Best way to open the servers to the internet: DDNS or tunnel or vpn?

[fshrr]

There are multiple ways of giving access to our local resources to the internet. Main three being DDNS+exposed ports, tunnels or private vpns. Here are some of the pros and cons and points to remember for each.

DDNS+exposed port

Expose a port from the local network allowing outside traffic to hit the external IP directly. Using DDNS with cloudflare-ddns allows us to update dns records on for a domain when ISP changes our external IP.

pros

• direct access without involving third-party services

cons

• more vulnerable to attacks if proper security measures are not put in place
• app vuln translated to system vuln

Points to note

• implement fail2ban for ssh
• implement some sort of authentication for the internal services (authentik)
• keep all services updated
• monitor vulnerbilities in the system using a monitoring tool (wazuh) - more research needed
• use docker containers to prevent a single app's vulnerability allow access to whole system
• security in reverse proxy
• implement own ssl (lets encrypt)

Tunnels (cloudflare tunnel+cloudflare access, ngrok)

Use something like cloudflare tunnel where users make a request to cloudflare's data centres. Cloudflared daemon is installed on the server to keep a persistent https outbond tunnel open with cloudflare. The data is transferred between this tunntel. Cloudflare access is a complementary service used to authenticate any users.

pros

• no exposed ports
• cloudflare tunnel takes care of ddos protection, web app firewall and ssl
• cloudflare access takes care of authentication
• relatively easy to set up

cons

• reliance on external service
• free tier discourages media streaming
• all data is decrypted inside cloudflare for inspection
• if they limit their usage in future, it could require changing solution

Private vpns (wireguard, tailscale, netbird)

The server and all devices making requests to the server are inside a vpn. Wireguard can be implemented on its own. There are services like tailscale that set up mesh vpn with zero config. Unlike tailscale, netbird offers self hosted solution.

pros

• only the intended users can make requests because they will need to be in the vpn

cons

• requires setting up vpn on all clients
• limited user count for tailscale. but there are other solutions (https://www.youtube.com/watch?v=eCXl09h7lqo)
• limited number of users
• if the saas solutions limit their usage in future, it could require changing solution

[fshrr]

Currently leaning towards ddns or netbird. But researching more