Remote access 2nd opinion - VPN (Wireguard), DDNS and portforwarded - NextCloud next?

  • Hello good people of the OMV forums,


    Experimenting with remote access to my OMV server. Have followed this guide and having set up the Wireguard plugin, a DDNS (Duck DNS) and forwarded the port in my router, I have successfully connected to my LAN remotely 🥳. I just want to double check that the steps I've taken will keep things secure? As far as I can tell this is the best way to do it but would appreciate it if anyone could point out security flaws. In an abundance of caution I've disabled the VPN and closed the port while I check here.


    The only issue is that when I enable the VPN client on my laptop, I can access only the LAN but not the internet (ie: anything outside the LAN). After a quick search, I think this may be by design (for security?) and there's some extra config I can do to use the VPN and the internet simultaneously. Are there any security/speed concerns with doing this?


    I'm thinking next steps are to use NextCloud. I see this official guide. Is a reverse proxy needed if I'm using wireguard? Again a quick search implies it shouldn't be needed if using a VPN but would appreciate advice here.


    Thanks!

    OMV 7 (7.4.11-1 Sandworm)

    running on Raspberry PI 4

    Flash microSD card for OS

    MAIN DRIVE: 2TB USB HDD

    BACKUP DRIVE: 2TB USB HDD (periodically mirroring the above drive) - in powered HDD enclosure


    Experimenting with remote access to my OMV server. Have followed this guide and having set up the Wireguard plugin, a DDNS (Duck DNS) and forwarded the port in my router, I have successfully connected to my LAN remotely 🥳. I just want to double check that the steps I've taken will keep things secure? As far as I can tell this is the best way to do it but would appreciate it if anyone could point out security flaws. In an abundance of caution I've disabled the VPN and closed the port while I check here.

    You don't need to disable that port even if you're not connected. I'm not going to say it's impossible to be hacked, because nothing is impossible in this world. Maybe NASA or some world-famous superhacker could hack you, but it's unlikely NASA wants to see your movies and family photos.

    The only issue is that when I enable the VPN client on my laptop, I can access only the LAN but not the internet (ie: anything outside the LAN). After a quick search, I think this may be by design (for security?) and there's some extra config I can do to use the VPN and the internet simultaneously. Are there any security/speed concerns with doing this?

    Check if the tunnel you've set up on your laptop has AllowedIPs configured like this:

    AllowedIPs=0.0.0.0/0

    If it doesn't, change it. This will redirect all communications in any IP range to the VPN tunnel.

    There's no security issue with doing this. On the contrary, if you connect to the internet from a public Wi-Fi network (a bar, a shopping mall, or a hotel, for example), all your traffic will be encrypted, which will improve your security.

    I'm thinking next steps are to use NextCloud. I see this official guide. Is a reverse proxy needed if I'm using wireguard? Again a quick search implies it shouldn't be needed if using a VPN but would appreciate advice here.

    Nextcloud works differently than a VPN. Nextcloud creates a web address that anyone can reach, and anyone can see the login screen. After that, Nextcloud has several very strong security measures that prevent anyone from logging in, such as two-factor authentication, among other options. It all depends on how far you want to go with your security.

    On the other hand, the only way to access a VPN like Wireguard is to configure the tunnel on the client, which you can't do if you don't know the access keys. The disadvantage of a VPN is precisely that: you need to configure the tunnel on the client, whereas with a service like Nextcloud (or Jellyfin, or any other) configured through a proxy, you can access it from any internet-connected device without prior configuration on that device.


    One way to achieve double security is to configure Nextcloud to only allow local access (not common, but possible) and access your local network through Wireguard. This way, you'll always be protected by Wireguard, although you'll lose some Nextcloud features, such as file sharing with third parties.

  • You can configure your VPN client either way. I personally use OpenVPN and my mobile devices are 100% routed via VPN, while my desktop clients only route traffic that has to pass via VPN (to reach the clients on the other side) while they use the local gateway for all the other stuff.


    You should brush up on the topics and do everything step by step. Considering your question about security, I don't think you can get any assurances that way. VPN and encryption are state-of-the-art solutions. They are considered very secure with the exception of human error during setup/configuration (weak passwords, for example). So it's basically up to your skills/knowledge.


    Using Nextcloud via VPN is not the usual approach. It is doable though. A reverse proxy is only needed when you want to have access to different services on the same host running on the same port. Kinda like http://myhost/service1/ and http://myhost/service2/. The proxy would redirect your requests to the correct apps hosted on the same machine, identified by the URL only. It seems you have a lot to learn first.
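    Putting the AllowedIPs advice from the previous reply and the full-tunnel vs. split-tunnel distinction from this one side by side, here is an added example of a WireGuard client configuration for the laptop. It is not taken from the thread or from the omv-extras plugin docs; the key placeholders, the DuckDNS hostname, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN and the resolver on 10.8.0.1 are all assumptions.

```ini
# Added example WireGuard client config (laptop side). Not from the thread or the plugin.
# Assumptions: tunnel subnet 10.8.0.0/24, server tunnel address 10.8.0.1,
# home LAN 192.168.1.0/24, DDNS name example.duckdns.org, listen port 51820.

[Interface]
PrivateKey = <PRIVATE_KEY_OF_LAPTOP>
Address = 10.8.0.2/32
# Resolver to use while the tunnel is up. Without this line some clients keep a
# resolver that is no longer reachable once all traffic is routed into the tunnel,
# so LAN hosts work but internet name lookups fail. 10.8.0.1 assumes the server
# runs a resolver on its tunnel address; a public resolver (e.g. 8.8.8.8) also works,
# but then DNS queries leave the home connection instead of staying on the LAN.
DNS = 10.8.0.1

[Peer]
PublicKey = <PUBLIC_KEY_OF_SERVER>
# Optional extra symmetric secret; must match the server's entry for this peer.
PresharedKey = <PRESHARED_KEY>
# DDNS name plus the single UDP port forwarded on the router.
Endpoint = example.duckdns.org:51820
PersistentKeepalive = 25

# Full tunnel: everything, including internet traffic, goes through the home
# connection. ::/0 is included so IPv6 does not bypass the tunnel on dual-stack Wi-Fi.
AllowedIPs = 0.0.0.0/0, ::/0

# Split tunnel (the desktop-style setup described above): only the tunnel subnet
# and the home LAN are routed via WireGuard; everything else uses the local gateway.
# Use this line instead of the one above:
# AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
```

    Two things worth checking on the server side. The matching [Peer] entry for this laptop should list only the laptop's tunnel address (AllowedIPs = 10.8.0.2/32); 0.0.0.0/0 belongs in the client config, since on the server it would let that peer source traffic from any address. And the full-tunnel variant only works if the server forwards and masquerades the peer's traffic onto the home LAN; once connected, `wg show` on the server should list the peer with a recent handshake, and a "what is my IP" check from the laptop should return the home connection's public address rather than the Wi-Fi hotspot's.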

  • Thanks both for the input. After more research and thought, and with the help of your replies, it seems Nextcloud is possibly surplus to my requirements and unnecessarily complicates things as I'm learning and experimenting.


    chente - Re fixing the Wireguard client on Mac, it was already set that way. After quite a bit more searching, I discovered it was a DNS issue and I had to add a line to the config file to specify a DNS server. So I had to add the following to [Interface] in the config file (Google's DNS servers):

    DNS = 8.8.8.8, 8.8.4.4 

    Didn't have to do this on my phone, oddly. Looks like (yet another) Mac issue.


    Using Nextcloud via VPN is not the usual approach. It is doable though. A reverse proxy is only needed when you want to have access to different services on the same host running on the same port. Kinda like http://myhost/service1/ and http://myhost/service2/. The proxy would redirect your requests to the correct apps hosted on the same machine, identified by the URL only. It seems you have a lot to learn first.

    Got you. I suspect the proxy then is needed because OMV and NC use the same port for the web GUI?

    It seems you have a lot to learn first.

    Yes indeed... that's why I'm posting here to seek the wisdom of those more knowledgeable than I - so thanks again! 🙃


  • Got you. I suspect the proxy then is needed because OMV and NC use the same port for the web GUI?

    Not necessarily. Most people move the GUI port to 90. But if you have Nextcloud and you also want to serve some other self-hosted app on the same host using the default secure connection (https), there is no other way to share the same port than to have a reverse proxy with a subdomain or subfolder configuration. There is also more to it than that. You will see once you learn more and start to connect the dots.


    But you can also do everything on separate ports. You just have to remember all the ports to access the services later. It's your decision how you want to make all that stuff work.


    A proxy can do far more than just redirect. It can be very overwhelming seeing such a configuration. There are many pitfalls to break stuff without even knowing it. But it is doable to anyone who is willing to learn new things and who also likes to tinker with things and doesn't give up easily. Once you get the basics it will be easy to setup things the way you want.


    Re fixing the Wireguard client on Mac, it was already set that way. After quite a bit more searching, I discovered it was a DNS issue and I had to add a line to the config file to specify a DNS server. So I had to add the following to [Interface] in the config file (Google's DNS servers):

    DNS = 8.8.8.8, 8.8.4.4

    Didn't have to do this on my phone, oddly. Looks like (yet another) Mac issue.

    Thanks for the report. I just added this note to the wiki.

    omv7:omv7_plugins:wireguard [omv-extras.org]
