

spacecowboy , to New Communities in Memery Alpha - Star Trek memes and shitposting

At this point we should just rename the fediverse the federation. Everybody just posts Star Trek memes all day anyways.

Kolanaki ,

Resistance is futile.

edgemaster72 , to New Communities in Memery Alpha - Star Trek memes and shitposting
thantik , (edited ) to Selfhosted in how to access nextcloud outside LAN?

I'm kinda weirded out by all the people suggesting a VPN here.

Like -- if you're hosting Nextcloud, Jellyfin, etc and you want friends/family to use it, having them VPN into shit is a hurdle that none of them are going to overcome.

You need to make sure you're not behind CGNAT first. If not, don't use Nextcloud on port 80; put it on another port, and then open that port to the outside world.

Just be aware, you REALLY want these things to be isolated from your home environment if you're going to host them, and you NEED to be on some sort of CVE notification list for the software you currently use. Not all CVEs are "YOU MUST UPGRADE NOW", but some of them can be pretty severe.

I've set up fail2ban on my isolated network, and it does a pretty good job of banning any IPs that are probing for things. So much so that I've accidentally locked myself out of my own network a few times, lol

IF you ARE behind a CGNAT - what you'll want to do is likely rent the cheapest VPS you can find, and then set up a VPN not on the VPS, but on your home network, and have the VPS be your public entry point to the network, as it will have a public facing IP and can mask your home IP address. -- https://github.com/fractalnetworksco/selfhosted-gateway

Edit: THEN - once you've accomplished all that, you'll probably want to buy a domain name, and reverse-proxy subdomains to forward to the services on specific ports.
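thantik's fail2ban point, as an added example that is not from any poster in the thread: the counting that fail2ban does, run over constructed nginx access-log lines from a reverse proxy in front of Nextcloud, with an allow list so your own LAN never gets banned (the "locked myself out" case above). The log lines, addresses, the threshold and the prefixes in the allow list are all assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the counting fail2ban does, run over constructed
# nginx access-log lines from a reverse proxy in front of Nextcloud. Addresses are from
# documentation ranges; the log format is nginx "combined". Nothing here is a real capture.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [19/Jan/2024:22:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jan/2024:22:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jan/2024:22:01:05 +0000] "POST /login HTTP/1.1" 401 1034 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jan/2024:22:01:06 +0000] "POST /login HTTP/1.1" 401 1034 "-" "python-requests/2.31"
198.51.100.23 - - [19/Jan/2024:22:03:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jan/2024:22:03:11 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.168.1.20 - - [19/Jan/2024:22:05:00 +0000] "POST /login HTTP/1.1" 401 1034 "-" "Mozilla/5.0"
192.168.1.20 - - [19/Jan/2024:22:05:07 +0000] "POST /login HTTP/1.1" 401 1034 "-" "Mozilla/5.0"
192.168.1.20 - - [19/Jan/2024:22:05:15 +0000] "POST /login HTTP/1.1" 401 1034 "-" "Mozilla/5.0"
192.168.1.20 - - [19/Jan/2024:22:05:21 +0000] "POST /login HTTP/1.1" 401 1034 "-" "Mozilla/5.0"
192.168.1.20 - - [19/Jan/2024:22:05:30 +0000] "POST /login HTTP/1.1" 401 1034 "-" "Mozilla/5.0"
203.0.113.50 - - [19/Jan/2024:22:06:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
EOF

# probing_ips LOGFILE THRESHOLD ALLOWLIST -> "count ip" for every client with at least
# THRESHOLD probe-like responses (401/403/404), most active first. ALLOWLIST is a
# space-separated list of address prefixes that are never reported, which is what
# fail2ban's ignoreip does: put your LAN and your own public address there, or a typo
# in your own password bans you from your own server.
probing_ips() {
    awk -v thr="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " ") }
        $9 ~ /^(401|403|404)$/ {
            for (i = 1; i <= n; i++) if (index($1, a[i]) == 1) next
            hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= thr) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Demo: three misses from one client is a typical fail2ban maxretry; the LAN prefix is allowed.
probing_ips "$LOG" 3 "192.168. 10."
```

In fail2ban's `jail.local` the same three knobs are `maxretry`, `findtime` (the window, which the example above ignores) and `ignoreip`. The stock `nginx-http-auth` filter watches nginx's error log for HTTP basic auth failures, not Nextcloud logins; Nextcloud records failed logins in its own `nextcloud.log`, which is what a Nextcloud-specific filter usually watches.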

Mugmoor ,

A cheaper, albeit less secure alternative, is purchasing a domain and setting up a Cloudflare tunnel.

h3ndrik , (edited )

I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can't directly see your IP but just the one from the tunnel. But that doesn't matter if it's only for you and your friends. Might be a concern though if you're a big live-streamer and fear people DDoSing you. But then there are better alternatives (for example, paying $8 a month for a small VPS). So I think a tunnel makes perfect sense if you can't get the port forward running. It just doesn't add anything to security.

Cloudflare might be a different deal though. They include DDoS protection and filter some attacks. I don't like cloudflare so I don't really know the specifics. I think it's bad for the internet that a good share of the overall traffic is tunneled over a single company's servers. And I myself don't need a middleman in my own services. But they certainly must have something to offer or they wouldn't be as popular as they are...

vividspecter ,

having them VPN into shit is a hurdle that none of them are going to overcome.

If you have a lot of people connecting, then that's fair. But setting up a VPN for one or two households isn't hard. Even easier if you use Tailscale (apparently, never tried it myself).

h3ndrik , (edited ) to Selfhosted in how to access nextcloud outside LAN?

How have you tested this? You need to use the external IP address of your router (public IP) to open it. And you need to test that from another internet connection. Also make sure the browser is actually trying to open an HTTP connection to port 80. Some modern browsers/add-ons prefer HTTPS on port 443 instead, and that wouldn't be reachable. Does a ping work? What's the exact error message? The port forward could be wrong. It needs to be port 80 (TCP) towards the internal device where Nextcloud runs, to the port where it runs on that machine (could be 80, too). It could also be blocked by your provider, or your specific provider doesn't allow port forwards. Or you ran into issues with the shift to IPv6 addresses. Maybe your provider has some strange setup. Try whether you can ping your router from outside first. And try the canyouseeme.org mentioned in the other comment. That's good advice.

milkytoast OP ,

10.x.x.x IS an external address, yes? How do I check?

h3ndrik , (edited )

Sorry, 10.x.x.x is a private IP address range. That can't be reached from the internet.

Maybe try one of the services that display your IP like https://www.showmyip.com/ or the one mentioned earlier: canyouseeme.org , that one also shows your IP.

I have little info to work on. There are many different providers around the world with very different setups. Some are suitable for port forwarding, some aren't. (You could sit behind a Carrier Grade NAT, which makes port forward difficult to impossible.) But you need to figure out your IP first.

All I can say, I run something like you describe... Nextcloud, a reverse proxy and a few other services. I did some port forwards, got a domain that points to my IP and it works fine.

Edit: I use YunoHost on my computer. It's a Linux distribution for selfhosting. I think it's a good choice to get your feet warm or if you want a low maintenance setup. It includes Nextcloud and many other services.

But you have to figure out how to access your computer from outside. Either you get your IP and the port forward running, or you have to use a service like pagekite.net or you get a VPN running like almost everyone else here wants to convince you to use. I don't think a VPN is a good idea except if you only want to use it by yourself and not use all the collaborative features of nextcloud.
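thantik's "make sure you're not behind CGNAT first" and h3ndrik's "10.x.x.x is a private range" come down to the same check, so here is one added example (not written by any poster) that does it offline: classify the address your router shows on its WAN/status page and compare it with what canyouseeme.org or showmyip.com reports from outside. The addresses in the demo are constructed from documentation ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a plain port forward can even work.
# classify_ip ADDRESS -> prints private | cgnat | loopback | link-local | public | invalid
# Ranges: RFC 1918 private (10/8, 172.16/12, 192.168/16), RFC 6598 CGNAT (100.64/10),
# loopback 127/8, link-local 169.254/16. Pure POSIX sh, no network access needed.
classify_ip() {
    addr=$1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;   # only dotted quads get further
    esac
    IFS=.; set -- $addr; unset IFS                      # split into octets
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if   [ "$a" -eq 10 ];                                         then echo private
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ];  then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ];                    then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" -eq 127 ];                                        then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ];                    then echo link-local
    else echo public
    fi
}

# can_port_forward WAN_IP PUBLIC_IP -> prints a verdict; exit 0 only when a plain forward can work.
# WAN_IP is what the router's status page shows on its WAN/Internet side;
# PUBLIC_IP is what an external service (canyouseeme.org, showmyip.com) reports.
can_port_forward() {
    wan_class=$(classify_ip "$1") || { echo "invalid WAN address: $1"; return 2; }
    pub_class=$(classify_ip "$2") || { echo "invalid public address: $2"; return 2; }
    case $wan_class in
        cgnat)
            echo "behind CGNAT (RFC 6598): a forward on your router is never reachable from the internet; use a VPS/VPN gateway or a tunnel"
            return 1 ;;
        private|loopback|link-local)
            echo "router WAN side is $wan_class: another NAT sits upstream (ISP box or CGNAT); forward there too, or use a gateway"
            return 1 ;;
    esac
    [ "$pub_class" = public ] || { echo "external service reported a non-public address ($2): check the source"; return 2; }
    if [ "$1" != "$2" ]; then
        echo "WAN address $1 differs from observed public address $2: double NAT or a proxy in the path"
        return 1
    fi
    echo "router holds the public address $1: a port forward can work"
}

# Demo with constructed addresses (documentation ranges, not real measurements).
for pair in "100.72.3.9 203.0.113.10" "10.0.0.2 203.0.113.10" "203.0.113.10 203.0.113.10"; do
    set -- $pair
    printf '%-14s %-14s ' "$1" "$2"; can_port_forward "$1" "$2" || true
done
```

The WAN address on the router page is the one that matters: a 10.x, 172.16-31.x or 192.168.x address there means another NAT is in front of you, and anything in 100.64.0.0/10 is the carrier-grade NAT range, where no forwarding on your own router helps and the VPS gateway or tunnel options from the other replies are the way out.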

vegetaaaaaaa ,
thecrotch , to Selfhosted in how to access nextcloud outside LAN?

Absolutely do not expose your server on port 80. HTTP is unencrypted; you'd be sending your login credentials in plaintext across the open internet. That is Very Bad™. If you own a domain name, you can set up a Let's Encrypt cert fairly easily for free. Then you could expose 443 and at least your traffic will be encrypted in transit. It won't solve the other potential issues of exposing your instance, like brute force or DDoS attacks, but I'd consider it a bare minimum.

If you use a VPN like many others are suggesting it won't matter as much because the unencrypted traffic never leaves your local network.

peeteer ,

As a side note: you do not technically need a domain or a Let's Encrypt certificate to enable HTTPS. As a test, you can create your own certificate and use that for HTTPS (a snake-oil certificate).

This is not appropriate for longer-term usage.
If you want to run websites on the Internet long-term, you should buy a domain and get a Let's Encrypt certificate.

thecrotch ,

Technically true but I wouldn't suggest using a self signed cert on the internet under any circumstances.
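The exchange above (thecrotch: only ever expose 443; peeteer: a self-signed cert is fine for a first test) and thantik's "reverse-proxy subdomains to the services" edit, as one added example that is not from any poster: generate the snake-oil certificate, then write the nginx vhost that redirects 80 to 443 and terminates TLS in front of Nextcloud. The hostname nextcloud.example.net, the upstream 127.0.0.1:8080, the output directory and the function names are assumptions for the demo; `openssl` 1.1.1 or newer is required for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread, not nginx's or Nextcloud's documentation): a self-signed
# certificate for a first test plus the nginx reverse-proxy vhost so that only 443 is exposed.
TLS_OUT=${TLS_OUT:-./tls-demo}               # where key, cert and vhost are written (assumption)
TLS_HOST=${TLS_HOST:-nextcloud.example.net}  # hostname visitors type; must match the cert (assumption)
UPSTREAM=${UPSTREAM:-127.0.0.1:8080}         # where Nextcloud itself listens, reachable only by the proxy (assumption)

# make_selfsigned -> writes $TLS_OUT/key.pem and $TLS_OUT/cert.pem
# Short-lived on purpose: browsers warn on it and the Nextcloud apps refuse it, so it only
# proves that TLS termination works. Swap in a Let's Encrypt cert before anyone else uses it.
make_selfsigned() {
    mkdir -p "$TLS_OUT"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$TLS_HOST" -addext "subjectAltName=DNS:$TLS_HOST" \
        -keyout "$TLS_OUT/key.pem" -out "$TLS_OUT/cert.pem" 2>/dev/null || return 1
    chmod 600 "$TLS_OUT/key.pem"             # the private key is the secret; the cert is public
}

# cert_san CERT -> prints the DNS names the certificate is valid for, one per line
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# write_nginx_conf -> writes $TLS_OUT/nextcloud.conf (copy into nginx's conf.d and reload)
write_nginx_conf() {
    cat > "$TLS_OUT/nextcloud.conf" <<EOF
# Port 80 only redirects; no credential ever travels over it.
server {
    listen 80;
    server_name $TLS_HOST;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $TLS_HOST;

    ssl_certificate     $TLS_OUT/cert.pem;
    ssl_certificate_key $TLS_OUT/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers never to try plain HTTP again for this host.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    client_max_body_size 512M;   # Nextcloud uploads pass through the proxy

    location / {
        proxy_pass http://$UPSTREAM;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Demo: generate everything and show which names the certificate covers.
make_selfsigned && write_nginx_conf && cert_san "$TLS_OUT/cert.pem"
```

Because TLS ends at the proxy, Nextcloud itself only sees plain HTTP from 127.0.0.1; it needs `'overwriteprotocol' => 'https'` and the proxy's address in `'trusted_proxies'` in its `config.php`, otherwise it generates http:// links. For the real certificate, point the `ssl_certificate` lines at the Let's Encrypt files instead of the self-signed pair; the rest of the vhost stays the same.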

vegetaaaaaaa ,
Decronym Bot , (edited ) to Selfhosted in how to access nextcloud outside LAN?

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
IP Internet Protocol
NAT Network Address Translation
TCP Transmission Control Protocol, most often over IP
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

6 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread for this sub, first seen 19th Jan 2024, 23:25]

thantik ,

You missed CVE -- Common Vulnerabilities and Exposures

Starbuck , to Selfhosted in how to access nextcloud outside LAN?

Please set up Tailscale or a Wireguard VPN before you start forwarding ports on your router.

Your configuration as you have described it so far is setting yourself up for a world of hurt, in that you are going to be a target for hackers from literally the entire world.

thecrotch ,

before you start forwarding ports on your router

Don't you mean instead of? If all the OP wants to do is access next cloud, they can do it over the VPN without forwarding ports. What you're suggesting doesn't solve the problem of port 80 being an attack vector, and adds yet another attack vector (the VPN itself)

Starbuck ,

Realistically, yes. But it’s a phrase and it’s important that they start doing that first. Maybe it’s their intention to do it publicly.

Also, sure, but a Wireguard installation is going to be much more secure than a Nextcloud that you aren’t sure if it’s configured correctly. And Tailscale doubly so.

thecrotch ,

Wireguard installation is going to be much more secure than a Nextcloud

I understand that, and it's a good suggestion and a better solution if it fits the OPs use case. I don't understand suggesting they do both. Either VPN or port forwarding solve the problem, doing both seems unnecessary.

rambos , to Selfhosted in how to access nextcloud outside LAN?

AFAIK Nextcloud runs only on HTTPS, so 443 would be more suitable.
I use WireGuard tho.

BearOfaTime , (edited ) to Selfhosted in how to access nextcloud outside LAN?

Tailscale.

You can run clients on all your devices. Or if you want easier access, use the Funnel feature.

Tailscale Funnel lets you expose a local service, file, or directory to the entire internet, using what is effectively a VPN, except they don't have to use a VPN (TS hosts an endpoint they connect to, then encrypt that traffic into your Tailscale network).

https://tailscale.dev/blog/funnel-serve-demo

uzay , to Selfhosted in how to access nextcloud outside LAN?

To be honest, I would advise against opening your home network like that at all. A VPN would be much safer. If you use something like Tailscale it would be much easier as well and doesn't need opening any ports at all.

nodsocket , to Selfhosted in how to access nextcloud outside LAN?

If you want to be very secure, host a VPN and don't open any ports besides the VPN port. Then access anything as though you're on LAN.
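nodsocket's "open nothing but the VPN port" and Starbuck's WireGuard suggestion, as one added example that is not from any poster: the two wg-quick configs, written from parameters after checking that the keys at least have the shape of WireGuard keys, with a split tunnel on the client so only home-LAN traffic goes through the VPN. The placeholder keys, the LAN 192.168.1.0/24, the tunnel range 10.8.0.0/24, the name vpn.example.net, the interface eth0 and the function names are all assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): generate the server and client configs for
# "forward one UDP port, reach the LAN as if you were at home". Real keys come from
# `wg genkey | tee private.key | wg pubkey` on each side; placeholders here are NOT keys.

# placeholder_key LABEL -> a 44-character string shaped like a key, for the demo only
placeholder_key() {
    s=$1
    while [ ${#s} -lt 43 ]; do s="${s}0"; done
    printf '%s=' "$s"
}

# wg_key_ok KEY -> 0 if KEY looks like a WireGuard key: base64 of 32 bytes, i.e. 44 chars
# ending in exactly one '='. Catches a pasted-in public key where a private one belongs
# only in the sense of shape; it cannot tell the two apart, so label your files.
wg_key_ok() {
    case $1 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ ${#1} -eq 44 ] && [ "${1%=}" != "$1" ] && [ "${1%==}" = "$1" ]
}

# wg_server_conf SERVER_PRIV CLIENT_PUB -> wg0.conf for the box at home (assumed 192.168.1.10).
# The router forwards UDP 51820 to it; that is the only port open to the internet.
wg_server_conf() {
    wg_key_ok "$1" && wg_key_ok "$2" || { echo "bad key shape" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $1
# Let tunnel clients reach the LAN; the box also needs net.ipv4.ip_forward=1.
PostUp   = iptables -A FORWARD -i %i -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# phone / laptop; one [Peer] block per device, each with its own key pair
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# wg_client_conf CLIENT_PRIV SERVER_PUB -> config for the phone/laptop.
wg_client_conf() {
    wg_key_ok "$1" && wg_key_ok "$2" || { echo "bad key shape" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 10.8.0.2/32
PrivateKey = $1
DNS = 192.168.1.1

[Peer]
PublicKey = $2
Endpoint = vpn.example.net:51820
# Split tunnel: only the home LAN and the tunnel itself are routed through WireGuard,
# so Nextcloud is reached at its LAN address and everything else uses the normal connection.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping open so the server can still send to a client behind NAT.
PersistentKeepalive = 25
EOF
}

# Demo: both configs with placeholder keys.
SRV_PRIV=$(placeholder_key PLACEHOLDERSERVERPRIVATE); SRV_PUB=$(placeholder_key PLACEHOLDERSERVERPUBLIC)
CLI_PRIV=$(placeholder_key PLACEHOLDERCLIENTPRIVATE); CLI_PUB=$(placeholder_key PLACEHOLDERCLIENTPUBLIC)
echo '### wg0.conf on the home server'; wg_server_conf "$SRV_PRIV" "$CLI_PUB"
echo '### wg0.conf on the phone/laptop'; wg_client_conf "$CLI_PRIV" "$SRV_PUB"
```

The client's `AllowedIPs` is the whole point of "access anything as though you're on LAN": with the LAN prefix there, the phone reaches Nextcloud at its 192.168.1.x address while the rest of its traffic never touches home. Setting it to `0.0.0.0/0` instead routes everything through the house, which is a different trade-off (privacy on hotel Wi-Fi, at the cost of your home uplink).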

Rentlar , to Selfhosted in how to access nextcloud outside LAN?

I've not set up Nextcloud myself, so a basic question first: have you already tried canyouseeme.org to check for the running service on that port?

If the service is not available, then either your server or the router isn't configured correctly. If it is, then the problem is in the software.

Telodzrum , to Selfhosted in vpn on nextcloud?

This is all going to depend on your risk tolerance, overall attack surface, and network topology.

milkytoast OP ,

What's attack surface and network topology?

SGG ,

In very basic terms, and why you want to do them:

Attack surface is the ports and services you are exposing to the internet. Keep this as small as possible to reduce the ways your setup can be attacked.

Network topology is the layout of your home network. Do you have multiple VLANs/subnets, or firewalls that restrict traffic between internal networks? A DMZ is probably a simple enough approach that is available on some home-grade routers. This is so that if your server gets breached, it minimises the amount of damage that can be done to other devices in the network.

BearOfaTime ,

If you don't understand these terms, you probably shouldn't be exposing any kind of port on your router. Seriously, not being snarky.

I used to teach multiple levels of Cisco classes, and I wouldn't expose a port these days, I don't know enough.

Instead, I'd recommend using Tailscale on a home machine and your mobile devices.

Using Tailscale, you can also selectively expose a service to the wider world (not just devices running Tailscale), using the Funnel feature.

I'd say it's your safest intro to accessing self-hosted resources from just about anywhere.

Edit: a couple years ago I opened a port helping a friend test something, I forget what. Within hours I was getting hammered with thousands of requests per hour, people trying to break in.

I wasn't worried because of the security we had, but it was annoying, and potentially a massive risk.

milkytoast OP ,

I would need to open a port even if I were to use a domain name, correct? Would hiding the IP behind a reverse proxy be enough? Is Nextcloud's brute force protection not enough?

BearOfaTime ,

A reverse proxy helps, a LOT, like practically eliminating the issue because authentication happens at the proxy, not your port. I've never set one up, but I think your local system makes an outbound connection to the proxy, creating the tunnel. In this way no one ever knows what they're really connecting to - the proxy appears to be the endpoint.

Which is essentially what Tailscale Funnel does - they expose an interface, then encrypt a tunnel between your Tailscale network and that "proxy".

Same concept, just all rolled in to one thing, a check box and a little config info. TS Funnel will create the url to access your service. I suppose you could create another domain/url and have it redirect (or use a link shortener) to make it easier to share. I think by default it uses your Tailscale network name as the domain, and adds to it to define the service.

https://tailscale.dev/blog/funnel-serve-demo

milkytoast OP ,

first I have to find out if my ISP will even let me open a port lol

thanks tho :)

BearOfaTime ,

When you do something like Reverse Proxy or Tailscale, your devices make an outbound connection to the Reverse proxy (or with Tailscale it goes to their auth/directory service) using UPnP.

UPnP is standard protocol these days, and how pretty much any communication or gaming app works. The port opening is performed dynamically by the router, the port number is different every time an outbound connection is made, and it's ephemeral (both in the range and that the port closes after the session is complete). This isn't something that's typically blocked or disabled, as it would break all sorts of things.

https://en.m.wikipedia.org/wiki/Universal_Plug_and_Play

I may have misstated exactly how it works - I studied it when it was released, it became ubiquitous and always works, so I haven't stayed current or reread anything for a while. It just works (and man has it saved me a ton of manual port config).

MaggiWuerze ,

The fact that I have to enable it on a device-by-device basis on my router speaks to the opposite. You shouldn't let some app open random ports on your router, and you haven't needed to do so for years.

MaggiWuerze ,

Where do you live and whats your router?

milkytoast OP ,

Illinois, USA, the one xfinity gave me

MaggiWuerze ,
milkytoast OP ,

ugh so I gotta use the app? ew

MaggiWuerze ,

Does the thing not have a web interface? Usually 192.168.178.1 should get you there

milkytoast OP ,

Yeah, it does; couldn't log in tho, idk. Maybe I messed up the user or something.

I'll try some stuff when i get home

Tenkard , to Self Hosted - Self-hosting your services. in vpn on nextcloud?

It's an extra layer of security. Your Nextcloud instance won't be reachable by anybody who isn't on your VPN. If a bug which allows unauthorized access gets discovered, you will be protected; if they steal your Nextcloud credentials, you will be protected; but if you're on a device without the VPN, you won't be able to access Nextcloud.
As for the domain, you can buy a random .xyz for a couple of bucks per year, so just do it.

ProperlyProperTea , to Self Hosted - Self-hosting your services. in vpn on nextcloud?

Sure, you can use a VPN if you want to spin up the instance and connect to it without having a domain. You can always open the instance of Nextcloud to the internet later, when you buy a domain.

Get a cheap .XYZ domain if you just want to experiment with spinning up a reverse proxy.

milkytoast OP ,

Honestly, a .com was just about the same as anything else, I think. Could be wrong tho, idk.
