There are multiple ways of making local resources reachable from the internet. The main three are DDNS + exposed ports, tunnels, and private VPNs. Here are some pros, cons and points to remember for each.
DDNS+exposed port
Expose a port from the local network so outside traffic hits the external IP directly. Using DDNS with cloudflare-ddns keeps the DNS records for a domain updated when the ISP changes our external IP.
pros
direct access without involving third-party services
cons
more vulnerable to attacks if proper security measures are not put in place
a vulnerability in an exposed app becomes a vulnerability of the whole system
Points to note
implement fail2ban for ssh
implement some sort of authentication for the internal services (authentik)
keep all services updated
monitor vulnerabilities in the system using a monitoring tool (wazuh) - more research needed
use docker containers so a single app's vulnerability does not give access to the whole system
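As an added example (not part of these notes), this is the counting rule behind a fail2ban sshd jail, run over constructed sshd log lines: an IP is flagged once it has maxretry failures inside a findtime window (defaults mirror the usual 5 attempts in 10 minutes). The log lines are made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not real traffic); syslog timestamps have no year.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 homelab sshd[2101]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar 10 12:00:03 homelab sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar 10 12:00:04 homelab sshd[2106]: Failed password for root from 203.0.113.5 port 51436 ssh2
Mar 10 12:00:06 homelab sshd[2108]: Failed password for root from 203.0.113.5 port 51440 ssh2
Mar 10 12:00:09 homelab sshd[2110]: Failed password for root from 203.0.113.5 port 51444 ssh2
Mar 10 12:01:15 homelab sshd[2130]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar 10 12:01:20 homelab sshd[2131]: Accepted publickey for alice from 198.51.100.7 port 40014 ssh2
Mar 10 13:30:00 homelab sshd[2200]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 10 13:45:00 homelab sshd[2201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 14:00:00 homelab sshd[2202]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 10 14:15:00 homelab sshd[2203]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 10 14:30:00 homelab sshd[2204]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def ips_to_ban(events, maxretry=5, findtime_s=600):
    """fail2ban-style sliding window: flag an IP once it reaches `maxretry`
    failures inside any `findtime_s`-second window."""
    window = defaultdict(list)
    banned = set()
    for ts, ip in sorted(events):
        window[ip].append(ts)
        # forget attempts that fell out of the window
        while (ts - window[ip][0]).total_seconds() > findtime_s:
            window[ip].pop(0)
        if len(window[ip]) >= maxretry:
            banned.add(ip)
    return sorted(banned)
```

The slow source 192.0.2.9 never trips the default window, which is why a jail's findtime (or a longer-term rule) matters as much as maxretry.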
Tunnels (cloudflare tunnel+cloudflare access, ngrok)
Use something like cloudflare tunnel, where users make requests to cloudflare's data centres. The cloudflared daemon is installed on the server to keep a persistent outbound HTTPS tunnel open to cloudflare, and the data is transferred through this tunnel. Cloudflare access is a complementary service used to authenticate users.
pros
no exposed ports
cloudflare tunnel takes care of ddos protection, web app firewall and ssl
cloudflare access takes care of authentication
relatively easy to set up
cons
reliance on external service
free tier discourages media streaming
all data is decrypted inside cloudflare for inspection
if they limit usage in future, it could require changing the solution
Private vpns (wireguard, tailscale, netbird)
The server and all devices making requests to it are inside a VPN. Wireguard can be set up on its own. Services like tailscale set up a mesh VPN with zero config. Unlike tailscale, netbird offers a self-hosted solution.
pros
only the intended users can make requests because they will need to be in the vpn