I’m in the process of setting up homelab stuff and I’ve been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a VPN or Cloudflare tunnel.

I plan to use a VPN for accessing my internal network from outside and to protect less battle-tested FOSS software. But I feel like if I can’t open a port to the internet to host a webserver then the internet is no longer a free place and we’re cooked.

So my question is: can I expose a webserver, SSH, and WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watch out for?

  • dethmetaljeff@lemmy.ml
    21 hours ago

    SSH is almost always a terrible idea to open on the internet. It’s just not worth the risk for the slight convenience. Web, VPN, etc… go for it. Just make sure you take appropriate precautions: fail2ban, GeoIP blocks, and keep your exposed software patched. Use something like hostedscan to make sure you don’t have any known vulnerabilities exposed to the internet or obvious misconfigurations.

    I additionally use CrowdSec on my webserver; it functions as a slightly more intelligent fail2ban. It rarely triggers but it’s a nice additional layer. My fail2ban triggers several times a day. I’ve got it following my default virtual host and banning anyone that hits it (if you don’t at a minimum know my external hostnames then you have no business accessing my ports).
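The default-virtual-host rule described in the comment above, modelled offline as an added example (not the commenter's fail2ban configuration): it flags clients whose Host header matches none of the served hostnames. The log format, hostnames, allowlisted ranges and sample lines are assumptions; the allowlist goes slightly beyond the comment, to avoid banning your own LAN or VPN clients.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the hostnames this server legitimately serves (placeholders).
KNOWN_HOSTS = {"example.org", "www.example.org"}
# Assumption: ranges that must never be banned (loopback, LAN, VPN).
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "::1/128")]
# Assumed access-log layout: client, Host header, [time], "request", status.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) \[[^\]]+\] "[^"]*" \d{3}')

# Constructed sample log lines (documentation address ranges only).
SAMPLE = [
    '203.0.113.5 example.org [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200',
    '198.51.100.7 203.0.113.10 [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 404',
    '198.51.100.7 - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.0" 400',
    '192.168.1.20 192.168.1.2 [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200',
    '2001:db8::1 WWW.Example.org:443 [01/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200',
    '2001:db8::2 _ [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 404',
]

def normalize_host(host):
    """Lower-case the Host value and drop any port or trailing dot."""
    host = host.lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0].rstrip(".")

def ban_candidates(lines, threshold=1):
    """Return sorted client IPs with >= threshold requests to an unknown Host."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                          # unparseable line: ignore it
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                          # client field is not an IP
        if any(ip in net for net in ALLOWLIST):
            continue                          # never ban trusted ranges
        if normalize_host(m["host"]) not in KNOWN_HOSTS:
            hits[str(ip)] += 1                # request landed on default vhost
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```

A client reaching the server by bare IP address, with a missing Host header, or with a hostname you do not serve is counted; a known hostname with a port or different letter case is not.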