Hello everyone
I can only find similar discussions from several years ago so I thought I’d ask for the current POVs…
Right now I have a VPN set up on my Fritzbox router (Wireshark) through which I connect to my NAS services when needed. 99% of these connections happen from my phone (to retrieve a file, play a movie when out etc).
Would it be better to opt for a reverse proxy solution? I understand that the benefit is you don’t need to set up the VPN on the initiating device, but that’s a non-issue for me. Are there any other benefits, especially security-wise?
Thanks!
As for security, stick with a VPN, there is nothing more secure.
If you want flexibility, like streaming through a browser via Plex, then open necessary ports?
If you want to access files via Nextcloud or use homeassistant on the go, reverse proxy might be a thing.
There are also tons of other solutions like tailscale, cloudflare tunnels, it always depends on your needs.
“Never change a running system” I would stick to that, if there is a specific use case you need to rethink the way you want to do it.
I personally did go with a combination of reverse proxy (+ Cloudflare WAF + Cloudflare IP List (only these IPs are allowed to connect to port 443/80)) and VPN.
How many and what services are you considering reverse-proxying?
I reverse proxy things that multiple people should have access to, and VPN for things that only I need. Examples of reverse proxies include: Kavita, Overseerr, HomeAssistant. VPN only: file access, databases, appdata.
Just do both. I have an Nginx Proxy Manager LXC that's also a Tailscale exit node, using Cloudflare with split DNS. Check out Alex's video for the full breakdown: https://www.youtube.com/watch?v=Uzcs97XcxiE. The setup is pure magic.
Use an overlay network like Tailscale; far superior IMHO and much easier to manage, especially if you are only using it for a single end-user device. I believe there is now a direct plugin to make it even easier.
I have tailnet and also warp+ set up because I run commercial services via CF and warp+ allows me to have multiple trust zones (Tailscale does also, but it is far more rudimentary). For your use case and plugin simplicity I would favor Tailscale.
The only downside is if you use a jumpbox (from router) to remotely reboot etc. if you have IPMI or the like. You could set up a tailnode too, depending upon the router. You could keep the VPN in place for this situation, and move forward w/ an overlay for the rest.
You do not need a reverse proxy as you would be in a trusted enclave w/ the overlay.
Flexibility is not really an issue since just going through the VPN allows me to do pretty much everything, including watching content from my Jellyfin (no Plex here) container.
I tend to agree with the “never change a running system”, but my main question (which I pretty much failed to state out loud) had to do with security best practices; so if a VPN is still the preferred solution, security-wise, I guess I’ll stick to it! I just thought I’d ask because I see more and more talk about reverse proxies 
No other people apart from me access the NAS from outside the LAN, actually!
Thanks, already opened and watching the vid! But, what would the benefit be if implementing both solutions?
You’ll hear a variety of responses from people, and they will vary depending on their use case.
Pretty please listen to this piece of advice though, if it’s a single user, just use a VPN for both security and ease-of-access sake.
Please let me know if you need a hand with this!
Since I’m the only user from outside our LAN (when at home it’s also used by our son and my wife, but never when outside), that was my thought, too. If the only reason for reverse proxies (about which I’m hearing more and more lately, hence my OP) is to facilitate entry for multiple users/devices, then I guess there’s not much meaning to it - at least that’s my understanding from the comments here.
Thanks for your input!!! Also thanks for the offer, thankfully my VPN works without a hitch whatsoever 