Hi guys,

Just wanted to see why people would expose services either through a reverse proxy or normally, if technology like WireGuard and OpenVPN exist?

Convenience would probably be the top answer, but is it really worth the risk?

Thanks

  • flossraptor@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    They want to serve more than one or two people, and they want to be able to do so with a simple user/pass scheme.

  • msg7086@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Performance is a concern for me. My router is not powerful enough to do VPN and NAT and the same time. Another concern is WG cannot do multiple peers without assigning each peer a unique key, so when I need to spin up dozens of servers I couldn’t connect them to my router using one key pair. OpenVPN can so this, but then there’s performance issue again.

  • ConfusionSecure487@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    They make the local device setup more complicated and in some networks, you don’t have a chance to connect.

    I like to go with HTTPS and mTLS. On mobile and in general browsers, you can easily install them and the I can access them everywhere HTTPS is allowed.

    • hi65435@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Can you though? I used to do exactly these things and either on Android or iOS I had trouble installing a certificate. Well, in a way it’s not a a big issue anyway, probably it’s smart to go with public domains anyway (even for private resources)

      • ConfusionSecure487@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

        But I meant client certificates in this context. What I do:

        1. Use a public domain, pointing A and AAAA *.domain.tld to an traefik lb/reverse proxy. I use it on Kubernetes.
        2. use LE for that *.domain.tld, instead of direct domain certs to be more private (as all public CAs disclose the signed certs (https://crt.sh/))
        3. create a own CA for Client authentication
        4. set the own CA as trust anchor for clients in traefik for domains which require authentication
        5. create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them). I use the pfx format, as this widely accepted by the browsers and systems. p12 should also work
        6. Add the client certificate on the devices. But I don’t but the CA as trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.
        • hi65435@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ah ok that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS but some years ago. Apparently it’s possible to install custom certs there as well but it’s a little painful

          edit: ok I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess

          Personal Certificates can only be installed in Safari.
          NO other browsers are supported.

          https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS

  • metalwolf112002@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I would say assumed complexity. Most people think vpns are complicated, so they don’t even try.

    This irritates me. My first steps into running a VPN was with an Asus router running merlin-wrt. It took a few minutes and I had separate profiles for my laptop, my phone, etc.i have since upgraded past this router so I now run openvpn on a vm so I don’t have to reconfigure everything next time I upgrade my router.

  • ReneGaden334@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Simple. If services are only accessible through VPN I can’t easily use multiple services at different locations at the same time. Another reason would be that I can’t just use another device to access my service without installing VPN, importing the connection settings and putting a valid logon profile on a device I don’t control.

    My work laptop has 6 or 7 different VPN clients to connect to customers networks. That’s nothing I want to have on my private PC or phone. And if I sit at home and the customer uses Cisco AnyConnect like my company it would be hard to access work resources when working on a client. Services published through accessible gateways (with encryption and authentication) don’t have these problems.

    If you just want to access your own services from your own devices and don’t want to publish it to strangers a VPN is all you need.

  • jbarr107@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This is the policy I follow:

    Public access to a service: Cloudflare Tunnel

    Restricted access to a service: Cloudflare Tunnel and Application

    Restricted access to specific devices: Tailscale (or Wireguard)

  • RealPjotr@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Keep it like that until you need to expose something. I expose jellyfin (via reverse proxy) to get Chromecast working and to have family use it.

    • ztasifak@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      This is what I like about plex. No need to open any ports. it just works (for me, for additional users), no matter where I am.

      • ProbablePenguin@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        This is what I like about plex. No need to open any ports.

        You get super limited quality though since it proxies through their servers.

        Plex also uses UPnP to automatically open ports on your router, so unless you’ve disabled that service on your router it’s likely you do have ports open.

      • metalwolf112002@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Same. I run plex on a VPS behind openvpn. Plex’s indirect access makes it really easy to access the media on it even though I can’t open ports across the VPN.