Topic: Alternative to using a reverse proxy and port forwarding (Read 993 times)
jata (Newbie, Posts: 14, Karma: 1)
Alternative to using a reverse proxy and port forwarding
« on: June 11, 2024, 02:10:59 am »
Hello,
This is my first post/question and I am new to opnsense so please go easy :-)
Very happy with opnsense by the way!
I have just rebuilt my home network using opnsense on a mini-pc. All working well (so far) and I have more or less set up my network in the same way as my previous setup using an Asus router.
For a few key services such as home assistant (that I need to work both in the lan and over the wan when away from home), I use swag + reverse proxy in a docker with a wildcard ssl cert linked to my duckdns DDNS domain. It all works fine but I need to open and port forward 443 to my server that is hosting these services.
I wanted to get some advice on whether this setup is a good idea (security v. ease of use) or if there are other more secure configurations that I should look into now that I have opnsense.
Thanks!
newsense (Hero Member, Posts: 986, Karma: 74)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #1 on: June 11, 2024, 05:17:02 am »
A VPN to your FW would void the need to expose any other services on the WAN.
jata (Newbie, Posts: 14, Karma: 1)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #2 on: June 11, 2024, 06:11:34 am »
Thanks.
Yes I have been thinking about using a VPN server on opnsense but it is an extra step on all my devices (and family) that I am hoping to avoid.
Anything else you can think of?
I was thinking about running some sort of authentication (authelia / authentik) in front of all of the services that I reverse proxy. Would this reduce the risk of my port forward setup enough to make it worthwhile?
Monviech (Hero Member, Posts: 1407, Karma: 163)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #3 on: June 11, 2024, 07:03:52 am »
If you want inbound traffic to hit a specific service, you have to open ports. Either directly on the firewall, or with a port forward.
A VPN also works by opening its port, too.
A VPN would be used for authentication, confidentiality and integrity.
Authentication: You could also use client certificates, basic auth or a provider like authelia/authentik
Confidentiality: That's what HTTPS already does with encryption
Integrity: Also done by HTTPS by using a message authentication code.
So in summary, make sure you always patch your stuff at home, secure everything with HTTPS and use some authentication, either in the app you reverse proxy or some sort of service before it.
You can also run a reverse proxy directly on the opnsense, for example Caddy (search for os-caddy in plugins). It supports duckdns, dynamic dns, automatic Let's Encrypt, basic auth and crowdsec integration, making it very good and easy to secure a home setup with.
https://docs.opnsense.org/manual/how-tos/caddy.html
« Last Edit: June 11, 2024, 07:07:41 am by Monviech »
Hardware: DEC740
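
The arrangement discussed in the reply above (HTTPS everywhere, a wildcard certificate for a DuckDNS domain, authentication in front of services that lack their own), as an added example that is not part of the original post and not the configuration the os-caddy plugin generates. It is a stand-alone Caddyfile; the hostnames, backend addresses, user name and the `files` service are placeholders, and it assumes Caddy 2.8 or later built with the caddy-dns/duckdns module.

```caddyfile
# Added example: stand-alone Caddyfile with placeholder names and addresses.
# Assumes Caddy 2.8+ (older releases spell the directive "basicauth")
# and a build that includes the caddy-dns/duckdns module.

*.example.duckdns.org {
	# Wildcard certificate through the DNS-01 challenge; the DuckDNS token
	# is read from the environment, not stored in this file.
	tls {
		dns duckdns {env.DUCKDNS_API_TOKEN}
	}

	# Service that has its own login: proxy it unchanged.
	@ha host ha.example.duckdns.org
	handle @ha {
		reverse_proxy 192.168.1.10:8123
	}

	# Service with no login of its own: require credentials at the proxy.
	@files host files.example.duckdns.org
	handle @files {
		basic_auth {
			# Placeholder: paste the output of `caddy hash-password` here.
			admin <bcrypt-hash>
		}
		reverse_proxy 192.168.1.10:8080
	}

	# Any other name under the wildcard gets no response at all, so only
	# the host names listed above reach a backend.
	handle {
		abort
	}
}
```

The final `handle` block is the part that matters for exposure: requests for host names that are not explicitly mapped are dropped at the proxy instead of falling through to a default backend.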
jata (Newbie, Posts: 14, Karma: 1)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #4 on: June 11, 2024, 07:10:39 am »
Thank you. Very helpful input.
I will continue to use my reverse proxy approach as I only open up to a few key services that are all up to date and each has authentication.
My reverse proxy is using subdomains to identify/map services so I guess this adds some protection as the subdomains are only known by me...
connervt (Newbie, Posts: 14, Karma: 0)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #5 on: June 11, 2024, 12:23:35 pm »
I picked up a cheap domain and use Cloudflare Tunnel in front of my reverse proxy (NPM).
Some additional benefits using free Cloudflare services are you can also do geo-blocking, get some threat/bot protection, and user authentication.
jata (Newbie, Posts: 14, Karma: 1)
Re: Alternative to using a reverse proxy and port forwarding
« Reply #6 on: June 12, 2024, 12:53:28 am »
Thanks for this. Good suggestion.
Do I need to buy a domain to use this setup or can I continue to use my duckdns DDNS service?