…and even wondering if I really need to. I am often guilty of making that “one tweak too many”, breaking a nice, working system in the process!
I have everything set up according to the best walk-throughs I can find. Have dockerized containers for Nginx Proxy Manager, Authentik and a ton of the standard *arr apps and tools (using OMV as a NAS). Have my own domain name, hosted on Cloudflare, with CNAMES set up, proxied through Cloudflare, pointing back to my main record. I can do full domain name resolution inside my home network, with working HTTPS connections to all my app web GUIs. I also have the ability to private VPN into my home network, using Wireguard, OpenVPN or IPsec.
I would probably be happy to continue to use my VPN connection to the home network when I am remote, BUT… I really would like to give Overseerr access to a couple of remote family members that have access to my Plex library (populated by Sonarr/Radarr). My finger often hovers over the Port Forwarding option on the router, but I ultimately chicken out. Am I being paranoid?? Should I just educate my family members on how to connect to my network via VPN? Anyone else made this choice? Looking for success (and maybe horror) stories before I potentially proceed.
VPN and sleep peacefully knowing you can skip a month of patches without thinking about it.
life’s too short to worry about exposed services. Just set up the remote VPN clients so only traffic meant for your network is tunneled and your family will never even know it’s there.
Why don’t you give Cloudflare tunnels a try? It means you don’t have to open ports and you can put Cloudflare’s WAF in front of it too.
Thanks - will look into this.
You’ll be fine. It’s exactly what I do. Just keep any exposed services up to date. NPM also has a very rudimentary blocker that mostly relies on UA and bad strings getting passed through. You can turn that on. Open up only services that need to be exposed e.g. don’t expose sonarr/radarr unless there’s a good reason for it. Make sure anything you expose that doesn’t have any sort of authentication can have it implemented in nginx or you can use an SSO solution.
I expose strictly needed services while everything else is just internal. Exposed services include jellyfin, jellyseer (jellyfin version of overseerr), and nextcloud.
That is almost exactly what I would like to do, but with Plex/Overseerr. I am curious, do you run any type of intrusion detection s/w, or have you set up fail2ban?
I have fail2ban for SSH but I haven’t tuned it for nginx yet. I’ve worked with OSSEC which has a fork called Wazuh which I’ve been wanting to set up.
If the service is strictly only for you: don’t. Use VPN to access your service remotely. If its a service for everyone (like a blog or such) there is no way around it. It does not break any security, but you should make sure that the containers/servers exposing this service are secured as much as possible.
I made a different setup due to my old ISP who give only CGNAT IP. I’ve used an VPS who’s host an Wiregaurd Sever and made a port forwarding rules to redirect port to my local machine (or other machine connected to this VPS via VPN). That a good method when you have a CGNAT IP and/or when you don’t want to give your residential IP (or want to host some thing in an IP and other in another IP has my provider sell them for 2.5 bucks one time). Now I have a full V4 IP, but I don’t switch to it has I find it more convenient to stay with that. A little plus, is if you torrenting your favorite free and legal movie your IP is hide too. The two bad thing so : latency is augmented (by 1 or 2 ms), network speed can be reduced compared to a direct connection but for plex for exemple it work like a charm.
Depends on how confident you are in the security of the apps you’re hosting.
If you’re proxying through Cloudflare, though - isn’t that already effectively exposing your apps publically anyways?
Yes, the CNAME record via Cloudflare does not leave a lot to the imagination as to what app it is pointing to, but I have not opened port 80 or 443 on my firewall, so the firewall is bouncing any probes.