VPN vs Reverse Proxy vs Direct

If I understand correctly, there are three main ways of accessing my selfhosted services from outside my home: VPN, Reverse proxy, and Direct (by direct I mean passthrough directly to my service without jumping through extra hoops).

What are the tradeoffs I am looking at here? In terms of convenience, privacy, performance, etc. Also, configuring a domain name is an orthogonal issue, right? Any of the three options could be used with/without a domain name?

Thanks!

I used to just do things direct and it was ok, but going the reverse proxy route has been much more convenient. Don’t have to remember port numbers, several reverse proxies automatically get and renew Let’s Encrypt certs (I’m using caddy), and on my DNS server I can point all my subdomains at the reverse proxy as well and don’t have to remember/look up their IP.

I see no difference in performance direct vs proxied.

For services I don’t want to expose to the internet, I VPN in to use when away from home.

You can do VPN+Proxy. Where VPN is required for any access, and the reverse proxy only listens on LAN. That way you have VPN privacy with easy to remember server names.

I use an Nginx reverse proxy just because it simplifies accessing them by putting things behind easy to remember subdomains. If you had something you wanted to have more secure then that is what I would access through a VPN only.

VPN: most privacy, medium performance, least convenient

Reverse proxy: medium privacy, good performance, most convenient

Direct: least privacy, best performance, moderately convenient.

You’re correct that the domain name is a totally separate issue. You can use direct and VPN without a domain name, but a reverse proxy usually depends on the host name to determine the service to route to, so you’d probably need a domain and/or subdomains. It’s pretty easy to set up.

Details: VPN requires some form of authentication which is less convenient. It can also be tricky to set up and some workplaces/hotspots will either block ports or certain packets, preventing access. You also need client software. Performance depends on which flavor you use but throughput can be limited, which would mainly impact download speeds. Privacy is the best because no traffic is visible to the outside.

Reverse proxy: pretty easy to set up. Super convenient because you don’t need to remember port numbers or IP addresses. You can just have different subdomains (like nextcloud.domain.com, bitwarden.domain.com, etc). Privacy is pretty good because you’ll be using SSL. The only “leak” so to speak is the host names, which are visible when you make the DNS request (but they usually get cached after the first request). Performance is close to as good as direct since it’s mostly just forwarding packets. There is some overhead when you do things like rewrite cookie domains.

Direct: less convenient because you have to use port numbers and do a lot of forwarding. It’s the least private since every request is visible by way of port number. Performance is the best since there’s no middle man.

In terms of security, VPN is good because it’s a single point of entry to your network. Reverse proxy is also good because of the same thing, but also because you can set all your services to only listen for requests from the localhost (assuming the proxy is on the same machine). Direct exposes a lot of attack vectors.

VPN: Assuming you’ve set it up correctly, this way provides the ultimate privacy/security but the trade off is that it’s more inconvenient to use.

Reverse proxy: pretty much the perfect mix of security and convenience. You don’t have to remember port numbers and such. Just connect and be done with it. It does, however require some setup but the setup is less than what a VPN requires.

Direct: this isn’t even worth the trouble. You’ll have to remember the port numbers you are exposing various services on and it’s just a huge mess.

My recommendation: reverse proxy with caddy. It will handle free Let’s Encrypt certs for you and handle the renewals. Super simple to configure. A reverse proxy with certs can be set up in < 10 lines in a config file.
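As an added illustration (my own, not any commenter's configuration), here is a Caddyfile in the shape these comments describe: public subdomains with automatic Let's Encrypt certificates proxied to apps that listen only on localhost, plus the "VPN + proxy" variant from earlier in the thread where the proxy binds to a LAN address only. The domain `example.com`, the LAN address `192.168.1.10` and the backend ports are assumed placeholders.

```caddyfile
# Public services: Caddy obtains and renews a Let's Encrypt certificate
# for each site block on its own. Each upstream app is bound to 127.0.0.1,
# so from the network only the proxy on :443 is reachable, not the app ports.
nextcloud.example.com {
    reverse_proxy 127.0.0.1:8080
}

bitwarden.example.com {
    reverse_proxy 127.0.0.1:8000
}

# LAN/VPN-only service: bind the listener to the LAN address (assumed
# 192.168.1.10) so it is never exposed on the WAN side; clients reach it
# through the VPN. The ACME HTTP challenge cannot succeed for a host that is
# not reachable from the internet, so `tls internal` uses Caddy's local CA
# (clients must trust that CA) instead of Let's Encrypt.
netdata.example.com {
    bind 192.168.1.10
    tls internal
    reverse_proxy 127.0.0.1:19999
}
```

The split DNS the thread mentions (internal DNS pointing all subdomains at the proxy's LAN address) is what makes the host-name routing work for the VPN-only block.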

Check out ZeroTier! It’s the best for this. If you remember Hamachi, same idea kinda

You can connect from mobile, and you can put your private IPs under public DNS entries for each access from any connected device

A reverse proxy only adds security if it’s an authenticated reverse proxy, or if it’s also an IDS/IPS at that layer. Directly exposing something carries with it the risk of a buffer overflow attack being successful against the endpoint. A VPN is the most secure, but least convenient option.

Personally, I have a very extensive home lab. Everything is behind an authenticated reverse proxy using certificate-based authentication. I carry a flash drive on my keys with a .pfx password-protected with an easy to remember password.

I use VPN to access Netdata but the actual apps I self host are reachable from the Internet directly so I can use them from multiple devices easily. They are behind Cloudflare and I use two factor authentication for almost everything.

A good reverse proxy like nginx or traefik or caddy should not cost you any performance.

You can skip getting a domain with a dynamic DNS. I use afraid.org’s DNS system for free dyndns.

Also: if you rent a cheap $5 VPS and configure it as a reverse proxy you can hide your server’s real IP.

> For services I don’t want to expose to the internet, I VPN in to use when away from home.

I’m interested in this solution, but I don’t know how to set up a VPN server. Do you have any resources to share?

You can double up using zerotier as a VPN into your network without open ports.
The external server would reverse proxy into those zerotier clients (or bridge).

My setup uses haproxy on a cheap OpenVZ $15/year server, with a zerotier VPN connection to my docker host VM on my home server.
Docker serves multiple sites on their own ports; haproxy reverse proxies that to serve them as subdomains with HTTPS (Let’s Encrypt) on 443.

Out of curiosity, which reverse proxy do you use and how did you set it up?


PiVPN makes the process of setting up an OpenVPN server incredibly simple. It’s designed for Raspberry Pis but can run on much more. When I set mine up it didn’t work on Ubuntu Server 18.04 but works fine on 16.04 (not sure if they’ve fixed that since I set it up).

http://www.pivpn.io/

What provider is your haproxy on?

I basically do the same thing this guy does.
https://www.ssltrust.com.au/help/setup-guides/client-certificate-authentication

I use gestiondbi.com and caught it on sale; you’ll most likely have to wait till the next sale holiday to pick up a really good deal. Running 2 CPU / 2 GB for that price.