This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    6 months ago

    If you’re worried about that, I can recommend a service like Tailscale which does not require permanently open ports to the outside world, offering quite a bit more security than an exposed traditional VPN server.

    • rmstyle@feddit.deOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Huh, never heard of it! from what I gathered from the website its a central VPN? Wouldn’t that be overkill for a homelab scenario? Thanks for your response!

  • TCB13@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    6 months ago

    Does creating a VPN into my home network using my router increase my attack surface?

    Yes, but it also provides the ability to access any resource in your network in a secure way.

    It is typically less safe to expose 3 or 4 different services you want remote access than a single VPN daemon that is actually designed for that specific scenario and has mitigations for common attacks built in.

    To make your setup secure you can consider a few steps:

    • Use Wireguard: don’t be afraid to expose the Wireguard port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won’t even know there’s something listening on that port / it will be invisible to typical IP scans / / will ignore any piece of traffic that isn’t properly encrypted with your keys;
    • Use a 5-digit port for your VPN - something like 23901 (up to 65535) will be way harder to find than typical ports like the default 51820 or 443;
    • Go full paranoid and use a firewall to restrict what countries or even days, hours access your server is allowed. Eg. only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). Be aware of what happens when you’re abroad;
    • Don’t port forward IPv6 if you don’t need it. Might be easier than dealing with a dual stack firewall and/or other complexities.

    In a side note: a VPN doesn’t mean full access to your network either. You can setup a VPN endpoint that only allows access to a few specified services running on specific machines instead of the entire network. This will give you extra security if you’re into that.

    • rmstyle@feddit.deOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Thank you for not only taking the time to answer but also adding quite useful resources. I will look into it!