Why is a VPN more secure than opening your nextcloud instance to the Web?

From all the security posts I’ve read it seems people favour using a VPN over opening ports 80 and 443 and having nextcloud open to the Internet. I don’t understand why, as using a VPN still requires opening ports.

Would a nextcloud open to the Web with ssl, a strong password, 2 factor authentication, fail2ban and geoblocking be just as secure?

Edit: Thank you for all your responses, they were really insightful! I’ve decided to go VPN as it was very easy to set up and I am the sole user, at least for now anyway. Thanks!

I’m going to preface this by saying you’re safe/good hosting a fully patched public facing Nextcloud instance as you described.

That being said, the concern here isn’t ports being open but rather the service behind the ports. Let’s say you opt to put all your services behind something like a WireGuard VPN server. The only thing that touches the internet is WireGuard, whose sole purpose is encryption/authentication. If it doesn’t do those things well, it’s useless.

If you then look at Nextcloud, you have potential security issues in nginx/Apache, OpenSSL, PHP, Nextcloud, and user passwords. There are way more places to have security vulnerabilities and misconfigurations.

Because VPNs were built for exactly this reason: to provide security.

So, a properly secured VPN (OpenVPN, WireGuard etc.) will not even show up on port scans, will not respond at all to any unauthenticated inquiries. Basically if you don’t have your certificate issued by the VPN server to sign the packets you send to it, it will just ignore you (and use UDP to be able to really ignore you). So no chance for password spraying or anything.

Second, VPN encryption schemes are designed to really protect the traffic and are constantly checked (I’m talking about security conscious VPNs).

And third, the VPN server is a gateway. Let’s say someone sneaks in (basically he has to steal your certs and other required login information, if any). He’ll only be able to try to log into the web server in this case. Or any other service. A properly secured inner network isn’t easy to crack.

In contrast, we have the web server. By design it is a chatty chap. So you can gather some info about it without even having to try to authenticate in the underlying app. And because web servers are meant to give info out, security bugs happen and sometimes someone can crack it wide open if the server itself has some bug or the underlying application does. Fail2ban & co. are reactionary mechanisms. If someone can exploit some vulnerability in the web server or app, chances are that fail2ban will not detect it.

Edit: to be clear: if someone pwns your web server/app, they will have direct access to your data in one go.

And besides security, a VPN can provide all kinds of perks such as using your own DNS server securely, accessing your network’s devices remotely, not only the Nextcloud service, etc.
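As an added illustration of the "fail2ban is reactionary" point above (this is example code, not anything posted in the thread): a minimal fail2ban-style rule run over constructed Nextcloud-style log lines. It only ever fires on repeated failed logins it can see; a single request that exploits a bug in the web stack leaves no "Login failed" entry and so never matches. The JSON log layout and field names are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on Nextcloud's JSON-per-line log.
# Field names, IPs (RFC 5737 documentation ranges) and messages are made up.
SAMPLE_LOG = """
{"level":2,"time":"2024-01-10T08:00:01+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"level":2,"time":"2024-01-10T08:00:05+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"level":2,"time":"2024-01-10T08:00:09+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"level":2,"time":"2024-01-10T08:02:00+00:00","remoteAddr":"198.51.100.4","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.4')"}
{"level":1,"time":"2024-01-10T08:02:30+00:00","remoteAddr":"198.51.100.4","app":"core","message":"Login successful: 'alice'"}
"""


def failed_login_event(line):
    """Return (ip, timestamp) if this line records a failed login, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON record; a fail2ban filter would skip it too
    if not rec.get("message", "").startswith("Login failed"):
        return None  # successful logins and ordinary requests are invisible here
    return rec["remoteAddr"], datetime.fromisoformat(rec["time"])


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Fail2ban-style rule: ban an IP once it has maxretry failures within findtime.

    Note what this cannot do: an exploit of a vulnerability in nginx/Apache, PHP
    or Nextcloud itself produces no failed-login line, so this rule stays silent.
    """
    attempts = defaultdict(list)  # ip -> timestamps of recent failures
    banned = set()
    for line in log_text.strip().splitlines():
        hit = failed_login_event(line)
        if hit is None:
            continue
        ip, ts = hit
        recent = [t for t in attempts[ip] if ts - t <= findtime]  # slide window
        recent.append(ts)
        attempts[ip] = recent
        if len(recent) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # only the IP with three failures in 10 min
```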

Both SSL and VPNs have security issues if configured incorrectly. Neither is inherently safer than the other and both have different considerations and use cases.

VPN is a tunneled approach that connects two end points using encryption to keep the wider internet at bay. If you’re not at the end of either side of the tunnel, you’re not going to see what’s going on in the tunnel.

SSL (commonly known as TLS) is a technology built on top of HTTP. HTTP sends information back and forth, HTTPS combines SSL and HTTP - so this bidirectional transfer is now secured using an SSL encryption layer, which is not tunneled. This could be intercepted by a third party. Now if your SSL library is up to scratch and your ciphers are unbroken, it doesn’t really matter who gets their hands on this as they can’t read it.

So on the face of it, VPN and SSL are not exactly fairly comparable. Some VPN implementations can actually use SSL, resulting in a layered system.

Implementing a VPN or SSL as a security solution depends on where you want the security to lie. SSL is configured at the application level whereas VPN is configured on your operating system itself (which arguably is a larger attack vector than an application alone).

A VPN requires significantly more overhead to operate (in terms of system resources) than an SSL solution by the nature of having to keep the tunnel ready to connect to at all times. SSL of course only operates in the browser so is much more lightweight.

In the plainest terms your suggestion is not really better or worse than a VPN. Assuming you’ve taken all reasonable and appropriate measures to harden your server (firewall configuration, SSH tuning etc.) your approach will be fine. To go one step further you could simply ban all IPs and only allow those that you know you will be connecting from, assuming this is a small, personal Nextcloud instance!

I run my Nextcloud via a reverse proxy. VPN is overkill IMHO.

I leave everything behind a VPN and didn’t open any other ports. The primary reason for me to do that is my lack of understanding regarding security on public facing instances. Our phones autoconnect to the home VPN when leaving the home network.

The only complaint I have is with my service provider only giving 5 Mbps of upload speed, which is frustrating, and I am waiting to switch to a provider that offers higher upload speeds.

My thoughts:

Nextcloud was built to be internet facing. So it is as secure as other web facing solutions. Maybe because it’s open source and free people don’t trust it as much as, let’s say, Google or Dropbox. But I would trust my data/info with a Nextcloud instance that I host far more than Google/Dropbox.

I have a Nextcloud server sitting in a DMZ on my network. It’s https, runs fail2ban, and my logs don’t show anything unusual.

I have a VPN to get into my network remotely, but I couldn’t imagine connecting to a VPN every time I wanted to view or upload a file. I feel it’s just paranoia. I trust my Nextcloud instance. Especially with the data I put in it. If you have highly sensitive data, it shouldn’t be accessible from the internet no matter how you access it.

Those are my thoughts.

Why would someone have their PHP public on the web… major security hole, or having to use a good password on the internet. PHP should only be connected to by the server itself.

This is very true. I know from experience this method is used in industry and security wise it’s the best solution. Just a thought for the OP of this question: you see a lot of tutorials or videos which tell you how to setup nice services like Nextcloud on your device, and usually they go about it rather quickly. However, these sources are often incomplete and hosting your own internet facing services is a serious matter. Before you do such a thing, you should know a lot about what you are doing. My advice is to read up on the tech that is mentioned in these comments and do some more research of your own. There are also people who take these matters more lightly, but in my mind I always come back to the same thing: if it was all that easy and safe out there and we could all do it, why would companies hire sysadmins, pentesters and so on to work on their systems?

But SSL exposes significantly more information, and on unsecured wifi someone can just sniff the IP address and port right from the air.

How does the reverse proxy improve your security?

(Spoiler: it doesn’t)

How do you do the autoconnect part? I was trying to do that with Tasker but I was not really successful.

You really want a symmetric connection, or just high upload, which is not offered by most/all ADSL or fibre to the cabinet connections. The best options for internet look like fibre and possibly even Starlink.

I don’t disagree, but your premise does have a flaw. Google/Dropbox have a team of people 24 hours a day specifically concerned with intrusion detection and prevention. You have you.

Also, unknown bugs in Google/Dropbox get fixed internally without fanfare. Nextcloud bugs by definition need to be reported on before everyone installs the fixes.

Just use an always-on VPN. I have it on all my devices, laptops, phones, and it’s just seamless.

Dangerous thoughts they are. It is always better to leave fewer or no ports open, and those should be the most secure. A VPN is always preferable over other less secure services. That is why the fast and easy WireGuard VPN is all the rage.

I didn’t say it did. But a VPN is still overkill for something that’s designed to be Internet facing.

Is there any benefit in using a reverse proxy when all your HTTP services run on the same host? Because otherwise I could simply forward ports 80/443.

OpenVPN has great instructions to integrate with Tasker. I was told WG has it on iPhone by default too.

I agree they both have resources beyond us as individuals to constantly monitor security flaws, etc… However, I as an individual have more data privacy concerns than Google especially. I am not bashing any service as I also use Google Drive as well as Dropbox. I am just annoyed by how much data is collected for ad revenue. Don’t you just hate looking for something on the internet, one time, and receiving ads about it?

I have run enough tests against my instance to feel confident in the security and privacy of my data as a self-hosted solution. To the point that I don’t feel it necessary to constantly be connected to a VPN.

Don’t get me wrong, I run services that I will ONLY VPN into, but in my use case, Nextcloud is not one of them.