📚 Securely hosting Home Server
💡 News category: IT Security News
🔗 Source: reddit.com
I have been toying with the idea of hosting my own server at home for a while now. Its main purpose would be hosting groupware such as Nextcloud for use as a file server. However, while thinking about it, I started adding some more things to the original idea such as a Gitlab server. I got pretty excited by all the possibilities, but securing this system has been holding me back. Don’t get me wrong, I know there is no such thing as 100% security, but I wanted to get to a level that I feel comfortable with. Through this post, I would like to get some feedback on the security of my current idea for the setup.
The rig
I have a desktop computer that can be used as a server, which would run a headless OS such as Ubuntu server or something similar (maybe just plain Debian). This OS will have all incoming ports closed and will host Docker containers.
Backend Services
On the host PC, I’m planning to run a few services in Docker containers. These would be containerized versions of Nextcloud, Gitlab and a database for use with Nextcloud. These containers will be networked together, but can only access the ports on other containers that are needed, and nothing more.
Connecting to the Server
OpenVPN
To be able to reach the system, I want to use OpenVPN inside of a separate Docker container. This container will have access to the services in the backend, and will be set up to use a split-tunnel connection. That means only the requests for endpoints behind the VPN are routed through the VPN, and all other network traffic of the client goes through the normal internet connection of that client.
I want to use this VPN solution for added security. This way, I only have one port open on which clients can probe the system, instead of having each separate service public.
Ngrok
I have read about having your own IP exposed when using services such as a dynamic DNS. To mitigate this, I would like to use Ngrok. Ngrok is a service which lets you expose a TCP port on your localhost to their servers through a reverse tunnel. In turn, they will generate a unique URL (for instance: hdjekndk.ngrok.io), which you can use to connect to your own localhost. I want to use Ngrok to expose the OpenVPN server so I don’t have to use my public IP, but I can just connect to the Ngrok link. Ngrok cannot see my data either, because it’s all encrypted VPN traffic. I also don’t have to open ports, because Ngrok tunnels from inside my network to their servers.
Summary (tl;dr)
In summation, I want to use Ngrok to connect to an OpenVPN server at my home. This VPN connection will be a split tunnel, so it only serves as a connection to backend services that run behind it. These backend services would be Nextcloud, a database and Gitlab.
I would like to know if anyone uses this, thinks it’s secure or not, or perhaps sees a privacy related issue. All feedback is very much appreciated.
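The stack the post describes, as an added example that is not the poster's own configuration: a small bootstrap script that writes a docker-compose file with the backend containers on an `internal` Docker network (no route to the internet and no host ports published anywhere), an OpenVPN container that is the only bridge into that network, a split-tunnel OpenVPN server config that pushes just the backend subnet, and an ngrok config that exposes nothing but the VPN port. Image names, the 172.28.0.0/24 backend and 10.8.0.0/24 VPN subnets, the file paths and the `write_stack` / `published_ports` helpers are assumptions. One caveat the post does not mention: ngrok `tcp` tunnels forward TCP only, so OpenVPN has to run with `proto tcp-server` instead of its default UDP.

```shell
#!/bin/sh
# Hypothetical bootstrap for the home-server stack: writes docker-compose.yml,
# an OpenVPN server config and an ngrok config into one directory.
# All image names, subnets and paths are assumptions, not from the post.
set -eu

write_stack() {
  dir="$1"
  mkdir -p "$dir/openvpn" "$dir/ngrok"

  # No "ports:" key anywhere: nothing is published on the host firewall.
  cat > "$dir/docker-compose.yml" <<'EOF'
networks:
  backend:                 # internal: no internet route, no host ports
    internal: true
    ipam:
      config: [{subnet: 172.28.0.0/24}]
  edge: {}                 # ordinary bridge: only ngrok needs outbound access
services:
  db:
    image: mariadb:10.11
    env_file: db.env       # credentials kept out of this file (assumption)
    networks: [backend]
  nextcloud:
    image: nextcloud       # pin a tag in real use
    depends_on: [db]
    networks: [backend]
  gitlab:
    image: gitlab/gitlab-ce
    networks: [backend]
  openvpn:                 # the only container on both networks
    image: kylemanna/openvpn   # assumption: any OpenVPN image will do
    command: ["openvpn", "--config", "/etc/openvpn/server.conf"]
    cap_add: [NET_ADMIN]
    devices: [/dev/net/tun]
    sysctls: {net.ipv4.ip_forward: 1}
    volumes: [./openvpn:/etc/openvpn]
    networks: [backend, edge]
  ngrok:
    image: ngrok/ngrok
    command: ["start", "--all", "--config", "/etc/ngrok.yml"]
    volumes: [./ngrok/ngrok.yml:/etc/ngrok.yml:ro]
    networks: [edge]
EOF

  # ngrok tcp tunnels carry TCP only, so OpenVPN must listen in TCP mode.
  # Split tunnel: push only the backend subnet, never redirect-gateway.
  cat > "$dir/openvpn/server.conf" <<'EOF'
proto tcp-server
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 172.28.0.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt ta.key
remote-cert-tls client
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

  # Only the VPN port leaves the network; "openvpn" resolves on the edge net.
  cat > "$dir/ngrok/ngrok.yml" <<'EOF'
version: "2"
authtoken: REPLACE_WITH_YOUR_TOKEN   # assumption: keep this file out of git
tunnels:
  openvpn:
    proto: tcp
    addr: openvpn:1194
EOF
}

# Sanity check: count "ports:" keys in the compose file (should be 0).
published_ports() {
  grep -c '^ *ports:' "$1/docker-compose.yml" || true
}

# Usage: ./homeserver.sh write ./homeserver
if [ "${1:-}" = "write" ]; then
  write_stack "${2:-./homeserver}"
  echo "published host ports: $(published_ports "${2:-./homeserver}")"
fi
```

Two things compose alone does not give you: the certificates and `ta.key` referenced in `server.conf` still have to be generated (for example with easy-rsa), and VPN clients on 10.8.0.0/24 need a return path into 172.28.0.0/24, which most OpenVPN images provide with a `MASQUERADE` rule in the container; add one yourself if the image you pick does not. Also note that Docker does not restrict which ports containers on the same network may reach, so the "only the ports that are needed" goal from the post needs either one network per service pair or iptables rules inside the containers; the `internal: true` network only guarantees that the backend has no route out to the internet and no host port exposed.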