this post was submitted on 22 Apr 2024
25 points (96.3% liked)

Selfhosted

40261 readers
1194 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13 31 points 7 months ago* (last edited 7 months ago) (1 children)

Does creating a VPN into my home network using my router increase my attack surface?

Yes, but it also provides the ability to access any resource in your network in a secure way.

It is typically less safe to expose 3 or 4 different services you want remote access than a single VPN daemon that is actually designed for that specific scenario and has mitigations for common attacks built in.

To make your setup secure you can consider a few steps:

  • Use Wireguard: don't be afraid to expose the Wireguard port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won't even know there's something listening on that port / it will be invisible to typical IP scans / / will ignore any piece of traffic that isn’t properly encrypted with your keys;
  • Use a 5-digit port for your VPN - something like 23901 (up to 65535) will be way harder to find than typical ports like the default 51820 or 443;
  • Go full paranoid and use a firewall to restrict what countries or even days, hours access your server is allowed. Eg. only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). Be aware of what happens when you're abroad;
  • Don't port forward IPv6 if you don't need it. Might be easier than dealing with a dual stack firewall and/or other complexities.

In a side note: a VPN doesn't mean full access to your network either. You can setup a VPN endpoint that only allows access to a few specified services running on specific machines instead of the entire network. This will give you extra security if you're into that.

[–] [email protected] 5 points 7 months ago

Thank you for not only taking the time to answer but also adding quite useful resources. I will look into it!