Hey guys,

Currently I'm just running Calibre and Nextcloud docker containers over the web, with a DDNS from noip and a Cloudflare domain. But I also want to set up a Vaultwarden container too, so now I need to really consider the security of my server. What are the main things to watch out for? Calibre and Nextcloud are just using subdomains; is it okay to have a subdomain to connect to Vaultwarden? Am I better off just trusting Bitwarden and sticking with them?

Thanks!

  • gaylord_fartmaster@lemmy.world · 19 upvotes · 1 year ago

    Is there a reason you can’t just VPN in and expose only the VPN gateway? My preferred security is not exposing a bunch of random applications to the internet and hoping each doesn’t ever have any vulnerabilities.

    • 🅱🅴🅿🅿🅸@sh.itjust.works (OP) · 2 upvotes · 1 year ago

      Yeah, I could definitely do that; however, would that cause much trouble regarding using the Nextcloud Android app, or my ereader which uses OPDS to get books from Calibre? I get that I'd have to sign into the VPN, but I already use Mullvad on everything.

      Sorry, I just don't know much about personal VPNs.

      • gaylord_fartmaster@lemmy.world · 3 upvotes · 1 year ago

        As long as you’re connected to the VPN it probably shouldn’t. I use the Automate app on my phone to automatically connect to my home WireGuard server whenever I’m off my Wi-Fi, and it works great.

        You’re going to run into an issue of only being able to have one VPN connected on Android at a time, though, if you’re already running Mullvad on it. But as long as you have a decent connection at home and no data cap, you could just route all of your traffic through your home network, and then split tunnel your private IPs to connect directly, and anything else through Mullvad.

      • PriorProject@lemmy.world · 3 upvotes · 1 year ago

        Headscale would be a self-hosted way of doing this as well.

        • You’d install Headscale publicly accessible on your VPS or port-forwarded server.
        • You’d configure your phone and any laptop you travel with using the Tailscale apps with the special hidden setting to use your custom control server.
        • Now any apps you want to access yourself but not for the public unauthenticated internet to see, you bind to Tailscale/Headscale interfaces rather than public interfaces.
        • Anything you DO want publicly accessible (for example Immich for image sharing to friends who aren’t on your Tailscale network) you host the normal way by binding to a public interface.

        You could also do this with regular Tailscale and cut the self-hosted Headscale out of the picture.

        But by doing this or another private VPN setup, you take the listeners for some of your apps off the internet and reduce your attack surface. It obviously doesn’t help for WordPress or other stuff you actually want to share publicly, but it can give some peace of mind for personal services like Bitwarden or Jellyfin.
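An added example (not from this thread, and not the Headscale or Tailscale projects' own code) of the split PriorProject describes, written as a Docker Compose file for the OP's setup: the private service (Vaultwarden) publishes its port only on the host's Tailscale address, while the public one (Nextcloud) publishes on all interfaces for the reverse proxy. It assumes a Tailscale client (pointed at Headscale or not) runs on the Docker host and that the environment variable `TAILSCALE_IP` is set before starting; the variable name, port numbers and volume paths are choices made for the example. Tailscale assigns addresses from 100.64.0.0/10, and `tailscale ip -4` prints the host's own address.

```yaml
# Added example, not from the thread or from the Headscale/Tailscale projects.
# Assumes Tailscale runs on the Docker host and that TAILSCALE_IP is exported
# before `docker compose up`, e.g.:
#   export TAILSCALE_IP="$(tailscale ip -4)"   # a 100.x.y.z address
services:
  # Private: reachable only from devices on your tailnet.
  # Publishing on TAILSCALE_IP instead of 0.0.0.0 means no listener exists on
  # the public interface, so the service is off the internet entirely.
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data
    ports:
      # ${VAR:?msg} makes compose refuse to start if the variable is unset or
      # empty, instead of silently publishing on every interface.
      - "${TAILSCALE_IP:?set TAILSCALE_IP to the host's tailnet address}:8222:80"

  # Public: bound to all interfaces so the reverse proxy / Cloudflare can reach it.
  nextcloud:
    image: nextcloud:latest
    restart: unless-stopped
    volumes:
      - ./nc-data:/var/www/html
    ports:
      - "0.0.0.0:8080:80"
```

After `docker compose up -d`, confirm the result with `ss -tlnp` (or `docker port vaultwarden`): port 8222 should appear only on the 100.x.y.z address and 8080 on 0.0.0.0. Two caveats worth knowing: Docker publishes ports by writing its own iptables rules, so a host firewall like ufw does not protect a port published on 0.0.0.0, which is why binding to a specific address matters more than a firewall rule here; and the Bitwarden clients still expect an HTTPS origin, so put a TLS-terminating proxy in front of Vaultwarden on the same tailnet address rather than exposing plain HTTP.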