this post was submitted on 16 Feb 2025
42 points (97.7% liked)

Selfhosted


Right now I have everything except WireGuard set up on my old Thinkpad. I'm planning on hosting a Minecraft server, Forgejo, Jellyfin, and fediverse instances. Before I expose everything to the open web I'd be grateful if someone could look my setup over and tell me if this is secure enough that I can just update containers when they need it and forget about security.

top 3 comments
[–] sxan@midwest.social 11 points 6 days ago

Nope! No security concerns!

But, seriously, if one machine in the Wireguard network is compromised, attacks can be launched on any other machine in that Wireguard subnet. At that point, whether you're running Wireguard or not is irrelevant.

For your specific setup, the weak point is the VPS. Everything is good, but if someone successfully breaks into an account on your VPS with access to the Wireguard device (and almost nobody goes through the effort of constraining network devices by account, and of course there's always root) they can launch attacks on any machine in the WG subnet.

It's a little better if you're running containers and they're secure, but even then there are security considerations with containers. Still, that's about the best you're going to get: anything listening to any external internet port is running in a container with no resource runtime, and those ideally each only have limited access to the ports in the WG subnet that they need. E.g., something like:

In your diagram, your VPS is just a gateway. If the only way to log into the VPS is over WG, and if the reverse proxy is running in a locked-down container, then this is about as secure as you can make it and still allow public access.

Or: if the only way your VPS is at all accessible is over WG -- all clients have to be connected to it via VPN -- then it's reasonably secure as long as no client is compromised. Then your remote devices become the weak points.
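The "limited access to the ports in the WG subnet that they need" advice above can be enforced on the home server itself, so that a compromised VPS can only reach the handful of service ports it proxies and nothing else (in particular not SSH) over the tunnel. The following is an added example written for this thread, not the commenter's or the original poster's configuration: an nftables input policy for the Thinkpad side of the WireGuard link. Interface names (`wg0`, `eth0`), the VPS tunnel address `10.8.0.1`, the LAN range, the WireGuard port 51820 and the service ports (3000 Forgejo, 8096 Jellyfin, 25565 Minecraft) are all assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example: nftables input policy for the home server (the Thinkpad) side of
# the WireGuard tunnel. All names, addresses and ports below are assumed/constructed.
WG_IF="${WG_IF:-wg0}"                   # assumed: WireGuard interface on the home server
VPS_WG_IP="${VPS_WG_IP:-10.8.0.1}"      # constructed: the VPS peer's address inside the tunnel
LAN_IF="${LAN_IF:-eth0}"                # assumed: home LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed: home LAN, the only network SSH is reachable from
WG_LISTEN_PORT="${WG_LISTEN_PORT:-51820}"  # assumed: only needed if this host is the WireGuard listener
# constructed service ports the VPS reverse proxy is allowed to reach: Forgejo, Jellyfin, Minecraft Java
SERVICE_TCP_PORTS="${SERVICE_TCP_PORTS:-3000, 8096, 25565}"

# Emit the complete ruleset as text so it can be reviewed before it is applied.
render_home_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Replies to connections this host opened, and loopback traffic
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept

    # ICMP/ICMPv6 for path MTU discovery and neighbour discovery
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # WireGuard itself, arriving on the LAN interface. Drop this rule if the
    # home server only dials out to the VPS; established,related then covers it.
    iifname "$LAN_IF" udp dport $WG_LISTEN_PORT accept

    # Over the tunnel: only the VPS peer, only the published service ports.
    # SSH (22) is deliberately absent here, so a compromised VPS cannot reach
    # this host's shell through the WireGuard link.
    iifname "$WG_IF" ip saddr $VPS_WG_IP tcp dport { $SERVICE_TCP_PORTS } accept

    # Administration only from the home LAN
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept

    # Everything else is logged and dropped (policy drop would do it silently)
    counter log prefix "home-drop: " drop
  }
  chain forward {
    # This host is not a router for anyone; nothing is forwarded.
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Apply for real only when asked; by default just print the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
  render_home_ruleset | nft -f -
else
  render_home_ruleset
fi
```

Run it with no arguments to inspect the generated ruleset, and with `--apply` (as root, once `nft` is installed) to load it. Pair this with a peer entry on the home side whose `AllowedIPs` is just the VPS tunnel address (`10.8.0.1/32` in this example): WireGuard's cryptokey routing drops any packet from that peer whose inner source address is outside `AllowedIPs`, so the `ip saddr` match above cannot be spoofed from the VPS. On the VPS itself the matching half is to bind `sshd` to the `wg0` address only and to publish nothing but the reverse proxy's ports to the internet.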

[–] 0x0@programming.dev 4 points 6 days ago

Which old Thinkpad handles all of that?

[–] sunstoned@lemmus.org 1 points 4 days ago

For that workload? I quite literally run more than that on a (le)potato