I’m in the process of setting up homelab stuff and i’ve been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a vpn or cloudflare tunnel.
I plan to use a VPN for accessing my internal network from outside and to protect less battle tested foss software. But I feel like if I cant open a port to the internet to host a webserver then the internet is no longer a free place and we’re cooked.
So my question is, Can I expose webserver, SSH, WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watchout for.
You can. I recommend making sure you have logging in place so you know what’s going on. This could include not just service logs but firewall logs as well. You might want to rate limit the connection attempts for SSH and WireGuard and consider Fail2Ban or something similar.
Fail2ban is useless for a wireguard endpoint. Wireguard never sends a response unless there’s a valid signed handshake request. It’s basically a blackhole.