Why VPN tunnels are safer than opening a port on my router? (programming.dev)

submitted 5 months ago* (last edited 5 months ago) by cheddar@programming.dev to c/selfhosted@lemmy.world

35 comments fedilink hide all child comments

Hi!

I often read suggestions to use something like Tailscale to create a tunnel between a home server and a VPS because it is allegedly safer than opening a port for WireGuard (WG) or Nginx on my router and connecting to my home network that way.

However, if my VPS is compromised, wouldn't the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?

you are viewing a single comment's thread
view the rest of the comments

[-] jubilationtcornpone@sh.itjust.works 5 points 5 months ago* (last edited 5 months ago)

This is a pretty good summary. In enterprise networking, it's common to have the 'DMZ', the network for servers exposed to the internet, firewalled off from the rest of the system.

If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.

This helps limit the damage if a malicious actor hacks into your webserver by making sure they don't also have unrestricted access to other parts of your system. It's called a layered security approach.

However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it's configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.

Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that's useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn't exist anyway. That's not inherently bad. It comes with the territory when you're hosting public services. It is more more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it's about managing risk and different network configurations have different levels of risk.

this post was submitted on 27 May 2024

48 points (94.4% liked)

Selfhosted

39677 readers

357 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz