Running a TrueNAS Scale server with Jellyfin and planning to add Nextcloud. How would I be able to access these services from outside my network? I have heard port forwarding is unsafe and a VPN seems inconvenient to me.
Port forwarding is unsafe, but even crossing the road is unsafe. Do you cross the road without watching? In the same way, you just don’t let a published server online without doing regular updates. You set up docker, run nextcloud (docker) behind nginx proxy manager, and have watchtower update them regularly. You can also set up 2FA in docker, and pair it with fail2ban.
Every port open widens the attack surface, but those services are made to be published, so there are mitigations against the risks.
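The "pair it with fail2ban" suggestion above, as an added example that is not from any commenter in this thread: a small Python replay of what a fail2ban jail does with Nextcloud's JSON-lines log, matching the two message patterns the stock Nextcloud filter looks for (failed logins and trusted-domain errors) and applying the usual maxretry/findtime semantics. The field names follow Nextcloud's log format as I understand it; every address, user and timestamp in the sample is constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of Nextcloud's JSON-lines log (data/nextcloud.log). The field
# names mirror Nextcloud's log format; every IP, user and timestamp here is made up.
def _line(minutes, ip, message):
    t = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)
    return json.dumps({"reqId": "x", "level": 2, "time": t.isoformat(),
                       "remoteAddr": ip, "user": "--", "app": "core", "message": message})

SAMPLE_LINES = [
    # brute-force pattern: six failures from one address inside three minutes
    *[_line(m, "203.0.113.9", "Login failed: 'admin' (Remote IP: '203.0.113.9')")
      for m in (0, 0.5, 1, 1.5, 2, 2.5)],
    # a legitimate user who mistyped a password once
    _line(1, "198.51.100.4", "Login failed: 'alice' (Remote IP: '198.51.100.4')"),
    # five trusted-domain errors spread over 20 minutes: never maxretry inside findtime
    *[_line(m, "192.0.2.77", 'Trusted domain error. "192.0.2.77" tried to access using "192.0.2.77" as host.')
      for m in (0, 5, 10, 15, 20)],
    # noise the filter must ignore: an unrelated message and a non-JSON line
    _line(3, "198.51.100.4", "Could not scan folder: /alice/files"),
    "not json at all",
]

def find_bans(lines, maxretry=5, findtime=600):
    """Read log lines in file order and return {ip: time of ban}. Only the order of
    each address's own lines matters, because the sliding window is kept per address."""
    recent = defaultdict(deque)   # ip -> timestamps of matching failures still in window
    banned = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue               # like fail2ban, skip lines the pattern cannot match
        if not isinstance(ev, dict):
            continue
        msg = ev.get("message", "")
        if not (msg.startswith("Login failed:") or msg.startswith("Trusted domain error")):
            continue
        ip = ev.get("remoteAddr")
        if not ip or ip in banned:
            continue
        t = datetime.fromisoformat(ev["time"])
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = t
    return banned

def run_sample():
    return find_bans(SAMPLE_LINES)

if __name__ == "__main__":
    for ip, when in run_sample().items():
        print(f"ban {ip} at {when.isoformat()}")
```

Lowering maxretry or raising findtime in the call shows how the spread-out trusted-domain errors from 192.0.2.77 start to trigger a ban, which is the trade-off you tune in a real jail.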
and have watchtower update them regularly
Does this help with Nextcloud on docker?
If you use the linuxserver.io image, as of last month yes. They migrated to everything updated through the docker container.
Now you make a good point, you also have to perform the update within the app in nextcloud. I use a custom image so I have to do it anyway, I hadn’t realised that.
But I guess npm is the one that needs to be updated automatically to avoid most of the attacks on the web
I’ve said this many times before, but it seems relevant here, too. Using a reverse proxy is a good step for security, but you will still want to block certain incoming connections on your firewall. I block everything except for our cell phone provider, my partner’s employer, and my employer. We will never be accessing my network from any other source. At the very least, block everything and whitelist your own country; this will prevent a lot of illegitimate connections. If you’re using pfSense, the pfBlockerNG plugin makes this very easy to do.
Yeah, absolutely good point, it’s something that can be done in OPNsense as well. Certainly blocking any block outside your country (or region maybe in Europe) makes sense. I block everything outside RIPE, and also China and Russia.
I’d suggest port forwarding. Opening a port on your firewall just says “there’s a service running on this port” but the software will have its own “risk mitigation” to prevent intrusion.
Additionally, if you own a domain with someone such as GoDaddy, you can leverage their API to script IP updates (quick google search can walk you through options; cron, powershell, etc) so you can always access your nextcloud instance with a friendly name.
Either you need to expose those two services to the Internet or use a VPN. You mention VPNs are inconvenient but have you checked out tailscale? The free account meets your needs and it’s by far the easiest one I have set up. You can also look into a cloudflare tunnel but you would need a domain name for that.
What’s so inconvenient about a VPN?
It literally takes 2 clicks to tunnel via a VPN.
Setting up, configuring and maintaining it is kind of a pain. I am unaware of a 2-click option. I put my whole network on a self-hosted VPN so I was probably doing it in a more complicated way than I needed.
Not to mention that not every client has software available.
That’s true. I only use my vpn when I’m out of the house. And the only devices I have with me are my phone/laptop which both have official apps.
On Android, for the wireguard/openvpn apps, you can add a button to your swipe-down menu (where you toggle on/off wifi, flashlight, etc).
VPN is the best way but it is kind of a pain in the ass yeah. I had it set up that way for a while but I gave up, I just don’t use it enough outside of the home to justify it.