+-----------------+
| . local server |
+-.---------------+
< . >
< . >
< . >
< . >
< . >
+-.-----------------------+
| . serveo/localhost.run |
+-.-----------------------+
< . >
< . > +----------------------+
< . > | . raw data |
< . > | < . > encrypted data |
< . > +----------------------+
+-.----------+
| . clients |
+------------+
hellow,
i wanna host things (nextcloud, bin, syncthing) myself but im under cg nat so i cant do it the regular way. i have to tunnel my way out. the only concern is that, the raw data is readable by the ssh server (ie. serveo/localhost.run), but i dont anyone elses eyes on my data
sorry for my broken english.
edit:
- syncthing (solved): https://docs.syncthing.net/users/untrusted.html
- bin (solved): https://github.com/HemmeligOrg/Hemmelig.app?tab=readme-ov-file#features
- nextcloud: ???
please clarify me.
if i setup a vpn which provides encryption on my local server, can i go like this
+------------------+
| . local server |
+-< . >------------+
<< . >>
<< . >>
<< . >>
<< . >>
<< . >>
+-< . >----------------------+
| < . > serveo/localhost.run |
+-< . >----------------------+
<< . >>
<< . >> +-------------------------------------+
<< . >> | . raw data |
<< . >> | < . > vpn encrypted data |
<< . >> | << . >> vpn encrypted data over tls |
<< . >> +-------------------------------------+
+-< . >-------+
| . clients |
+-------------+
sorry i dont know how to express this in words
The short answer is: you can’t do this.
The long answer is: you need to go through the process of getting a server you own and have provisioned installed at some colocation/datacenter place. It will be expensive to buy the server, expensive to buy rack space, and you will need to go through significant background and security checks in order to be allowed by the company to do this.
If that sounds terrible, and it is, you can use an overlay network like nebula. It still requires that you have a “server” somewhere, but you can use a $10/yr vps to host that. Your “server” is, in nebula’s terminology, the “lighthouse” node. All it does is punch through nats so people who connect to your overlay vpn are able to see each other.
Your vps provider can still see your data on the lighthouse though, so don’t keep your root certificate on it and use unique credentials. Traffic doesn’t flow through the lighthouse, so you don’t need to worry about snooping, but it’s possible for the vps provider to add themselves to the trusted certificate and get on your vpn. So you have to have good security on your internal network.
thanks for both answers. the second option, one i cant afford.
i did some research, the first the answer is partilly correct ig. for example syncthing offers password protection (https://docs.syncthing.net/users/untrusted.html) and for the bin, it provides client side encryption (https://github.com/HemmeligOrg/Hemmelig.app?tab=readme-ov-file#features) which will protect me even over plain http connection ig. please correct me if im wrong
these are product specific feature, so generally, as you said, no is the answer ig. i wish nextcloud offers something like. thanks again