How do you port forward safely?

Hello everyone. Sorry, I’m pretty new to self server hosting, but I have a spare PC to use as a dedicated server PC, which, of course, is going to have Nextcloud. I haven’t installed anything and am still researching all of the rules and limitations to this, but by my understanding I have to enable port forwarding in my WiFi router’s settings if I want to access my Nextcloud outside of my home internet, and I wanted to ask you guys if you could further explain how port forwarding works and how to do it safely.

I get that it’s basically opening a 2-way door from your home network to the public internet where anyone can cross it, but is there not a way to like “white-list” it so that only I and my devices are allowed to cross it? If the cons outweigh the pros, then I’d rather just have Nextcloud as a home NAS service.

Any input is appreciated. Thank you in advance!

Ways to white-list your devices are fallible. If you really want to do it, I would connect your Nextcloud server to a VPN service that your devices can also talk to. The authentication to connect to the VPN should keep it safe.

However, I’m not sure which VPN retail services offer this, instead of one-device-per-network for the more common uses of secure browsing and country-shifting, because I work in IT and have servers I can use to host temporary VPNs as needed.

Port forwarding will never be 100% safe. IMO the safest way is to use a Cloudflare tunnel, but then you have to be okay with the privacy implications, as Cloudflare can see all your traffic then.

Also install the ufw firewall and allow only outgoing connections and you should be fine.

You could set up a VPN on your router and dial in to use it on the local LAN via the VPN. Secure the VPN with SSL. That would do the job. But tbh I have no problem at all leaving 443 open and only secured by the login. You can install the brute force app which guards against that. And I don’t store my bank details on my Nextcloud. Even if it did get hacked, it’s got my work and all my photos and random notes; there will be nothing of any value to them. All of it is backed up on separate hardware. If you are port forwarding for the first time, you should put your seatbelt on lol, installing the app is just the beginning. It took me months to get it running properly. Although I’m no expert, I had to learn all of it from tutorials and forums. Good luck!

I’m a network security technician, and can say you are getting confused advice.

There are only two ways that are feasible for your project.

  1. VPN (no, not a VPN provider), but hosting a VPN server on your own network. If you’re familiar with Docker, there are tons of containers that serve as a VPN. What you want to avoid is port forwarding Nextcloud directly on your router/firewall, because you’ll be subject to the security of Nextcloud. VPNs are very, very hard to breach.

  2. Port forward anyway and disregard #1. Two things here. Pick a port that is nonstandard. So if Nextcloud runs on port 443, then forward it to something like port 65433. Why? Because we can see that high-range ports are more rarely scanned than low-range ones (1-1023). Your port forward should (ideally) only allow the IP of your device. It’s hard/impossible to get a fixed IP on mobile devices, due to carrier-grade NAT’ing. So this is where you could use an external VPN provider, because they usually give you a fixed IP/range. This IP/range should be allowed in your port forwarding rule. And not ANY SOURCE.

If you can, go with #1. Else #2. Don’t just port-forward. As soon as there is a zero-day vulnerability in Nextcloud, you can bet all your files will be encrypted by some ransomware attack.

And always keep a “weekly” backup of your files. Why weekly? Because if your files are encrypted, and your backup runs, then it backs up the corrupted files. There are many things to unpack about the backup, but this was just one way. The best way is a compressed full backup every day, with a 7-day rotation.
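The daily compressed full backup with a 7-day rotation described above, as an added shell example (my own, not from the thread). It keeps one archive per weekday, so each run overwrites only the copy from exactly a week ago and six earlier days survive if today’s data is already ransomware-encrypted; the new archive replaces the old one only after it has been read back successfully. Paths and the weekday override are placeholders for testing.

```shell
# Added example, not from the thread: compressed full backup every day, 7-day
# rotation by weekday. Last week's copy is replaced only once today's archive
# has been verified readable, so a failed run never destroys the older copy.
backup_nextcloud() {
    src=$1                    # Nextcloud data directory (placeholder)
    dst=$2                    # backup location, ideally separate hardware
    day=${3:-$(date +%u)}     # 1=Mon .. 7=Sun; third arg overrides for testing
    archive="$dst/nextcloud-day$day.tar.gz"
    mkdir -p "$dst" || return 1
    # Write to a temp name first so an interrupted run leaves the old copy intact
    tar -czf "$archive.tmp" -C "$src" . || { rm -f "$archive.tmp"; return 1; }
    # Read the whole archive back; a truncated or corrupt file fails here
    tar -tzf "$archive.tmp" > /dev/null || { rm -f "$archive.tmp"; return 1; }
    mv "$archive.tmp" "$archive" || return 1
    printf '%s\n' "$archive"   # path of the archive written today
}
```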

It is quite easy to set up a WireGuard VPN server under Docker. If you have already been using Docker to run your Nextcloud, setting up an additional Docker container for the WireGuard VPN server is a piece of cake.

Other measures such as enabling 2FA in Nextcloud will help a bit. If you are running your own firewall, you may also consider using geo-IP blocking.

Background: all data over the network/internet is in the form of “packets”. These packets have a source and destination IP.

What you will want to do is set up a static DHCP reservation based on your PC’s MAC address. You will make this DHCP reservation on your router. That way, if your PC ever disconnects from the internet (reboots, internet outage, etc.), when it reconnects it will be assigned the same static private IP. Let’s say you have assigned 192.168.0.20 to your PC. If this PC is running Nextcloud on port 80, you will then add a port forwarding rule on your router to forward inbound port 80 traffic to 192.168.0.2:80.

There are a couple of ways to make this secure. You could/should add a user to your Nextcloud so only you can log in via username/password.

If I were you I would first set up a WireGuard server on the PC. Add a port forwarding rule to forward port 51820 (the WireGuard port) to the PC (192.168.0.20:51820). In the WireGuard config file on the client side, your AllowedIPs would include your home network (i.e., 192.168.0.0/24). Then, you put a client WG config file on your laptop/phone so you can securely connect to your home network VPN. From there you can securely (encrypted traffic) access your home network (i.e., Nextcloud, printers, router, etc.). WireGuard is lightweight and super easy to configure. More than happy to send links and assist you through the process.
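The WireGuard setup described above, as an added example (my own, not from the thread or the Nextcloud project): a shell function that writes the server and client configs, with the client’s AllowedIPs covering the home LAN, plus the ufw rules for the server so that only UDP 51820 is reachable from the internet while Nextcloud’s HTTPS answers only the LAN and the tunnel. Assumptions: the server’s LAN interface is eth0, the tunnel subnet is 10.8.0.0/24, the keys and public endpoint are placeholders passed in as arguments, and the configs are written to a directory of your choice rather than /etc/wireguard.

```shell
# Added example, not from the thread. Writes the two WireGuard configs for the
# setup above: PC at 192.168.0.20 runs the server on UDP 51820 (the only port
# forwarded on the router); the phone/laptop reaches the LAN through the tunnel.
# Assumptions: LAN interface eth0, tunnel subnet 10.8.0.0/24, placeholder keys.
write_wg_configs() {
    outdir=$1; server_priv=$2; client_pub=$3
    client_priv=$4; server_pub=$5; endpoint=$6   # endpoint: DDNS name or public IP
    cat > "$outdir/wg0-server.conf" <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $server_priv
# Needs net.ipv4.ip_forward=1. Masquerade so LAN hosts answer via this PC.
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# One peer per device; only its own tunnel address is accepted as a source
PublicKey = $client_pub
AllowedIPs = 10.8.0.2/32
EOF
    cat > "$outdir/wg0-client.conf" <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $client_priv

[Peer]
PublicKey = $server_pub
Endpoint = $endpoint:51820
# Split tunnel: only home-LAN and tunnel traffic goes through the VPN
AllowedIPs = 192.168.0.0/24, 10.8.0.0/24
PersistentKeepalive = 25
EOF
}

# Host firewall on the server (run as root). Nothing but WireGuard is reachable
# from the internet; Nextcloud's HTTPS answers only the LAN and the tunnel, and
# VPN clients are allowed to be routed onward into the LAN.
harden_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 51820/udp
    ufw allow from 192.168.0.0/24 to any port 443 proto tcp
    ufw allow from 10.8.0.0/24 to any port 443 proto tcp
    ufw route allow in on wg0 out on eth0
    ufw --force enable
}
```

Generate the real key pairs with `wg genkey | tee privatekey | wg pubkey > publickey` on each side and install the server config as /etc/wireguard/wg0.conf before running `wg-quick up wg0`.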

Use RDP port open and use DUO to protect it? DUO is free for I think 10 users at least

Fancy. I’ll look into that. I’m already paying for Mullvad as a VPN service, so maybe that could be used for this??? Wow, I’ve really only scratched the surface of what servers and VPNs do.

Another option is Tailscale. Tailscale only does authentication; the traffic goes encrypted from node to node. Pretty neat!!

You could also use Netmaker, NetBird or a VPN.

I2P might even be an option if you’re feeling brave.

Using a nonstandard port does not significantly improve security. With a small botnet or probably other ways it only takes minutes to scan the IPv4 range, so scanning for unusual ports isn’t too much of an effort.

With IPv6 that’s not as bad, but there you should be fine with the IP alone. And if a domain points to the IP it will get scanned eventually, regardless of the port.

Also, you should not expose a server to the internet if the server is not secure, regardless of the port. Nextcloud is generally secure enough to be accessible through the web, if you don’t mess up by exposing the wrong ports (database) and your passwords are good.

Connecting through a VPN is the most secure, but also the least usable because of the effort, and you can’t share files with your friends if they aren’t in your network.

I don’t think you can use it for that, since it’s designed for you to connect to their servers.

But to stick with the original comment’s idea, there are very cheap and even free VPSs available to set up a VPN endpoint like the comment suggested. To just play around a bit, the Oracle free tier should be fine. Check Tailscale and/or WireGuard for reference on how to set something like that up.

VPN as in virtual PRIVATE network, not the commercial stuff. Your phone connecting to your device would be part of your home network; it will be encrypted between wherever you are and your home, and all data would appear as if it came from your home.

You can set up your own VPN on the machine running Nextcloud (or sometimes home routers have the option included). WireGuard is really simple for this (simpler than OpenVPN) and very resilient to network changes while away from home (it reconnects fast and invisibly if you switch networks, go on and off Wi-Fi, use another SIM…). Many tutorials can be found online.

No, the Mullvad VPN FAQ says you cannot use their service to connect your devices together. They’re more of a virtual privacy network than a virtual private network IMO.

It’s true. It’s not an ideal solution.

That’s also why I recommend adding a source IP to the port forward rule, in case he can’t go with #1.

Setting it up on the home Nextcloud server would mean punching holes in the firewall to let them connect while away, which is what I was trying to avoid.

Do no retail VPNs offer between-device connections? Shame if not.

You already punch holes for the company selling you “anonymity” to get access to your home network traffic and phone without realising it.

You do understand the “retail” VPN “provider” gets to see all your traffic unencrypted, even if the server is running in RAM. It can even start playing man in the middle with SSL certificates (and this is not a very difficult task in 2023), which would allow it to display in the clear all traffic from HTTPS sites.

With your own VPN service, you get to control the server side of things, and it’s not a hole you punch into your firewall; it’s a lock that will open only if you provide correct authentication. If it is on the Nextcloud server, it will also get covered by the same fail2ban.