Why is a VPN safer than a reverse proxy?

I am relatively new to self-hosting and am trying to decide if it’s feasible for me to expose a Nextcloud instance to the internet. I have read a lot of stuff and the general consensus everywhere is that a VPN is inherently safer than a reverse proxy.
My genuinely noob-question is: why? In both cases I open a single port in my firewall, both are equally encrypted (assuming I only use SSL for the proxy which I would of course do) and both rely on the software to be properly configured and up to date.

Edit: the proxy will of course also run an authentication layer of some sort. Sorry for the confusion.

Both use an encrypted transport, but only the VPN is also cryptographically authenticated. If someone connects to your VPN, you know that it’s a legitimate user to whom you’ve given the credentials (or the VPN has a zero-day exploit).

Are you going to use mTLS and require client certificates to authenticate with the reverse proxy? If not, then it’s not as secure as a VPN.

VPN is entirely a higher tier of security.

With just SSL the server will happily communicate with anyone who asks and will use encryption to make sure nobody in-between can understand what is happening.

With a VPN the server will only communicate with people that speak the magic words - otherwise (depending on the VPN) it looks like there is nothing there. If you know the magic words you still get your reverse-proxied SSL-encrypted services, but wrapped in another encryption tunnel unique to you and the server in that instance.

Most (good) VPN services are lightweight services with a small set of libraries and they get reviewed regularly for security flaws.

Applications like Nextcloud are whales. They have a huge code base with tons of libraries included. The chance of a vulnerability presenting in Nextcloud is much greater. Also, let’s say you add additional services like Jellyfin or some game servers etc. If you continue to publish services on the internet you’re just increasing your attack surface.

Just to clarify, I’m not saying a reverse proxy is bad, I’m just pointing out the advantages of a VPN.

It depends on the setup.

A VPN ensures that anyone reaching you goes by the VPN endpoint.

An open port makes sure that the service being reached is the one you intend to be reachable.

Anyway, if your client can send a request that will execute some exploit code, none of the above will protect you.

With kind regards, Bobby’;drop table students;–

Some VPNs (cough WireGuard) are way easier to set up than the equivalent reverse-proxy-plus-reverse-proxy-level-authentication and way harder to screw up. Admittedly I do the second option because it’s way nicer (SSO is awesome, and phones being stupid and not letting you run multiple VPNs non-rooted at the same time makes VPN-only a non-starter for me).

Arguably reverse proxy authentication is actually a bit more secure in at least one sense: VPNs (generally) only support device-to-device authentication, whereas reverse proxies can do application-level authentication (example: rogue Android application can access the VPN like anything else running on your phone, but it can’t actually do anything with the reverse proxy because those creds are in the browser and Android doesn’t let apps read each other’s private data. Same is generally true of other websites running in the same browser!).

I think there is a lot of misunderstanding. People mostly compare using authentication via VPN to no authentication at all, and this is an apples-to-oranges comparison.

There are always corner cases and special uses, but for most web based self hosted apps, reverse proxy seems better imo.

VPN, especially as a service, introduces another trust assumption, and if any of the trusted devices is compromised, they get unlimited access to your home network, which is very, very bad. The possibility of exposing all ports/traffic/apps via VPN is in my opinion the biggest risk you can get. If this is not your use case, avoid it.

On the other hand, if you open only a single port, and validate all the traffic via a high-grade authentication service (e.g. Keycloak), you expose only this. And if for whatever reason this gets breached (like your local device gets hacked) you still expose only web services behind a proxy. And of course, these are running in containers as non-root users, right? So full separation.

You can add 2FA, and if you’re really paranoid, some hardware key authentication (e.g. yubikey), and you’re golden.

Unless you’re somehow pulling the ire of nation-state threat levels, you are PROBABLY not doing anything anywhere near the level warranting anyone trying to breach your reverse-proxy.

There comes a point where more security is not actually giving you a tangible benefit.

VPNs are secure, reverse-proxies are secure. Both can be made insecure.

But when you compare a VPN to a reverse-proxy from a security value perspective, you NEED to consider what kind of security threat you actually are going to encounter.

Again, if you have no reason to think a nation-state threat actor is coming for you, then you will not notice any tangible difference in security between a well set up VPN and a well set up reverse-proxy.

So, considering that, I would recommend a reverse-proxy over a VPN for web services because it will be substantially more convenient for you without compromising security in a way that matters to you.

Has anyone in this thread actually been in the room during a nation-state breach of a $majorEntity? I doubt it, but I have. And let me tell you, understanding the difference is worth it. And none of the people here probably are worth the time of nation-state threat actors.

Don’t fear what’s not coming for you.

Here are a few reasons:

  • Proxies use TCP, which is easy to detect, while VPNs use UDP, which has a more difficult port scanning requirement, so detecting them is hard and DDoSing them is hard. Scanning open TCP ports is very easy. Can be done in like a few minutes.
  • A VPN encrypts all traffic, no exception (obviously depends on how you configure it), while a proxy may skip the encryption of DNS, and may even not encrypt your traffic if you mess up your SSL/TLS configuration.
  • VPNs only connect with those who are allowed to connect to them, while proxies will connect with anyone and route traffic, which means that the security of your application will be at the application layer, instead of the networking layer. Application layer security is questionable most of the time, because the subset of people who know how to code and know how to write secure code is smaller than the people who can only code with no regard to security.

And besides safety, VPNs have the advantage that they give you raw network access to the VPN server and its network, while a proxy is just for one application/port (multiplexed with the reverse proxy, possibly), and trying to use it for other things will most likely require TCP with TCP wrapping (like in the case of tunneling SSH through SSL), which is very inefficient.

A lot of people here have put the arguments very well and very succinctly; and in summary both are good solutions but what you lose in security by doing a reverse proxy, you gain in convenience and features. That’s a pretty classic security conversation.

I will note also though that there are ways to help secure your Nextcloud in the event that you do the reverse proxy. Things like using 2FA for all your accounts are obvious. Using a real SSL cert helps a lot. You can also lock Nextcloud itself away in a Docker container so that an exploit in Nextcloud has less chance of affecting the rest of your network. Things like that.

You can gain a lot of functionality and convenience that way too. I have my Nextcloud set up through a reverse proxy because I find it useful to be able to share folders with people even if they’re unauthenticated guests where only the person with the link has access. It’s also handy to me to be able to have registration set up so that I can have people set up an account on my Nextcloud… I’ve got some family and friends using it for storage, backups and sharing.

I will note though that I do keep the number of public services on my network to a minimum and I do have a VPN for all the non-public stuff.

I run my exposed services over SSL with client certificates. I don’t see how a VPN would add meaningful security to that (though it may make it easier to evade some network restrictions - or the opposite, because a VPN may be blocked while my HTTPS just goes on through).

This requires bi-directional authentication; even a very strong password may work, but that’d open you up to exploits in the authentication step of whatever service you deploy.

And if the VPN is the only safety layer you rely on, those also have had security issues in the past.

It’s not “inherently” safer, it depends on more factors.

Really it comes down to how secure the reverse proxy or VPN endpoint’s authentication is. At the end of the day you have to expose a port somewhere on the internet. That endpoint can be exploited. VPN endpoints can be enumerated, and if they are not patched or have poor auth, they can get in. Like scanning your firewall. Your reverse proxy, say the endpoint is hosted by Cloudflare: same thing, but the attacker would need the DNS name. I recommend you monitor and alert yourself if something successfully connects to either in real time. Sign up for security alerts of whatever you’re exposing.

VPN solutions you would monitor for security issues and unexpected authentication.

Reverse proxy: whatever application you are exposing will need to be hardened and monitored for unexpected authentications.

If you’re only exposing Nextcloud and setting up mTLS certificates it’s going to be very similar. Something like WireGuard (UDP) on a rando port is slightly more secure, I guess, since at that point you don’t even appear to be running anything at all, but probably an immaterial difference.
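As an added example (not code from any poster in this thread), here is a small Python checker for the mTLS-on-the-proxy setup discussed above, combined with the advice to alert on successful connections. It assumes nginx runs with `ssl_verify_client on;` and writes an access log in a hypothetical custom format named `mtls` built from the real nginx variables `$ssl_client_verify` and `$ssl_client_s_dn`; the log lines and the allowlist of issued certificate subjects are constructed.

```python
"""Flag reverse-proxy requests served without a valid client certificate.

Assumes nginx has `ssl_verify_client on;` and logs with this hypothetical format:
  log_format mtls '$remote_addr "$ssl_client_verify" "$ssl_client_s_dn" $status "$request"';
"""
import re
# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 "SUCCESS" "CN=alice-laptop,O=home" 200 "GET /index.php/apps/files HTTP/1.1"
198.51.100.9 "NONE" "" 403 "GET /login HTTP/1.1"
198.51.100.9 "NONE" "" 200 "GET /status.php HTTP/1.1"
192.0.2.5 "FAILED:certificate has expired" "CN=old-phone,O=home" 200 "GET /remote.php/dav HTTP/1.1"
203.0.113.8 "SUCCESS" "CN=mallory,O=home" 200 "GET /index.php HTTP/1.1"
"""
# Constructed allowlist: subject DNs of the client certificates you actually issued.
ALLOWED_DNS = frozenset({"CN=alice-laptop,O=home", "CN=bob-phone,O=home"})
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Split one log line into its fields; raise on lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed log line: {line!r}")
    ip, verify, dn, status, request = m.groups()
    return {"ip": ip, "verify": verify, "dn": dn, "status": int(status), "request": request}

def check(rec, allowed=ALLOWED_DNS):
    """Return alert strings for one parsed record; an empty list means nothing is wrong."""
    alerts = []
    served = 200 <= rec["status"] < 400  # reached the backend (or was redirected)
    if rec["verify"] != "SUCCESS" and served:
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>. With ssl_verify_client on,
        # a missing/failed cert must never be proxied; this means a block is not enforcing it.
        alerts.append(f"BYPASS {rec['ip']} verify={rec['verify']} {rec['request']}")
    if rec["verify"] == "SUCCESS" and rec["dn"] not in allowed:
        # Chains to your CA but is a subject you never issued: revoke and investigate.
        alerts.append(f"UNKNOWN-CLIENT {rec['ip']} dn={rec['dn']}")
    return alerts

def scan_log(text, allowed=ALLOWED_DNS):
    """Run check() over every non-empty line and collect the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(check(parse_line(line), allowed))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, it reports the two requests that were proxied despite a missing or expired certificate and the one valid certificate whose subject was never issued; the `403` with no certificate is the expected outcome and stays quiet.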

It is such a different thing that it is hard to compare. A reverse proxy depends on whatever the authentication layer is between you and the proxy or with the applications themselves. However, it can potentially expose much less than a VPN. Some VPNs are undetectable (i.e. WireGuard-based) while a proxy will be found. There are many types of VPNs and some are comparable to a properly used proxy verifying a client certificate.

I use them both together. That way I only have to open one port.

I use Traefik as my reverse proxy with Cloudflare Tunnels (the VPN). It’s easy to add multiple domains, as Traefik uses tags on the Docker containers that are running to route the traffic. I had ChatGPT create the docker compose file for Traefik for this setup, and it made me a compose file for the first app. So easy to just keep adding to it.

Go with a VPN if you can. Exposing a collection of services to the public also means you’re exposing a collection of possible zero-days that you’re vulnerable to.

I thought this was comparing apples with oranges, coz reverse proxy is just pointing a URL to an IP, no?

I initially had everything on the actual internet. And it made me incredibly uncomfortable; the security risks were just too high. I tried direct port forward, CF tunnels, none of it was good enough. Nextcloud will be holding your personal data, enough to steal your identity, blackmail you, and plenty of other terrible things. It will also mean exposing your router with a beacon that 443 and 80 are open for business. Unless you use a CF tunnel, which is messy with NC and depending on use case breaks their ToS.

With self-hosted WireGuard, if you query the port it will appear closed; it only responds if given a valid key, and everything is end-to-end encrypted. I still use a domain and SSL but it only resolves on the intranet.

WireGuard can also be dialed in really tight. You choose which IPs go through the VPN; I have a unique subnet range I don’t imagine ever encountering out in the wild, so my WireGuard just keeps chugging along unimpeded. On my phone it’s split tunneled by IP AND app. So only my self-hosted service related apps ever use it.

For public sharing I have a second NC instance. You can have multiple NC profiles in the apps. So if I want to share an album or something I share the files to that instance and only those files, and generate whatever share link I want. The original data source is not available on the public instance so no risk to my actual data. I chose NC for the public share since it can do a bit of anything. Photos, documents, even an OnlyOffice for collab editing on there.

In short, with reverse proxy, you’re still exposing a service to the internet - the proxy. It’s much safer than exposing every individual service, but it DOES also provide a single point of failure - and attack.

Since you don’t need any authentication to connect to the proxy itself, you’re relying on it being secure against anything the internet throws at it. With a VPN, step 0 is authenticating yourself before being allowed to do anything. As long as the authentication method (typically public-key cryptography, though you could have other methods) is secure and not vulnerable, you are fine.

That said, people IMO tend to be overly cautious in this sub. As long as you aren’t doing anything stupid, your services are updated and use secure passwords (and preferably 2-factor authentication for anything sensitive), reverse proxy should be just fine for a home lab. I doubt anyone is seriously trying to hack your personal photo service. Mostly it’s automated scanning for known exploits and vulnerabilities because it only makes sense to do these things automated when the target is of no known value.

But that said, a VPN is really useful because there are a lot of services you really don’t need or want exposed to the internet - NAS storage, hypervisor UI, home automation stuff, security footage etc.

And in the end, consider worst-case, weighed against convenience. A service is only useful if you can… use it. But IF it is exploited, what is the worst case and can you recover from that?