Hey guys,

Currently I'm just running Calibre and Nextcloud Docker containers over the web, with a DDNS from No-IP and a Cloudflare domain. But I also want to set up a Vaultwarden container too, so now I need to really consider the security of my server. What are the main things to watch out for? Calibre and Nextcloud are just using subdomains; is it okay to have a subdomain to connect to Vaultwarden? Am I better off just trusting Bitwarden and sticking with them?

Thanks!

  • gobbling871@lemmy.world · 1 year ago · +1 / −3

    I always see guys swearing by WireGuard for VPN access as a security measure, and it seems to me like if someone unauthorized gets your public key, they have access to the kingdom.

    • Scholars_Mate@lemmy.world · 1 year ago · +1

      It’s your private key, but yes, you would need to keep it secret just like you would an SSH key.

      The benefits of a VPN are that you don’t need to open ports up to the internet and rely on your individual services to be secure. Your VPN would authenticate users and ensure that the communication over the tunnel is encrypted (useful if you don’t want to set up SSL/https). They can also hide what services you are hosting or even hide the fact that you are even running a VPN.

      Private keys are going to be far more secure than passwords since you really can’t brute force them in the same way you can passwords. Getting ahold of someone’s private key is probably going to be far more difficult than guessing their password. Even if an attacker were to get ahold of your private key, they would still need to contend with the security of your service, e.g. logging into it, which would be no worse than not having a VPN.

      • gobbling871@lemmy.world · 1 year ago · +1

        You don’t get any network isolation with this approach vs a service running in its own dedicated virtual network. Just for this reason, I think WireGuard as a VPN access to other local services is insecure.

        • hungover_pilot@lemmy.world · 1 year ago · +3

          Just because you're using a VPN doesn’t mean you can’t isolate hosts to a separate network. I keep my services in a different VLAN and I can route/firewall traffic between that network and anywhere else as I please.
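To make the isolation hungover_pilot describes concrete, here is an added example (not posted by anyone in the thread) of a WireGuard server config plus an nftables forwarding policy that lets a VPN peer reach only the Vaultwarden host on the services VLAN and nothing else on the LAN. The subnets, interface names, host address and key placeholders are all assumptions; the script only writes the files to a staging directory, it does not install them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: wg0 tunnel = 10.8.0.0/24,
# services VLAN = 10.20.0.0/24 on interface vlan20, home LAN = 192.168.1.0/24.
# Keys and the Vaultwarden address are placeholders.
set -eu

WG_SUBNET="10.8.0.0/24"
VAULTWARDEN_HOST="10.20.0.10"   # placeholder: host running the Vaultwarden container

# Server-side config. AllowedIPs is also an ingress filter: a packet from this peer
# whose source is not 10.8.0.2 is dropped by WireGuard before any firewall rule runs.
wg_server_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32
EOF
}

# Forwarding policy: default drop. Tunnel traffic may only go to the Vaultwarden
# host on HTTPS; replies come back via conntrack state. Anything from wg0 towards
# 192.168.1.0/24 or other VLAN hosts never matches an accept and is counted, then dropped.
nft_ruleset() {
  cat <<EOF
table inet vpn_filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "wg0" oifname "vlan20" ip saddr $WG_SUBNET ip daddr $VAULTWARDEN_HOST tcp dport 443 accept
    iifname "wg0" counter drop
  }
}
EOF
}

# Stage the files instead of touching /etc so the script is safe to run anywhere.
stage_dir="${1:-${TMPDIR:-/tmp}/vpn-staging}"
mkdir -p "$stage_dir"
wg_server_conf > "$stage_dir/wg0.conf"
nft_ruleset > "$stage_dir/vpn_filter.nft"
echo "staged configs in $stage_dir"
```

After review, the staged files would go to /etc/wireguard/wg0.conf and be loaded with `nft -f`; a peer on the tunnel can then open the Vaultwarden subdomain but cannot reach the rest of the home network.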