Alternative to using a reverse proxy and port forwarding

Started by jata, June 11, 2024, 02:10:59 AM

Hello,

This is my first post/question and I am new to opnsense so please go easy :-)

Very happy with opnsense by the way!

I have just rebuilt my home network using opnsense on a mini-pc. All working well (so far) and I have more or less set up my network in the same way as my previous setup using an Asus router.

For a few key services such as home assistant (that I need to work both in the lan and over the wan when away from home), I use swag + reverse proxy in a docker with a wildcard ssl cert linked to my duckdns DDNS domain. It all works fine but I need to open and port forward 443 to my server that is hosting these services.

I wanted to get some advice on whether this setup is a good idea (security v. ease of use) or if there are other more secure configurations that I should look into now that I have opnsense.

Thanks!


A VPN to your FW would void the need to expose any other services on the WAN.

Thanks.

Yes I have been thinking about using a VPN server on opnsense but it is an extra step on all my devices (and family) that I am hoping to avoid.

Anything else you can think of?

I was thinking about running some sort of authentication (authelia / authentik) in front of all of the services that I reverse proxy. Would this reduce the risk of my port forward setup enough to make it worthwhile?

If you want inbound traffic to hit a specific service, you have to open ports. Either directly on the firewall, or with a port forward.

A VPN also works by opening its port.

A VPN would be used for authentication, confidentiality and integrity.

Authentication: You could also use client certificates, basic auth or a provider like authelia/authentik
Confidentiality: That's what HTTPS already does with encryption
Integrity: Also done by HTTPS by using a message authentication code.

So in summary, make sure you always patch your stuff at home, secure everything with HTTPS and use some authentication, either in the app you reverse proxy or some sort of service before it.

You can also run a reverse proxy directly on OPNsense, for example Caddy (search for os-caddy in plugins). It supports duckdns, dynamic DNS, automatic Let's Encrypt, basic auth and CrowdSec integration, making it very good and easy to secure a home setup with.

https://docs.opnsense.org/manual/how-tos/caddy.html
Hardware:
DEC740
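A hand-written Caddyfile equivalent of the setup this reply describes (one wildcard duckdns certificate via the DNS challenge, one subdomain per service, basic auth only in front of a service that has no login of its own), as an added example that is not from the thread or from the os-caddy plugin, which generates its own configuration from the GUI. The subdomain names, LAN addresses, e-mail address and the DUCKDNS_API_TOKEN variable are assumptions, and the bcrypt hash is a placeholder.

```caddyfile
# Added example, not from the thread. Needs a Caddy build that includes the
# duckdns DNS module (the os-caddy plugin ships one; plain Caddy does not).
{
    # Account address for Let's Encrypt (assumed value)
    email admin@example.com
}

# One wildcard certificate obtained with the DNS-01 challenge, so port 80
# never has to be forwarded. The token lives in the environment, not here.
*.myhome.duckdns.org {
    tls {
        dns duckdns {env.DUCKDNS_API_TOKEN}
    }

    # Home Assistant has its own login and MFA, so no extra auth layer.
    # Home Assistant must list this proxy under http.trusted_proxies in its
    # configuration.yaml or it refuses proxied requests.
    @ha host ha.myhome.duckdns.org
    handle @ha {
        reverse_proxy 192.168.10.20:8123
    }

    # A service with no login of its own gets basic auth in front of it.
    # Generate the hash with: caddy hash-password
    # (on Caddy older than 2.8 the directive is spelled basicauth)
    @files host files.myhome.duckdns.org
    handle @files {
        basic_auth {
            jata $2a$14$REPLACE_WITH_OUTPUT_OF_caddy_hash-password
        }
        reverse_proxy 192.168.10.21:8080
    }

    # Any other name under the wildcard is not a known service. Note that a
    # guessed subdomain still reaches Caddy, so names are not a secret; only
    # the auth in front of each service keeps it closed.
    handle {
        respond 404
    }
}
```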

Thank you. Very helpful input.

I will continue to use my reverse proxy approach as I only open up to a few key services that are all up to date and each has authentication.

My reverse proxy is using subdomains to identify/map services so I guess this adds some protection as the subdomains are only known by me... 

I picked up a cheap domain and use Cloudflare Tunnel in front of my reverse proxy (NPM).

Some additional benefits of using free Cloudflare services are that you can also do geo-blocking, get some threat/bot protection, and user authentication.

Thanks for this. Good suggestion.

Do I need to buy a domain to use this setup or can I continue to use my duckdns DDNS service?