Why is a VPN any safer than exposed ports?

Edit: Thanks for the responses everyone. Would just like to clarify though, my interest is less so about the presence of open ports, but more so that: if all data is being forwarded from a VPS to the home network, why would the presence of a tunnel make things more secure? Surely in both situations, a vulnerable application at the ‘listening end’ is the only factor, regardless of whether communications to it took place in a tunnel or not.

Hi everyone!

I’ve been reading up on how to securely deploy public facing services on your self hosted machines and a common suggestion appears to be

VPS --> (Wireguard/VPN tunnel) --> home machine.

The benefits of this appears to be that you do not have to expose ports for applications that may be insecure, though my question is, to use Wireguard, you open a port, and if all you are doing is forwarding every request from the public facing VPS to the home machine (through wireguard) doesn’t that mean any ‘unsecured application’ receiving those requests through the local Wireguard interface is a vulnerability?

As a result, I don’t really see the benefit of using tunneling in a situation where you are forwarding all data through a VPS to your home network.

May someone enlighten me?

Thanks!

So you’re right in the regard that tunneling through a VPS isn’t much more secure than just opening a port on your own network and using a reverse proxy. They’re practically the same thing although you can limit the accessible IPs for the Wireguard tunnel so there would need to be a vulnerability for the application to get access to your home network. It also obfuscates your home network’s IP address so there is some security in that but not a ton.

Basically use a big name reverse proxy (NGINX, Traefik, Caddy, etc.) that has a pedigree of security and then in addition to that employ some kind of authentication layer (Authelia, Keycloak, Authentik, etc.) to be about as good as you can get security wise. Tunneling from a VPS has some benefit but not a ton compared to the other two steps.

Wireguard utilizes UDP as its port forwarding protocol. As a result, it won’t communicate with any attempts to reach it unless the communicator’s public and private keys match. This makes it virtually impossible for malicious actors to even determine if the port is open - let alone find a way to compromise it.

Wireguard also uses public and private keys to encrypt the content being communicated, which makes it difficult for someone in between to intercept and peek at the traffic.

Unless the developers explicitly state it, I wouldn’t trust any of your self-hosted applications to implement a similar level of security and at the very least would stick them behind a reverse proxy rather than opening the ports directly to the application. This also means you can (for the most part) trust the security of your VPS/home machines that are using Wireguard to communicate.

I’ve wondered the same thing. I imagine people are thinking about the convenience of having a static IP. And maybe they imagine that there will be a reverse proxy in the mix to potentially be better than simply port forwarding directly to a service.

But yeah, if the VPS is just accepting all connections and piping them into your LAN, I don’t see this as a security feature.

VPS --> (Wireguard/VPN tunnel) --> home machine

That assumes the Wireguard server is on the machine at home. You can also put it on the VPS and connect to that from the home machine, meaning no open ports on the home network.

The tunnel is encrypted and you only have to open a single port, with a VPN like WireGuard you don’t even get a response for failure…

If you mean is it going to make the application on your phone more secure... Nope, the application you are using has its own security flaws.

People add a VPN on a public network so that you cannot get packet sniffed for direct information or SSL man-in-the-middled.

I just have a small Linode VPS acting as a ZeroTier controller.

Everything is firewalled off from it except for the ZT 9993 UDP port.

All the servers/services on my home network are accessible from that second, encrypted network which also has PiAlert sitting there watching it and will alert me via Telegram and email if it detects a new IP address popping up on it. My Macbook, Lenovo Legion laptop, Shield TV, and Home PC are all on that same ZT network.

From there I just need to know the ZT IP addresses of my Homepage which has links to all my services over that same ZT encrypted network. I have one main Homepage and a backup copy running on the VPN itself in case the main ever goes down.

Meh, it works for me, is more than secure enough, and I don’t have to deal with opening firewall ports at home or reverse proxies/Caddy/Traefik/NGINX or cloudflare tunnels or any of that other stuff.

It’s been rock solid for about a year now and I can securely access all my home stuff from anywhere I have internet access.
I do keep a single Wireguard VPN account at the firewall just in case everything fails but I haven’t had to use it since setting this stuff up long ago. It just works.

The main advantages of restricting access to your home network to something like WireGuard, OpenSSH, or Caddy are:

  • Your most critical security is controlled in a single place. It’s easiest to monitor, update, and configure.
  • The developers expect these programs to be facing the internet.
  • They have all been designed, coded, and are maintained with security in mind.
  • They have been used and audited by many people and lots of bugs have been found.
  • There’s lots of information about how to best configure them with security in mind.
  • Their bugs are found and patched quicker and provide a layer of protection in front of less well designed and coded applications.
  • They can provide a single place to manage and enforce usernames and passwords.

In theory you could have equally good security while exposing everything directly to the internet, but in practice that’s not usually how it works out.

Personally I don’t see that a VPN offers much more security than openssh or caddy, e.g. I’d rather run openssh/caddy than OpenVPN. (Unless you have some reason to be concerned about your origin IP being discoverable.)

You are mixing up two things. People run VPNs to:

  • protect applications. Instead of exposing applications to the internet anywhere, you install a VPN client on your devices and VPN server on your network edge. Traffic is encrypted end to end and there is no way to connect to the application without your keys. VPS not required. Most secure but only you can use the services (can be both an upside and a downside depending on the nature of the service)

  • to either hide their public IP or work around (CG-)NAT. Some people don’t want services they host to give away their home IP address and they are using a VPS as a mask. This does basically nothing for application security. Alternatively people don’t have a public IP with open ports to host anything from, which they can work around by setting up a VPN server externally and initiating the connection from their home network. This way they’re actually making their network more open than their ISP allows or supports.

VPN significantly reduces communication speed.

Web based services with user authentication offer safe data access at great speed. Assuming SSL.

You can also use something like Cloudflare Tunnel, which is free: you install an agent on one of your servers and from there you set up an HTTPS site to any of your local apps without exposing any of your ports. I published https://ombi.graphenetechlabs.com

I agree reverse proxy + auth/limiting IPs would provide more security, though I think in these circumstances it wouldn’t be applicable.

(I should clarify, I was referring to things such as websites / game servers which would have to accept connections from anyone)

A different commenter mentioned the possibility of tunnelling into a device which is then placed in a DMZ as means of protecting the rest of the network, though again, I don’t think a tunnel is necessary for this either.

Thanks for the response/sanity check though!

What does authelia/authentik do? Can’t I just make a cloudflare rule making everyone put a one time pin, or does authelia do more than just that?

UDP plays no part in the security features of Wireguard. User Datagram Protocol is a transport layer protocol (OSI layer 4) which encapsulates Wireguard packets. UDP has no security features on its own. You could theoretically configure your firewall to only accept connections to the UDP port of Wireguard from the IP of the VPS; that could act as a security feature.

A reverse proxy does not necessarily protect poorly secured web applications which sit behind it. Some reverse proxies have capabilities to detect commonly known malicious connection attempts and block them. All other requests are simply forwarded.

The major security advantage of routing through a VPS is not directly exposing your home IP to all Internet traffic. The same could be accomplished with CloudFlare if you trust them.
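To make the points in this thread concrete (the WireGuard listener sitting on the home machine as in the OP's diagram, the firewall accepting the WireGuard UDP port only from the VPS as suggested in the reply above, and the VPS forwarding a single public port so that a compromised VPS can reach exactly one service rather than the whole LAN), here is an added pair of wg-quick configurations. They are example configs written for this thread, not anything posted by a commenter. Assumptions: the VPS public IP is 203.0.113.10, the home public IP is 198.51.100.20, the tunnel uses 10.8.0.0/24, the published service listens on TCP 8443 on the home machine itself, the VPS's public interface is eth0, nftables is installed on both ends, and the key values are placeholders to be replaced with output of `wg genkey` / `wg pubkey`.

```ini
# ---------------------------------------------------------------
# home-wg0.conf  (WireGuard listener on the home machine)
# Assumed addresses: VPS 203.0.113.10, tunnel 10.8.0.0/24, service on :8443
# ---------------------------------------------------------------
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = <HOME_PRIVATE_KEY>        ; placeholder, generate with: wg genkey
# Firewall table that lives only while the tunnel is up (%i = this interface, wg0).
PostUp = nft add table inet wgguard
PostUp = nft add chain inet wgguard input '{ type filter hook input priority 0; policy accept; }'
PostUp = nft add rule inet wgguard input ct state established,related accept
# The WireGuard port is reachable from the VPS address only; all other sources are dropped
# before the handshake, so the port is invisible to the rest of the Internet.
PostUp = nft add rule inet wgguard input udp dport 51820 ip saddr != 203.0.113.10 drop
# Inside the tunnel only the published service is reachable. If the VPS is ever compromised,
# this is the whole attack surface it gets on the home side: one port, not the LAN.
PostUp = nft add rule inet wgguard input iifname %i tcp dport 8443 accept
PostUp = nft add rule inet wgguard input iifname %i drop
PostDown = nft delete table inet wgguard

[Peer]
PublicKey = <VPS_PUBLIC_KEY>           ; placeholder
AllowedIPs = 10.8.0.1/32               ; only the VPS's tunnel address may appear as a source

# ---------------------------------------------------------------
# vps-wg0.conf  (public ingress; forwards only TCP 443 into the tunnel)
# Assumed addresses: home 198.51.100.20, public interface eth0
# ---------------------------------------------------------------
[Interface]
Address = 10.8.0.1/24
PrivateKey = <VPS_PRIVATE_KEY>         ; placeholder, generate with: wg genkey
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = nft add table ip wgfwd
# DNAT public :443 to the service on the home end of the tunnel.
PostUp = nft add chain ip wgfwd prerouting '{ type nat hook prerouting priority -100; }'
PostUp = nft add rule ip wgfwd prerouting iifname eth0 tcp dport 443 dnat to 10.8.0.2:8443
# Forward nothing except that one flow (and its replies); this VPS does nothing else.
PostUp = nft add chain ip wgfwd forward '{ type filter hook forward priority 0; policy drop; }'
PostUp = nft add rule ip wgfwd forward ct state established,related accept
PostUp = nft add rule ip wgfwd forward oifname %i ip daddr 10.8.0.2 tcp dport 8443 accept
# Masquerade so the forwarded packets carry source 10.8.0.1, which is what the home
# side's narrow AllowedIPs accepts; replies then route back through the VPS.
PostUp = nft add chain ip wgfwd postrouting '{ type nat hook postrouting priority 100; }'
PostUp = nft add rule ip wgfwd postrouting oifname %i masquerade
PostDown = nft delete table ip wgfwd

[Peer]
PublicKey = <HOME_PUBLIC_KEY>          ; placeholder
Endpoint = 198.51.100.20:51820
AllowedIPs = 10.8.0.2/32
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` after copying the file to /etc/wireguard/wg0.conf. Two things worth noticing. First, the masquerade on the VPS is what lets the home side keep AllowedIPs at a single /32 instead of 0.0.0.0/0 (which wg-quick would turn into a default route), at the cost that the application on :8443 sees 10.8.0.1 as every client's address, so its own logs and any per-IP rate limiting lose the real source. Second, this setup changes nothing about what the OP is asking: any Internet client still reaches :8443, so that service's own security is still the deciding factor; what the tunnel plus these rules buy is that the home IP is never published, the home firewall has no port reachable from the general Internet, and a compromised VPS can talk to one port rather than to everything on the LAN. For the CG-NAT case described earlier in the thread, swap the roles: put ListenPort on the VPS, give the home side the Endpoint and PersistentKeepalive lines, and drop the saddr restriction (the home IP is no longer fixed), in which case the home firewall needs no inbound rule at all.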

Yes, but this use case (VPS forwarding all requests to home network) invalidates this public/private key reasoning, as an attacker would not need the correct private key to send a request to the public facing VPS (who possesses the correct keys) which would then forward it to the home network.

As the VPS is still the ingress to the tunnel, and is open to everyone, this wouldn’t stop an attacker.

Actually, you can still check if a port is open with UDP. nc -z -v -u hostip 51820. Tested this on my WireGuard server and it does show connected.

Well, you’ve still opened a point of ingress and egress should the security of the WireGuard tunnel get compromised. Granted, the likelihood of that happening is low.

Sorry, I don’t understand, where would the ingress into the home network be then? The purpose of the tunnel is to redirect traffic from/to the VPS to/from the home network as the home network will be hosting the server.

Sorry I don’t understand aha

Yeah in the situation where you need to allow anyone at any time I would isolate that server as much as possible from any other servers it doesn’t need to talk to. Preferably physical isolation and a separate network but if that isn’t possible you can do a DMZ or VLANs with particular firewall rules, etc. Tunneling through a VPS isn’t necessary but does provide certain benefits if you want them (hiding data from ISP, hiding your home IP from your clients, etc.)