this post was submitted on 17 Dec 2023
Selfhosted

40954 readers
859 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
17
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/selfhosted

I run a load of containers on a NAS, and reverse proxy them through Synology's inbuilt reverse proxy settings.

Essentially, I'd like to harden my security, and not really sure how best to do it.

Seeing people recommend nginx proxy manager, I've tried to set this up but never managed to get the certificates to work from letsencrypt ("internal server error" when trying to get one). When I finally got it working a while ago (I think I imported a cert), any proxy I tried to setup just sent me to the Synology login page.

I've tried to setup the VPN that comes with Synology (DSM 7+), but I must have set it up using the local IP address. It only works when I'm on my LAN, and not from an external network. Which is kind of the point, lol. I would like to use VPN to access the home network when out and about.

I've set random, long, unique passwords for everything I want to access, but I am guessing this is not the most secure, after seeing so many people use and recommend vpns.

I have Tailscale, which is great for ssh-ing onto my NAS from the outside world. But to access my services, is a VPN the best way to do it? And can it be done entirely myself, or does it require paying for a service?

I've looked at authentic - pretty confusing at the outset, and I see a few evenings of reading guides ahead of me before I get that working. Is that worth setting up?

Does anyone have any advice/guides/resources that might help?

all 24 comments
[–] [email protected] 2 points 1 year ago (2 children)

Tailscale is (like) a VPN, but traffic will go through their servers. If you setup your own VPN server then traffic will remain between your client and your own server.

Did you set up port forwarding and routing tables when you installed your VPN server?

The Synology VPN package is lagging behind a lot, so you could be missing some security updates.

If you use a VPN to hide your services, you reduce your attack/risk. Since there is only one package/software suite which could have vulnerabilities. And VPNs are focused on security. If you expose all your hosted stuff, all those programs need to be secure to prevent abuse. And not everybody is as skilled to build it securely.

I would recommend, for you, to use something like Tailscale. Since you seem like someone at the beginning of their safety journey. With setting up a VPN server, you need to know a little bit what you're doing to make it secure and work. And you could invest time to learn it all, or you could use something that does it for you. Another, not so wise, piece of advice could be to use a docker container to host the VPN. Most containers have all settings correctly set up and have guides to make it secure. But that means you don't know what you installed and that could be a bad thing as well. Furthermore, docker adds to the complexity of making it work.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Tailscale is (like) a VPN, but traffic will go through their servers.

That's wrong. In a peer to peer VPN the traffic should not pass Tailscale infrastructure.

See their docs: https://tailscale.com/kb/1094/is-all-traffic-routed-through-tailscale

[–] [email protected] 1 points 1 year ago (2 children)

I definitely didn't set up any port forwarding or routing tables when setting up the inbuilt VPN.

Tailscale is great, and very handy to edit my compose files from, for example, work. But I didn't think I could use it to access my services?

I've become pretty familiar with docker over the years, so I'm tempted to spin up a container just to see how it works.

I currently expose around 20 services through the reverse proxy, but only those ones that I can set a user/password for.

I don't mind investing the time to learn more about all this. Networking stuff has always been akin to dark magic for me, it's time to jump in..

Thanks!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Tailscale is great, and very handy to edit my compose files from, for example, work. But I didn’t think I could use it to access my services?

Tailscale has two features that, when enabled, will let you exit the tailnet through a node to a LAN (subnets) or to the Internet (exit node).

You can use the subnets feature. You can install a Tailscale container on the NAS, mark it as using the subnets feature, and then you have two options:

  1. Use the "host" network mode on the Tailscale container, which will give it access to your NAS machine's host network interfaces, and set up the subnet mask to your LAN's subnet. You will be able to access your services on the NAS's LAN IP and whatever service ports you expose to the host, just as if you were on the LAN.
  2. You leave the Tailscale container to use a private docker network, you create a "tailscale" docker network, you declare the Tailscale subnet as the docker network subnet, and you connect to it the Tailscale container plus any other containers that you want to access (in their docker compose files). This is more secure (in the absolute, abstract sense) because Tailscale traffic doesn't pass through the LAN, and you only expose a short explicit list of containers to Tailnet. On the other hand you have to juggle container network names, and it just makes things more complicated.
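The second option above, as an added example that is not part of the original comment or of Tailscale's own documentation: a POSIX shell script that creates the private "tailscale" Docker network with an explicit subnet, starts the official tailscale/tailscale image as a subnet router for that subnet, and attaches one service container to it. The subnet check is the part a practitioner most often gets wrong: the Docker subnet must not overlap the LAN or Tailscale's own 100.64.0.0/10 range, or the route will never be used. The environment variables (TS_AUTHKEY, TS_ROUTES, TS_STATE_DIR) and the `--sysctl` flag are assumed from the image's documented behaviour; 172.30.0.0/24, 192.168.1.0/24 and the `whoami` service are placeholders.

```shell
#!/bin/sh
# Tailscale subnet router in Docker, option 2 from the comment above.
# Added example, not the commenter's or Tailscale's own code.
set -e

ip_to_int() {                      # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_net() {                       # "a.b.c.d/p" -> "<network as int> <p>"
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    echo $(( $(ip_to_int "$addr") & mask )) "$prefix"
}

cidr_overlaps() {                  # exit 0 if the two CIDRs share any address
    set -- $(cidr_net "$1") $(cidr_net "$2")
    n1=$1; p1=$2; n2=$3; p2=$4
    p=$(( p1 < p2 ? p1 : p2 ))     # they overlap iff they agree on the shorter prefix
    mask=$(( p == 0 ? 0 : (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

check_subnet() {                   # refuse Docker subnets that collide with the LAN or CGNAT
    docker_net=$1; lan_net=$2
    for other in "$lan_net" 100.64.0.0/10; do
        if cidr_overlaps "$docker_net" "$other"; then
            echo "subnet $docker_net overlaps $other; pick another" >&2
            return 1
        fi
    done
}

setup_tailscale_router() {         # args: DOCKER_SUBNET LAN_SUBNET TS_AUTHKEY
    docker_net=$1; lan_net=$2; authkey=$3
    check_subnet "$docker_net" "$lan_net"

    # Private network that only the router and the chosen services join.
    docker network create --subnet "$docker_net" tailscale

    # Subnet router: advertises the Docker subnet to the tailnet. The container
    # needs TUN and NET_ADMIN; the sysctl is assumed to be needed for forwarding.
    docker run -d --name tailscale --restart unless-stopped \
        --network tailscale \
        --cap-add NET_ADMIN --device /dev/net/tun \
        --sysctl net.ipv4.ip_forward=1 \
        -v tailscale-state:/var/lib/tailscale \
        -e TS_STATE_DIR=/var/lib/tailscale \
        -e TS_AUTHKEY="$authkey" \
        -e TS_ROUTES="$docker_net" \
        tailscale/tailscale:latest

    # Placeholder service; reachable from the tailnet at its Docker IP once the
    # route is approved in the Tailscale admin console. It never touches the LAN.
    docker run -d --name whoami --network tailscale traefik/whoami
}

# Nothing runs on a plain invocation; apply with:
#   sh this.sh apply 172.30.0.0/24 192.168.1.0/24 tskey-auth-XXXX
if [ "${1:-}" = "apply" ]; then
    setup_tailscale_router "$2" "$3" "$4"
fi
```

Two caveats that follow from the comment: the advertised route has to be approved in the admin console before clients use it, and because subnet routers SNAT tailnet traffic by default, the service containers see the router's Docker IP as the source and need no return routes, which is what makes this option simpler on the routing side than a VPN container on the LAN.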
[–] [email protected] 1 points 1 year ago (1 children)

In that case, enjoy! It's a great feeling when you get it working.

If you're going to do it on your Synology, see if you need to fix the TUN error. Also, you need to add IP routes to your Synology to have the IPs from your VPN on docker forwarded to docker. Make sure these are persistent or added on every startup.

Make sure you allow the VPN to work by adding it to the Synology firewall.

You need to set up port forwarding on your router. It needs to point to your Synology to the port which is linked to the docker container. You also need to add the route to your router to be able to access your network. For instance, if your VPN has 10.0.3.* and your LAN uses 10.0.0.*, your LAN/router won't know where to send the response packets to the VPN network. So when connected to your VPN you will never be able to load stuff. If you add that 10.0.3.* needs to route to your Synology, and your Synology knows that range needs to be routed to the Docker VPN container, everybody knows where it needs to go.

[–] [email protected] 1 points 1 year ago

Brilliant, many thanks!

[–] faethon 2 points 1 year ago* (last edited 1 year ago) (1 children)

If you are just looking for a way to SSH into your machines from outside your network, you can setup a more recent VPN or Wireguard yourself. If you have a Raspberry Pi lying around, using PIVPN makes things super easy. You can have both OpenVPN as well as Wireguard running if you want, using the same script. If that is the only thing you like to do, then there is no need to reverse proxy your servers and expose them. Just having a VPN or Wireguard connection should be enough to access your servers when outside of your network. It is recommended to have a fixed IP btw, to find your VPN/Wireguard server easily.

Also, you can leave all your servers locally (and not exposing them) when you can reliably setup a VPN/Wireguard connection. That is the most secure I guess.

[–] [email protected] 1 points 1 year ago (2 children)

Yeah, I definitely like the idea of leaving all services running locally, and connect to my VPN when needing to tinker/access.

I do have a couple of Raspberry Pis, but I prefer to run stuff on the NAS, I only use the Pis as clients to stream from.

I'm gonna go lookup the difference between openvpn and wireguard :) And I have a dynamic DNS setup, that's basically the same as a fixed IP, right?

Thanks!

[–] habitualTartare 2 points 1 year ago

I setup openvpn on my network originally + duckdns on a dynamic IP in 2021/2022. It's an "older" protocol but I felt it was easier to setup since it's been around longer and the tools just make it easy.

Wireguard has speed advantages but being newer, takes more work to see those speed advantages. There's a docker container called wg-easy that I've heard mixed things about (speed in a docker container vs easy to setup).

I used Tailscale when I rebuilt my VPN server because I was originally using Oracle Linux (wanted to learn it more but went back to Ubuntu).

If you can get certificates working, wireguard shouldn't be too difficult. I prefer VPN over exposing multiple ports/protocols for a family or small userbase. If you're sharing libraries or other services with extended family, I'd probably expose those to the Internet and work on hardening/having that server in a demilitarized zone + certificate based authentication and MFA on any public admin accounts.

[–] Presi300 1 points 1 year ago (1 children)

Fyi, you don't need a raspberry pi to use PiVPN, it actually works on all Ubuntu based distros and even Alpine Linux, you can just install it in a VM on your NAS.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Ah. VMs. I (stupidly?) set my storage array to use ext4, and apparently it needs to be a btrfs to be able to use VMs. I cba to rebuild it at the moment.. so I just use docker for everything

[–] Presi300 1 points 1 year ago

Ext4? What do you run on your NAS?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAS Network-Attached Storage
SSH Secure Shell for remote terminal access
VPN Virtual Private Network
nginx Popular HTTP server

6 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

[Thread #361 for this sub, first seen 17th Dec 2023, 21:45]

[–] brygphilomena 1 points 1 year ago

This comes into the design and requirements for your services.

If they need to be publicly available to more than just you, you'll want a reverse proxy and appropriate firewall rules. You'll also need to make sure things stay updated and security hardening is done on the servers and the proxy.

If you just need yourself to access things and they don't need full access from public internet, you want a VPN. Tailscale is pretty easy. Wireguard is a bit of work to set up, but can make for a good always on VPN for your devices to connect back into your home network to access what you want.

There are certain things like SSH that you really don't want publicly accessible over the internet. Even with fail2ban and all the security hardening, it's just a headache and pointless traffic you'll deal with as people try to get in anyway.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Tailscale allows you to access your lan. You should be able to do anything you can do on lan...? Right? Maybe it's set up wrong somehow?

[–] [email protected] 1 points 1 year ago

I always highly recommend Twingate.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Seeing people recommend nginx proxy manager, I’ve tried to set this up but never managed to get the certificates to work from letsencrypt (“internal server error” when trying to get one). When I finally got it working a while ago (I think I imported a cert), any proxy I tried to setup just sent me to the Synology login page.

I think WebStation is causing this. I just investigated my Synology NAS and discovered that the default web portal is redirecting ports 80 and 443 to the Synology login portal (which lives on ports 5000 and 5001, depending on whether you use SSL or not).

[–] thelittleblackbird 0 points 1 year ago (1 children)

From your text I understand you are not a really tech savvy person and you are really struggling with all the services and configuration involved.

If you want a simple tip, stick to Tailscale, it is a VPN and will protect all your services because you will not have access from the internet. It is pretty safe and the configuration is trivial.

The obvious drawback is that you won't have internet access without installing the VPN, which depending on the use case can be a deal breaker.

Honestly, a properly configured nginx with certificates and strong passwords is reasonably secure when there is not any misconfiguration. But if you are in doubt stick to Tailscale.

Good luck :)

[–] [email protected] 2 points 1 year ago (2 children)

I'm... a little offended by that! 🤣

[–] daed 2 points 1 year ago* (last edited 1 year ago)

Lmao I would be too! You're self hosting services behind a reverse proxy and familiar enough with docker to set that up, but you're clearly not a very tech savvy person...! Haha. There's levels to everything, I guess. Weird gatekeep though, perhaps lost in translation

[–] thelittleblackbird 1 points 1 year ago

Oooops, that was certainly not the intention.

Clearly I need to work on my communication skills. My apologies if I really upset you.

[–] [email protected] -1 points 1 year ago

I don't like Tailscale. Use a reverse proxy (nginx proxy manager makes this simple) and secure your services with fail2ban and/or crowdsec. This way you do not have to rely on Tailscale relay or their clients to connect to your services from anywhere.
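What "secure your services with fail2ban and/or crowdsec" comes down to at the proxy, as an added example that is not part of the comment above or of either project: count 401/403 responses per client IP in the proxy's access log and ban IPs that cross a threshold. The script below does that in awk over a few constructed log lines written in Nginx Proxy Manager's proxy-host format (the format, the addresses and the hostname are assumptions); it is the same decision a fail2ban failregex encodes, made visible in a pipeline so you can tune the threshold before wiring it into a jail.

```shell
#!/bin/sh
# Brute-force detection over reverse-proxy access logs. Added example, not the
# commenter's, fail2ban's or CrowdSec's own code.

# Constructed sample in NPM's proxy-host format (assumed):
# [time] cache_status upstream_status status - METHOD scheme host "uri" [Client IP] ...
SAMPLE_LOG='[17/Dec/2023:21:45:01 +0000] - 401 401 - POST https app.example.com "/login" [Client 203.0.113.7] [Length 0] [Gzip -] [Sent-to 172.18.0.5] "curl/8.4.0" "-"
[17/Dec/2023:21:45:02 +0000] - 401 401 - POST https app.example.com "/login" [Client 203.0.113.7] [Length 0] [Gzip -] [Sent-to 172.18.0.5] "curl/8.4.0" "-"
[17/Dec/2023:21:45:02 +0000] - 200 200 - GET https app.example.com "/" [Client 192.0.2.3] [Length 5120] [Gzip 2.1] [Sent-to 172.18.0.5] "Mozilla/5.0" "-"
[17/Dec/2023:21:45:03 +0000] - 401 401 - POST https app.example.com "/login" [Client 203.0.113.7] [Length 0] [Gzip -] [Sent-to 172.18.0.5] "curl/8.4.0" "-"
[17/Dec/2023:21:45:04 +0000] - 403 403 - GET https app.example.com "/admin" [Client 198.51.100.9] [Length 0] [Gzip -] [Sent-to 172.18.0.5] "Mozilla/5.0" "-"
[17/Dec/2023:21:45:05 +0000] - 401 401 - POST https app.example.com "/login" [Client 203.0.113.7] [Length 0] [Gzip -] [Sent-to 172.18.0.5] "curl/8.4.0" "-"'

# ban_candidates THRESHOLD < access.log
# Prints "IP count" for every client with at least THRESHOLD 401/403 responses.
ban_candidates() {
    awk -v threshold="${1:-5}" '
        {
            status = $5                       # $status is the 5th whitespace field
            if (status != 401 && status != 403) next
            if (match($0, /\[Client [0-9.]+\]/)) {
                # strip "[Client " (8 chars) and the closing "]"
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' | sort
}

# Run on the sample: only 203.0.113.7 crosses a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

Two things to check before trusting this on a real proxy: the `[Client ...]` field must carry the real client address (if another proxy or CDN sits in front, it will show that proxy's IP and a ban would lock everyone out), and the application behind the proxy must actually answer failed logins with 401/403. Many web apps return 200 with an error page, and then neither this script nor a proxy-level fail2ban jail sees anything; that is why fail2ban is usually pointed at the application's own log as well.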