Hi guys,
Just wanted to see why people would expose services either through a reverse proxy or normally, if technology like WireGuard and OpenVPN exist?
Convenience would probably be the top answer, but is it really worth the risk?
Thanks
They want to serve more than one or two people, and they want to be able to do so with a simple user/pass scheme.
Performance is a concern for me. My router is not powerful enough to do VPN and NAT at the same time. Another concern is WG cannot do multiple peers without assigning each peer a unique key, so when I need to spin up dozens of servers I couldn’t connect them to my router using one key pair. OpenVPN can do this, but then there’s the performance issue again.
Yeah that makes sense. Thanks for the insight.
Some things don’t play nice with a VPN, like wireless android auto.
They make the local device setup more complicated and, in some networks, you don’t have a chance to connect.
I like to go with HTTPS and mTLS. On mobile and in general browsers, you can easily install them and then I can access them everywhere HTTPS is allowed.
Can you though? I used to do exactly these things and either on Android or iOS I had trouble installing a certificate. Well, in a way it’s not a big issue anyway, probably it’s smart to go with public domains anyway (even for private resources)
I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.
But I meant client certificates in this context. What I do:
- Use a public domain, pointing A and AAAA *.domain.tld to a traefik lb/reverse proxy. I use it on Kubernetes.
- use LE for that *.domain.tld, instead of direct domain certs to be more private (as all public CAs disclose the signed certs (https://crt.sh/))
- create my own CA for client authentication
- set my own CA as the trust anchor for clients in traefik for domains which require authentication
- create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them). I use the pfx format, as this is widely accepted by the browsers and systems. p12 should also work
- Add the client certificate on the devices. But I don’t put the CA as a trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.
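The setup in the post above, worked through as an added example (my script, not the poster's): a private CA that only signs client certificates, a user key and cert bundled as a .pfx without the CA inside it (so importing it on a phone does not also install the CA as a trust anchor), a second "rogue" CA to show that the proxy-side check rejects certificates from anyone else, and a traefik file-provider fragment that requires a client cert chained to the private CA while the public *.domain.tld certificate still serves the name. Assumptions: openssl 1.1.1 or newer is installed; "domain.tld", "home", "alice", "mallory", the certResolver name and the paths under /certs are placeholders. The poster runs traefik on Kubernetes, where the same `clientAuth` block goes into a TLSOption resource instead of this file.

```bash
#!/usr/bin/env bash
# Added example, not the poster's own scripts. Assumes openssl 1.1.1+.
# All names (home, rogue, alice, mallory, domain.tld) are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/client-ca.cnf"
PFX_PASS="${PFX_PASS:-changeme}"   # placeholder import password for the .pfx

# Extension profiles: the CA may only sign certificates; client certs are
# end-entity and clientAuth-only, so a leaked one cannot pose as a server or CA.
write_cnf() {
    cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca NAME: self-signed CA as $WORKDIR/NAME.key and NAME.crt. Only the
# .crt goes to the proxy as trust anchor; the key never leaves this machine.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$CNF" -extensions v3_ca -subj "/CN=$1 Client CA" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# make_client CA USER: key generated here (no CSR round-trip with the user),
# cert signed by CA, bundled as USER.pfx for import on a phone or browser.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$2" \
        -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$2.csr" \
        -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
        -extfile "$CNF" -extensions v3_client -out "$WORKDIR/$2.crt" 2>/dev/null
    # Deliberately no -certfile: the bundle carries only the user's key and
    # cert, so importing it does not install the private CA on the device.
    # With OpenSSL 3, add -legacy if an old device rejects the AES/PBKDF2 encoding.
    openssl pkcs12 -export -inkey "$WORKDIR/$2.key" -in "$WORKDIR/$2.crt" \
        -passout "pass:$PFX_PASS" -out "$WORKDIR/$2.pfx"
}

# verify_client CA USER: the check the proxy performs at the handshake, a chain
# to our CA with the clientAuth purpose. Prints OK or FAIL, exit code to match.
verify_client() {
    if openssl verify -CAfile "$WORKDIR/$1.crt" -purpose sslclient \
            "$WORKDIR/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Traefik v2 file-provider fragment: routers with the "mtls" option require a
# client cert chained to /certs/home.crt; the server cert stays the LE one.
write_traefik_config() {
    cat >"$WORKDIR/traefik-mtls.yml" <<'EOF'
tls:
  options:
    mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/home.crt
        clientAuthType: RequireAndVerifyClientCert
http:
  routers:
    private-app:
      rule: "Host(`app.domain.tld`)"
      service: private-app
      tls:
        certResolver: letsencrypt
        options: mtls
EOF
}

write_cnf
make_ca home              # our CA: trust anchor on the proxy only
make_client home alice    # legitimate user, gets alice.pfx
make_ca rogue             # someone else's CA, to show rejection
make_client rogue mallory
write_traefik_config
echo "alice: $(verify_client home alice)"               # OK
echo "mallory: $(verify_client home mallory || true)"   # FAIL
echo "artifacts in $WORKDIR"
```

Hand alice.pfx and its password to the user out of band; on the proxy, mount home.crt as /certs/home.crt and load the YAML through the file provider (or put the `clientAuth` block into a TLSOption on Kubernetes). Because the CA is only trusted by the proxy, a stolen alice.pfx gives access to the routers carrying the `mtls` option and nothing else, and the devices never gain a trust anchor that could be used against them.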
Ah ok that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS but some years ago. Apparently it’s possible to install custom certs there as well but it’s a little painful
edit: ok I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess
Personal Certificates can only be installed in Safari.
NO other browsers are supported. https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS
This is the way
I would say assumed complexity. Most people think vpns are complicated, so they don’t even try.
This irritates me. My first steps into running a VPN were with an Asus router running merlin-wrt. It took a few minutes and I had separate profiles for my laptop, my phone, etc. I have since upgraded past this router, so I now run openvpn on a VM so I don’t have to reconfigure everything next time I upgrade my router.
Simple. If services are only accessible through VPN I can’t easily use multiple services at different locations at the same time. Another reason would be that I can’t just use another device to access my service without installing VPN, importing the connection settings and putting a valid logon profile on a device I don’t control.
My work laptop has 6 or 7 different VPN clients to connect to customers networks. That’s nothing I want to have on my private PC or phone. And if I sit at home and the customer uses Cisco AnyConnect like my company it would be hard to access work resources when working on a client. Services published through accessible gateways (with encryption and authentication) don’t have these problems.
If you just want to access your own services from your own devices and don’t want to publish it to strangers a VPN is all you need.
This is the policy I follow:
Public access to a service: Cloudflare Tunnel
Restricted access to a service: Cloudflare Tunnel and Application
Restricted access to specific devices: Tailscale (or Wireguard)
Keep it like that until you need to expose something. I expose jellyfin (via reverse proxy) to get Chromecast working and to have family use it.
This is what I like about plex. No need to open any ports. it just works (for me, for additional users), no matter where I am.
This is what I like about plex. No need to open any ports.
You get super limited quality though since it proxies through their servers.
Plex also uses UPnP to automatically open ports on your router, so unless you’ve disabled that service on your router it’s likely you do have ports open.
Same. I run plex on a VPS behind openvpn. Plex’s indirect access makes it really easy to access the media on it even though I can’t open ports across the VPN.