2024-02-22, 03:25 PM
(This post was last modified: 2024-02-22, 07:53 PM by toparity. Edited 1 time in total.)
For exposing your self-hosted web services to the internet, a lot of people seem to suggest a variation of "hire a VPS and use WireGuard", so you would have a reverse proxy on your VPS and you don't actually need to open any ports on your home network. The VPS acts as a stepping stone, clients connect to your web services through the VPS, which forwards the connections via WireGuard to your home network.
That seems nice for hiding your home IP address, but people seem to tout this as if it is more secure for hosting web applications such as Jellyfin. If your VPS provider has DDoS protection, you also benefit from that, but it doesn't actually seem to make my home network more secure, no?
People keep talking about whitelisting IPs, geo-blocking IPs, using fail2ban, and setting up a reliable and mature reverse proxy on the VPS. That's all great, but I can just run all of that on my home server? Surely someone is just as likely to bypass security measures on my VPS as they are on my home network directly, and if they manage to get onto my VPS they then have access to my home network anyway?
The only additional service that I would actually be running, if I were to use a VPS rather than doing everything directly on my home server, is WireGuard. Is there something about WireGuard that would actually prevent an attacker on the VPS from accessing the home network? At that point, they have the public key associated with my home server, and they can send whatever they want.
If someone tries to brute force my Jellyfin accounts, for example, a VPS does absolutely nothing to prevent this. WireGuard will happily route all those attempts to exactly the right place. It doesn't seem like a VPS with WireGuard makes it any harder for someone to access my home network.
Just for clarification, I'm happy with how to secure my network, but I'm asking what additional security WireGuard + a VPS actually offers. It basically just seems to mask my home IP at the cost of latency and an additional failure point.
Is there something I am misunderstanding here?
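As an added illustration (not part of the original post, and not any particular project's configuration), the following is a home-side WireGuard configuration for the topology described above, written to bound what a compromised VPS could reach through the tunnel. The tunnel addresses (10.0.0.1 for the VPS, 10.0.0.2 for the home server), the interface name wg0, the endpoint hostname, the nftables table name and the Jellyfin port 8096 are all assumptions chosen for the example; the key values are placeholders.

```ini
# /etc/wireguard/wg0.conf on the HOME server (assumed layout for this example)
[Interface]
Address = 10.0.0.2/32
PrivateKey = <home-private-key-placeholder>
# wg-quick runs these on interface up/down. They install an nftables filter so
# that the only thing reachable from inside the tunnel is the Jellyfin port
# (8096 is assumed); everything else arriving on wg0 is dropped.
PostUp = nft add table inet wgfilter
PostUp = nft add chain inet wgfilter input '{ type filter hook input priority 0; policy accept; }'
PostUp = nft add rule inet wgfilter input iifname "wg0" tcp dport 8096 accept
PostUp = nft add rule inet wgfilter input iifname "wg0" ct state established,related accept
PostUp = nft add rule inet wgfilter input iifname "wg0" drop
PostDown = nft delete table inet wgfilter

[Peer]
# The VPS. AllowedIPs is both the routing entry and a source filter: a packet
# that decrypts correctly under this peer's key but carries any other source
# address is discarded by WireGuard before it reaches the firewall.
PublicKey = <vps-public-key-placeholder>
AllowedIPs = 10.0.0.1/32
Endpoint = vps.example.com:51820
PersistentKeepalive = 25
```

With this in place the VPS peer can only speak as 10.0.0.1 and can only open connections to the home server's port 8096, which is the same service that would have been exposed had the home router forwarded the port directly. The example assumes the home server does not forward tunnel traffic onward (no forward chain and IP forwarding left off), so the rest of the LAN is not reachable through wg0 at all; on the VPS side the reverse proxy's upstream is 10.0.0.2:8096 and the home peer's AllowedIPs is 10.0.0.2/32. Checking the counters with `nft list table inet wgfilter` shows whether anything other than Jellyfin traffic is arriving through the tunnel.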