I have some ideas for how to securely access my home network, but could use more experienced comments on the designs.
Background:
The network is Ubiquiti based - EdgeRouter X + couple of Unifi switches + Unifi APs.
We have an RPi4 and Synology as the main resources (what I’d want to access remotely).
The main use case is being able to self-host files and security cam with Synology Drive + Synology Surveillance. I’d access from iPhone and laptop.
One consideration is I’d ideally like HTTPS even on the local network - and I have a domain prepared with Cloudflare for this.
The options I’m aware of to access this from outside the network:
VPN - Synology can natively stand up an OpenVPN server. Nothing else is exposed to internet.
Reverse Proxy - I’d expose select apps to internet.
Some combination - where most apps are only accessible behind VPN, but I can stand up trusted apps to reverse proxy.
Some preliminary thoughts:
It seems VPN is the simplest approach, but I probably wouldn’t want to be permanently in a VPN tunnel for my phone and laptop - maybe I’d try to do a split-VPN? Are there other downsides?
I have an assumption that putting everything behind OpenVPN is “more secure” than reverse proxy. Is this a reasonable assumption? Instead of worrying about securing each app, it seems I’m just leaning on the strength of the OpenVPN implementation.
How difficult is it to just grab a Let’s Encrypt certificate for the pure VPN approach? I heard Traefik can manage all that, but if I wanted to have internal-only services, I’d want to have HTTPS for those even internally.
Appreciate any comments, either directly or tangentially related! I’m also curious to hear what others do for these use cases? It seems like a pretty common use case, and there’s a lot of how-to guides for setting it up; but there’s not a lot of discussion of the security merits of the options.
Well, if you expose your applications through reverse proxy, security flaws in the apps themselves could be exploited by an attacker. This includes any weak passwords, enabled guest accounts, default passwords, security vulnerabilities in the service itself, etc.
Regarding Let’s Encrypt - this is not a problem as long as you have access to a domain and DNS. Then you need to use dns-01 validation to confirm ownership of the domain. I use Let’s Encrypt for one of my local network resources myself.
IMHO VPN is the way to go. It is more secure than other options. For your local services, you can still have your own cert for your local services. You just have to install the root cert on all your devices which might not be that tedious.
The best option is to not expose your system to the public internet at all. Use DDNS and a firewall rule based on the source IP address defined by the DDNS entry. Use something like Twingate which uses outbound connections to a third party to proxy traffic to your internal LAN. Use a cloud based VPN provider with a static IP address so that you can again create a firewall rule for only this source IP address.
If you have to use a VPN, something like Tailscale makes for a good option.
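As an added illustration of the DDNS-plus-firewall-rule idea above (this is not the poster's script), here is a cron job for the EdgeRouter that keeps an address-group in sync with a DDNS name; the WAN rule is then written as `source group address-group ddns-allow`. The DDNS hostname, group name, cache path and the EdgeOS `vyatta-cfg-cmd-wrapper` path are assumptions.

```shell
#!/bin/sh
# Sync an EdgeOS firewall address-group with the A record of a DDNS name,
# so a WAN rule like "source group address-group ddns-allow" admits only
# the current away-from-home IP. Names and paths below are assumptions.
DDNS_HOST="${DDNS_HOST:-me.dyndns.example}"        # hypothetical DDNS name
GROUP="${GROUP:-ddns-allow}"                        # address-group the WAN rule references
CACHE="${CACHE:-/config/user-data/ddns-allow.ip}"   # /config survives EdgeOS upgrades
WRAPPER="${WRAPPER:-/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper}"

# Accept only a well-formed dotted quad so a bad DNS answer never reaches the config.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# First IPv4 answer for the hostname, or an empty string if resolution fails.
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# 0 (true) when the resolved IP differs from what was applied last time.
ip_changed() {  # $1 = new ip, $2 = cache file
  if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then return 1; fi
  return 0
}

# Replace the group's contents with the single current IP and persist it.
apply_group() {  # $1 = ip
  "$WRAPPER" begin
  "$WRAPPER" delete firewall group address-group "$GROUP" address >/dev/null 2>&1 || true
  "$WRAPPER" set firewall group address-group "$GROUP" address "$1"
  "$WRAPPER" commit && "$WRAPPER" save; rc=$?
  "$WRAPPER" end
  return $rc
}

update_allowlist() {
  ip=$(resolve_a "$DDNS_HOST")
  if ! is_ipv4 "$ip"; then
    echo "not touching $GROUP: bad answer for $DDNS_HOST: '$ip'" >&2
    return 1
  fi
  if ip_changed "$ip" "$CACHE"; then
    apply_group "$ip" && printf '%s\n' "$ip" > "$CACHE"
  fi
}

# Run from cron (e.g. every 5 minutes) as: ddns-allow.sh run
if [ "${1:-}" = "run" ]; then update_allowlist; fi
```

The group rule only narrows which source address can reach the port; keep the VPN or SSO behind it, since a stale DDNS record locks you out and a hijacked one lets someone else in.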
I use nginx reverse proxy with vouch auth proxy and Google SSO for most apps aka zero trust.
For game streaming servers, I have WireGuard VPN - too lazy to open ports.
I also work in the web security department for a big internet company, so I tend to think that I know what I’m doing. Your own mileage may vary.
It sounds like Twingate and Tailscale are very similar to standing up a VPN server. For my home use case, is this mostly a convenience option? From Twingate docs, the notable differences are:
simpler setup than VPN
per-resource access control
decentralized trust (vs central VPN server)
Is this system and protocol reliable? One thing VPN has going for it is that it is relatively mature tech and common-place.
Thanks - from the other answers it seems like I might not have the expertise to properly secure a reverse proxy. I don’t even know what most of those terms mean.
The big difference on Twingate is that there’s no incoming open port. You have an outgoing connection going to Twingate similar to how LogMeIn, AnyDesk, and other remote options work, but Twingate will literally proxy every TCP/UDP port if you desire. The security setup is very flexible and very secure, but it does have a dependency on a server at Twingate itself.
Tailscale is using WireGuard VPNs to get the work done with centralized management that’s not necessary for communication once the VPN is set up. Less to go wrong, but it requires a client on every workstation or a dedicated gateway. Having used both, I think Twingate is better.