob (Me)



Hi guys,

 

I've been watching SpaceInvaderOne videos like a convert the last few days and tried following along, but anything beyond his initial guides really stumps a massive noob like me. I'm struggling to figure out what the different use cases for VPNs versus reverse proxies are for certain tasks, and whether I am leaving myself vulnerable to attack on my server.

 

So far today I set up an OpenVPN, which I managed to get working. I followed that up by setting up a Nextcloud server to auto-backup my phone's photos; however, I wanted to be able to back up when not on my home network. SIO suggested that a reverse proxy is better for accessing something like Nextcloud over the web than OpenVPN? I tried following the reverse proxy guide, even buying my own domain, but basically I just got completely lost when trying to set up subdomains (the Google domain service is much more confusing than his example!).

 

I'm really confused about which way to access my server remotely is the best, and whether all these different methods conflict with each other at all?

 

Any help clarifying is much appreciated - because as fantastic as SpaceInvaderOne videos are, as soon as you go off-piste as a complete amateur, you get lost almost immediately.

1 hour ago, ultrafud said:

A VPN and a reverse proxy serve different purposes, so it's not an A vs B; rather, your needs dictate what to use.

 

Think of connecting to your home VPN like plugging the connecting computer directly to your router LAN port (or like connecting to your home Wifi). Everything on the network is available to you through the VPN connection (unless you specifically set things up to block stuff, usually not the most straight-forward thing to do).

A typical reverse proxy only redirects web-based services on your network (through http / https). So typically only stuff that you access through a browser would be available through the reverse proxy. At a high level, it's more restrictive than a VPN.

 

So use file-sharing as an example.

  • Nextcloud has a web interface and thus can be set up using a reverse proxy (or VPN).
  • SMB wouldn't work through a reverse proxy because it's not web-based, so it needs to be connected through the VPN.

Important note: Unraid GUI is web-based but it should never be exposed to the Internet through a reverse proxy.

 

With both kinds, you need to first be sure that your ISP doesn't block incoming connections through the WAN (either deliberately or just by design, e.g. the double NAT problem).

 

If that's ok then you need to open some ports on your router (Port Forwarding section - different depending on router).

You should NEVER create a DMZ unless you know exactly what you are doing.

 

Then you need to understand if your IP is static or not.

  • If you have a static IP, then set up an A record ("Custom resource records" section, Name = @, Type = A, TTL = 1h, Data = your IP).
  • If you don't have a static IP, then you need to set up Dynamic DNS (Synthetic records section -> Google will create a subdomain + username + password for your DDNS software, usually built into the router).
    • If your router doesn't support Google Domains, then I think you can set up a free Cloudflare account and use the API with the Cloudflare docker on the Apps store.
    • An alternative is to use a popular DDNS service like DuckDNS.

If connecting through VPN, that should be all you need i.e. just point OpenVPN to domain:port and it should work.

 

 

With a reverse proxy, you also need to set up a CNAME. It's in the "Custom resource records" section with Google Domains, and the content is similar to what SIO shows.

Let's say you have the domain example.com and you need to set up nextcloud.example.com.

  • With a static IP: Name = nextcloud, Type = CNAME, TTL = 1h, Data = example.com
  • With DDNS, your IP would point to a subdomain instead of the root domain (e.g. it would point to ddns.example.com instead of example.com), so your CNAME record would be Name = nextcloud, Type = CNAME, TTL = 1h, Data = ddns.example.com.
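As an added example (not from the thread), the two record layouts above as a small offline checker: it follows the CNAME chain the way a resolver would and flags the record mistakes that registrars reject or resolvers cannot follow (a CNAME at the apex, a CNAME beside other records, a dangling or looping target). Both zones and the 203.0.113.10 address are constructed.

```python
"""Offline check of the DNS record layouts from the reply above.

Records are (name, type, ttl, data), the columns of Google Domains' form,
with fully qualified names. Both zones below are constructed; 203.0.113.10
is a documentation address standing in for the home WAN IP.
"""

# Static-IP layout: A record at the apex, nextcloud is a CNAME to the apex.
STATIC_ZONE = [
    ("example.com", "A", "1h", "203.0.113.10"),
    ("nextcloud.example.com", "CNAME", "1h", "example.com"),
]

# DDNS layout: the DDNS client updates ddns.example.com; nextcloud points there.
DDNS_ZONE = [
    ("ddns.example.com", "A", "1h", "203.0.113.10"),
    ("nextcloud.example.com", "CNAME", "1h", "ddns.example.com"),
]


def resolve(records, name, max_hops=8):
    """Follow CNAMEs from `name` to an A record; None if missing or looping."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        here = {t: d for n, t, _, d in records if n == name}
        if "A" in here:
            return here["A"]
        if "CNAME" not in here:
            return None
        name = here["CNAME"]
    return None  # loop (a -> b -> a) or chain too long


def validate(records, apex):
    """List the mistakes a registrar rejects or a resolver cannot follow."""
    problems = []
    types_at = {}
    for n, t, _, _ in records:
        types_at.setdefault(n, []).append(t)
    for n, types in types_at.items():
        if "CNAME" in types and n == apex:
            problems.append(f"{n}: CNAME at the apex is not allowed; use an A record")
        elif "CNAME" in types and len(types) > 1:
            problems.append(f"{n}: a CNAME cannot coexist with other records")
    for n, t, _, d in records:
        if t == "CNAME" and resolve(records, d) is None:
            problems.append(f"{n}: CNAME target {d} does not lead to an A record")
    return problems
```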

 


Thanks for that response! I think it will take me a while to take it all in and I'll definitely be giving it several reads to try and put it all together in my head.

 

I guess the big question overall is am I putting myself at any abnormal risk trying to set this up? The worst thing I'd want is to leave gaping holes in my security. I'm assuming OpenVPN and Nextcloud respectively have their own defenses, but I'm just looking for some reassurance.

 

Again, I really appreciate the time you took to respond to me.

7 hours ago, ultrafud said:
First note that as long as you expose yourself to the Internet, getting the attention of hackers is a matter of sooner or later, not yes or no. No amount of assurance will change that fact. The most annoying problem with being exposed to the Internet is actually DDoS attacks that will cripple your home internet. That will 100% definitely happen at one point, so keep that in mind.

 

OpenVPN is rock solid if set up right (i.e. follow the guide properly and you should be fine).

Even if OpenVPN is hacked, there are a lot bigger fish out there than a small time home user.

According to my own reading, it looks like successful hacks on VPN typically involve improper config (including poor password!) and/or social engineering.

 

Nextcloud is also solid, especially if set up correctly in a Docker container, e.g. don't map your entire /mnt/user to it, no privileged mode, etc.

So even if it's hacked, the worst that would happen is you lose whatever is mapped to it. It's very difficult to escape the container into the host (similar to OpenVPN, if someone is able to do that, there are bigger fish to fry than a home user).
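The two container settings called out above (privileged mode and mapping the whole /mnt/user share), checked offline in an added example that is not from the thread. It reads the shape `docker inspect <container>` prints; the two records are constructed, and the list of over-broad host paths is my assumption.

```python
"""Audit a container for the two settings the reply above warns about."""
import json

# Constructed `docker inspect` excerpts (only the fields the audit reads).
WEAK = json.loads("""{
  "Name": "/nextcloud",
  "HostConfig": {"Privileged": true, "Binds": ["/mnt/user:/data:rw"]}
}""")

HARDENED = json.loads("""{
  "Name": "/nextcloud",
  "HostConfig": {"Privileged": false,
                 "Binds": ["/mnt/user/appdata/nextcloud:/config:rw",
                           "/mnt/user/nextcloud:/data:rw"]}
}""")

# Host paths that hand the container far more than one app's own data.
# Assumed list: the share root named in the thread and its parents.
BROAD_PATHS = ("/", "/mnt", "/mnt/user")


def host_path(bind):
    """'/mnt/user:/data:rw' -> '/mnt/user' (bind syntax is host:container[:opts])."""
    return bind.split(":", 1)[0].rstrip("/") or "/"


def audit(inspect_record):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    host = inspect_record.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged mode: container gets full access to host devices")
    # "Binds" is null in inspect output when the container has no bind mounts.
    for bind in host.get("Binds") or []:
        path = host_path(bind)
        if path in BROAD_PATHS:
            findings.append(f"bind mount {path!r}: exposes far more than the app's "
                            f"own data; map a subfolder such as {path}/<appname>")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, record["Name"], audit(record) or ["ok"])
```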