Jellyfin Forum / Off Topic / Self-hosting & Homelabs
    Is using a VPS with WireGuard really more secure for hosting web services?

    What is the real security value of VPS + WireGuard for hosting web services: is it more than just IP masking?
toparity, Junior Member
#1, 2024-02-22, 03:25 PM (last modified 2024-02-22, 07:53 PM by toparity)
    For exposing your self-hosted web services to the internet, a lot of people seem to suggest a variation of "hire a VPS and use WireGuard", so you would have a reverse proxy on your VPS and you don't actually need to open any ports on your home network. The VPS acts as a stepping stone, clients connect to your web services through the VPS, which forwards the connections via WireGuard to your home network.
That seems nice for hiding your home IP address, but people seem to tout this as if it were more secure for hosting web applications such as Jellyfin. If your VPS provider has DDoS protection, you also benefit from that, but it doesn't actually seem to make my home network more secure, no?

    People keep talking about using whitelisting IPs, geo-blocking IPs, using fail2ban, and setting up a reliable and mature reverse proxy on the VPS. That's all great, but I can just run all of that on my home server? Surely someone is just as likely to bypass security measures on my VPS as they are on my home network directly, and if they manage to get onto my VPS they then have access to my home network anyway?
    The only additional service that I would actually be running, if I were to use a VPS rather than doing everything directly on my home server, is WireGuard. Is there something about WireGuard that would actually prevent an attacker on the VPS from accessing the home network? At that point, they have the public key associated with my home server, and they can send whatever they want.

    If someone tries to brute force my Jellyfin accounts, for example, a VPS does absolutely nothing to prevent this. WireGuard will happily route all those attempts to exactly the right place. It doesn't seem like a VPS with WireGuard makes it any harder for someone to access my home network.

    Just for clarification, I'm happy with how to secure my network, but I'm asking what additional security WireGuard + a VPS actually offers. It basically just seems to mask my home IP at the cost of latency and an additional failure point.

    Is there something I am misunderstanding here?
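The question above turns on what the home side is willing to accept from the VPS peer, so here is what a tight home-side configuration looks like. This is an added example, not configuration from the original posts or from the Jellyfin or WireGuard projects; interface names, addresses, ports and the key placeholders are assumptions to adjust. It rests on two facts. WireGuard authenticates the peer, not the packets: whoever holds the VPS's private key can inject anything into the tunnel. And AllowedIPs (WireGuard's cryptokey routing table) constrains which source addresses are accepted from that peer and which destinations are routed into the tunnel, but says nothing about destination ports on the home host, which is the job of a host firewall.

```shell
#!/bin/sh
# Home-side config for "reverse proxy on a VPS, WireGuard back to home".
# Added example for this thread, not from the original posts. All addresses,
# ports, interface names and key placeholders are assumptions; adjust them.
set -eu

WG_IF="wg0"
LAN_IF="eth0"                     # home server's LAN interface (assumption)
LAN_NET="192.168.1.0/24"          # home LAN (assumption)
HOME_WG_ADDR="10.0.0.2"           # home server's tunnel address
VPS_WG_ADDR="10.0.0.1"            # VPS's tunnel address
VPS_ENDPOINT="203.0.113.10:51820" # VPS public address (RFC 5737 test range)
JELLYFIN_PORT="8096"

# 1) AllowedIPs: a decrypted packet from this peer is dropped unless its source
#    address is inside AllowedIPs, and only destinations inside AllowedIPs are
#    routed into the tunnel. A single /32 for the VPS means the tunnel cannot
#    carry LAN or internet traffic in either direction.
render_home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_ADDR}/32
PrivateKey = <home-private-key>
# No ListenPort: the home side dials out, nothing is opened on the home router.

[Peer]
# The VPS reverse proxy. Only its tunnel address is accepted and routed.
PublicKey = <vps-public-key>
Endpoint = ${VPS_ENDPOINT}
AllowedIPs = ${VPS_WG_ADDR}/32
PersistentKeepalive = 25
EOF
}

# 2) Host firewall: from the tunnel only Jellyfin's TCP port is reachable, and
#    nothing arriving on the tunnel is ever forwarded into the LAN. An attacker
#    on the VPS is then in the same position as anyone who could reach the
#    Jellyfin port from a single IP address, no more.
render_home_nft_rules() {
  cat <<EOF
table inet wg_home {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # Management from the LAN (assumption: narrow this to your admin host).
    iifname "${LAN_IF}" ip saddr ${LAN_NET} accept
    # From the tunnel: only the VPS's address, only Jellyfin's TCP port.
    iifname "${WG_IF}" ip saddr ${VPS_WG_ADDR} tcp dport ${JELLYFIN_PORT} ct state new accept
    iifname "${WG_IF}" counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # The tunnel must never be a route into the LAN.
    iifname "${WG_IF}" counter drop
  }
}
EOF
}

# Counterpart on the VPS, for orientation: its peer entry for the home server
# carries AllowedIPs = ${HOME_WG_ADDR}/32, and the reverse proxy's upstream is
# http://${HOME_WG_ADDR}:${JELLYFIN_PORT}.

main() {
  case "${1:-render}" in
    render)
      echo "# /etc/wireguard/${WG_IF}.conf"; render_home_wg_conf
      echo; echo "# nftables ruleset"; render_home_nft_rules ;;
    apply)
      # Only when run as root and asked for explicitly; rendering is the default.
      umask 077
      render_home_wg_conf > "/etc/wireguard/${WG_IF}.conf"
      render_home_nft_rules | nft -f -
      wg-quick up "${WG_IF}" ;;
  esac
}
main "$@"
```

Run without arguments it only prints both files; `apply` writes the config and loads the ruleset. The common alternative found in many guides, AllowedIPs = 192.168.1.0/24 on the VPS's peer entry plus IP forwarding at home, makes the VPS a gateway into the LAN, which is exactly the scenario the post worries about; with the configuration above, compromise of the VPS yields reachability of one TCP port from one address, the same exposure as port-forwarding Jellyfin directly, minus exposure of the home IP and whatever filtering the VPS does in front.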
34626, Member
#2, 2024-02-22, 06:03 PM
As you mention, people can set up a lot of things. I don't know what services / features a VPS offers; I'd say:
Don't use default ports
Only use HTTPS
fail2ban is good for general security and not just for Jellyfin
A secure OS
Don't allow your admin account to access the server from remote
Run Jellyfin in a Docker container and only allow read-only access to your media folder destinations.
    Serv: N5105 - 32GB RAM, 1 WD Red SA500 2TB, 2 8TB, 2 4TB WD Red Plus, LC-35U3-C-HUB
    OS: Debian
    Clients: Pi4 with LibreELEC + JellyCon and Jellyfin Media Player
    Network: 2 TP-Link AX23, OpenWRT mesh 802.11s and 1 Gbit
TheDreadPirate, Community Moderator
#3, 2024-02-22, 06:14 PM (last modified 2024-02-22, 06:15 PM by TheDreadPirate)
No single aspect of computer security is invulnerable. You achieve "good enough" security by adding as many layers as you're comfortable with that meet your needs and are appropriate for your application. Using a VPS is a layer in this metaphoric onion of security.

(2024-02-22, 03:25 PM)toparity Wrote: For exposing your self-hosted web services to the internet, a lot of people seem to suggest a variation of "hire a VPS and use WireGuard", so you would have a reverse proxy on your VPS and you don't actually need to open any ports on your home network. The VPS acts as a stepping stone, clients connect to your web services through the VPS, which forwards the connections via WireGuard to your home network.
That seems nice for hiding your home IP address, but people seem to tout this as if it were more secure for hosting web applications such as Jellyfin. If your VPS provider has DDoS protection, you also benefit from that, but it doesn't actually seem to make my home network more secure, no?


The security to your home network is that extra hop a hypothetical hacker would need to make. Access to the VPS does not grant them unrestricted access to your home network. Or even the server on the other end of the WireGuard tunnel.

    (2024-02-22, 03:25 PM)toparity Wrote: People keep talking about using whitelisting IPs, geo-blocking IPs, using fail2ban, and setting up a reliable and mature reverse proxy on the VPS. That's all great, but I can just run all of that on my home server? Surely someone is just as likely to bypass security measures on my VPS as they are on my home network directly, and if they manage to get onto my VPS they then have access to my home network anyway?
    The only additional service that I would actually be running, if I were to use a VPS rather than doing everything directly on my home server, is WireGuard. Is there something about WireGuard that would actually prevent an attacker on the VPS from accessing the home network? At that point, they have the public key associated with my home server, and they can send whatever they want.

You, 100%, can just run all those apps on your home network. Most people run those services either on the same host running Jellyfin or on another PC they have. I run all my services on the same machine as Jellyfin. From anecdotal experience, a large percentage of VPS users also rely on the anonymity it grants for "acquiring" their media. WireGuard does not do anything other P2P VPNs don't also do. It is just built into the Linux kernel and is using the latest and greatest encryption and is super fast and lightweight.

    (2024-02-22, 03:25 PM)toparity Wrote: If someone tries to brute force my Jellyfin accounts, for example, a VPS does absolutely nothing to prevent this. WireGuard will happily route all those attempts to exactly the right place. It doesn't seem like a VPS with WireGuard makes it any harder for someone to access my home network.
    Just for clarification, I'm happy with how to secure my network, but I'm asking what additional security WireGuard + a VPS actually offers. It basically just seems to mask my home IP at the cost of latency and an additional failure point.

    Is there something I am misunderstanding here?

There are two things to mitigate this. 1) Check "hide this user from the login screen" in the Users dashboard so you aren't giving hackers a starting point and 2) set up fail2ban so that after X number of failures you block them at the firewall level.

    This is why it is important to create as many layers as possible.  While using a VPS does give you a minor security boost, the main advantage is anonymity.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
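The second mitigation in post #3, as an added example that is not from the original posts or from the Jellyfin project: the counting a fail2ban jail performs over Jellyfin's denied-authentication log lines, run here over a constructed sample log, followed by the equivalent fail2ban filter and jail. The sample lines are constructed in the shape of Jellyfin's denied-auth message; compare the pattern with the filter in the Jellyfin documentation and with your own log before relying on it, and treat the log path and thresholds as assumptions. One caveat that matters for this thread: the IP Jellyfin logs is the address it sees on the connection. Behind the VPS's reverse proxy that is the VPS's tunnel address unless the proxy is listed in Jellyfin's known-proxies setting so that the forwarded client address is used; otherwise the first ban fires against the VPS and cuts off every legitimate user with it. A jail on the VPS, conversely, sees nothing unless Jellyfin's logs are shipped to it.

```shell
#!/bin/sh
# Brute-force detection over Jellyfin's log, the way a fail2ban jail does it.
# Added example for this thread, not from the original posts or from Jellyfin.
# The log lines are constructed in the shape of Jellyfin's denied-auth message;
# paths and thresholds are assumptions.
set -eu

# Constructed sample: five failures from one address, one from another, one
# non-matching line. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 ranges.
sample_log() {
  cat <<'EOF'
[2024-02-22 15:25:01.101 +00:00] [WRN] [28] Jellyfin.Api.Controllers.UserController: Authentication request for "alice" has been denied (IP: "203.0.113.7").
[2024-02-22 15:25:01.742 +00:00] [WRN] [28] Jellyfin.Api.Controllers.UserController: Authentication request for "alice" has been denied (IP: "203.0.113.7").
[2024-02-22 15:25:02.390 +00:00] [WRN] [31] Jellyfin.Api.Controllers.UserController: Authentication request for "admin" has been denied (IP: "203.0.113.7").
[2024-02-22 15:25:03.015 +00:00] [WRN] [31] Jellyfin.Api.Controllers.UserController: Authentication request for "bob" has been denied (IP: "198.51.100.4").
[2024-02-22 15:25:03.644 +00:00] [WRN] [28] Jellyfin.Api.Controllers.UserController: Authentication request for "admin" has been denied (IP: "203.0.113.7").
[2024-02-22 15:25:04.208 +00:00] [INF] [28] Jellyfin.Api.Controllers.UserController: Authentication request for "bob" has succeeded (IP: "192.168.1.20").
[2024-02-22 15:25:04.871 +00:00] [WRN] [31] Jellyfin.Api.Controllers.UserController: Authentication request for "root" has been denied (IP: "203.0.113.7").
EOF
}

# Pull the quoted IP out of each denied-auth line; this is the part fail2ban
# writes as <ADDR> in failregex. Behind a reverse proxy this is the proxy's
# address unless Jellyfin is told to trust the proxy's forwarded headers.
denied_ips() {
  sed -n 's/.*Authentication request for .* has been denied (IP: "\([^"]*\)").*/\1/p'
}

# Count failures per source and print the addresses at or above the threshold
# (fail2ban's maxretry). fail2ban additionally limits this to a findtime window.
ips_to_ban() {
  maxretry="$1"
  denied_ips | sort | uniq -c | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# The equivalent fail2ban pieces. Compare failregex with the filter in the
# Jellyfin docs; logpath depends on install type (Debian package shown, Docker
# keeps logs under its config directory).
render_fail2ban_filter() {
  cat <<'EOF'
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
ignoreregex =
EOF
}

render_fail2ban_jail() {
  cat <<'EOF'
[jellyfin]
enabled  = true
filter   = jellyfin
port     = 8096
logpath  = /var/log/jellyfin/log_*.log
maxretry = 5
findtime = 10m
bantime  = 1h
# fail2ban ships iptables-* and nftables-* ban actions; match your firewall.
banaction = nftables-multiport
EOF
}

main() {
  echo "# addresses a maxretry=5 jail would ban on the sample log:"
  sample_log | ips_to_ban 5
  echo; echo "# /etc/fail2ban/filter.d/jellyfin.conf"; render_fail2ban_filter
  echo; echo "# /etc/fail2ban/jail.d/jellyfin.local"; render_fail2ban_jail
}
main
```

On the sample, only 203.0.113.7 crosses the threshold of five; the single failure from 198.51.100.4 and the non-matching line are ignored. Hiding users from the login screen, as the post suggests, removes the username list that makes such guessing cheap in the first place; the counter above only limits how long it can go on.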
Jonasanas, Junior Member
#4, 2024-12-26, 11:06 AM (last modified 2024-12-27, 10:19 AM by Jonasanas)
If someone gets into your VPS, they could still use the WireGuard tunnel to poke around your home network. WireGuard's encryption is great for keeping data private, but it won't stop someone from brute-forcing stuff like Jellyfin if they find a weak spot. Personally, I'd rather beef up security on my home setup. Stuff like fail2ban, IP whitelisting, and geo-blocking does the job pretty well without adding the hassle of a VPS or dealing with extra latency. If you want a bit more control or separation for certain tasks, you could look into tools to manage your connections better, like Buy Private Proxy from LightningProxies.
TheDreadPirate, Community Moderator
#5, 2024-12-26, 05:42 PM (last modified 2024-12-26, 05:43 PM by TheDreadPirate)
    The level of access gained from a hypothetical exploit would determine what they can do afterwards. This is the reason that Jellyfin runs as its own user for direct Linux installs and our documentation recommends running a docker container as your user instead of as root. Because a hypothetical exploit in Jellyfin while it is running as root would grant an attacker significantly more access than an unprivileged user.

Even then, not all exploits would grant an attacker unfettered access to the system or resources on remote systems networked to it. Perhaps it would only give them access to the contents of memory; they can't write to disk to make their access persistent.

    Having said that, a random attacker is very very very unlikely to want to expend that kind of effort on someone's Jellyfin server and home network. If they have the skill to find and exploit a, probably, zero-day vulnerability they're going after someone they can actually get a big pay day from.