Hello peoples,

I am looking for tips on how to make my self-hosted setup as safe as possible.

Some background: I started self-hosting some services about a year ago, using an old Lenovo thin client. It’s plenty powerful for what I’m asking it to do, and it’s not too loud. Hardware-wise, I am not expecting to change things up any time soon.

I am not expecting anyone to take the time to baby me through the process, I will be more than happy with some links to good articles and the like. My main problem is that there’s so much information out there, I just don’t know where to start or what to trust.

Anyways, thank you for reading.

N

  • atzanteol@sh.itjust.works
    5 months ago

    Port Forwarding – as someone mentioned already, port forwarding raw internet traffic to a server is probably a bad idea based on the information given. Especially since it isn’t strictly necessary.

    I don’t mean to take issue with you specifically, but I see this stated in this community a lot.

    For newbies I can agree with the sentiment “generally” - but this community seems to have gotten into some weird cargo-cult style thinking about this. “Port forwarding” is not a bad idea end of discussion. It’s a bad idea to expose a service if you haven’t taken any security precautions for on a system that is not being maintained. But exposing a wireguard service on a system which you keep up-to-date is not inherently a bad thing. Bonus points if VPN is all it does and has restricted local accounts.

    In fact, of all the services homegamers talk about running in their homelab, WireGuard is one of the safest to expose to the internet. It has no “well-known port” so it’s difficult to scan for. It uses UDP which is also difficult to scan for. It has great community support so there will be security patches. It’s very difficult to configure in an insecure way (I can’t even think of how one can). And it requires public/private key auth rather than allowing user-generated passwords. They don’t even allow you to pick insecure encryption algorithms like other VPNs do. It’s a great choice for a home VPN.
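
The properties this comment leans on (one key per client, a listening port scanners are not already expecting) can be checked mechanically on the server's config file. This is an added example, not part of the thread and not WireGuard's own tooling; the sample config, the key placeholders, the function names, and the choice to flag port 51820 (the port most setup guides use) and peer ranges wider than one host are assumptions for a home setup where each peer key belongs to a single client.

```python
import ipaddress

# Constructed sample server config; key values are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]  # phone
PublicKey = <phone-public-key-placeholder>
AllowedIPs = 10.8.0.2/32

[Peer]  # laptop
PublicKey = <laptop-public-key-placeholder>
AllowedIPs = 10.8.0.0/24
"""

def parse_wg_conf(text):
    """Return [(section_name, {key: value})] in file order, comments stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_server_conf(text, tutorial_port=51820):
    """Advisory findings for a server config where each peer key is one client."""
    findings, peer_no = [], 0
    for name, opts in parse_wg_conf(text):
        if name == "interface":
            if opts.get("listenport") == str(tutorial_port):
                findings.append(f"interface: ListenPort {tutorial_port} is the port most guides use")
        elif name == "peer":
            peer_no += 1
            if not opts.get("publickey"):
                findings.append(f"peer {peer_no}: no PublicKey")
            cidrs = [c.strip() for c in opts.get("allowedips", "").split(",") if c.strip()]
            if not cidrs:
                findings.append(f"peer {peer_no}: no AllowedIPs")
            for cidr in cidrs:
                # A range wider than one host lets that key source traffic from every address in it.
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses != 1:
                    findings.append(f"peer {peer_no}: AllowedIPs {net} is wider than one host")
    return findings
```

A wider `AllowedIPs` is legitimate when a peer is a router for a whole remote network, so treat that finding as a prompt to confirm intent.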

    • genie@lemmy.world
      5 months ago

      You make a great point. I really shouldn’t contribute to the boogeyman-ification of port forwarding.

      I certainly agree there is nothing inherently wrong or dangerous with port forwarding in and of itself. It’s like saying a hammer is bad. Not true in the slightest! A newbie swinging it around like there’s no tomorrow might smack their fingers a few times, but that’s no fault of the hammer :)

      Port forwarding is a tool, and is great/necessary for many jobs. For my use case I love that WireGuard offers a great alternative that: completes my goal, forces the use of keys, and makes it easy to do so.

      • atzanteol@sh.itjust.works
        5 months ago

        Glad you didn’t take my comment as being “aggressive” since it certainly wasn’t meant to be. :-)

        WireGuard is a game-changer to me. Any other VPN I’ve tried to set up makes the user make too many decisions that require a fair amount of knowledge. Just by making good decisions on your behalf and simplifying the configuration they’ve done a great job of helping to secure the internet. An often overlooked piece of security is that “making it easier to do something the right way is good for security.”

        • genie@lemmy.world
          5 months ago

          Right!! Just like anything there’s a trade-off.

          Glad you phrased the well-intentioned (and fair) critique in a kind way! I love it when there’s good discourse around these topics.