Long story short, both my wife and I have work VPNs on our phones that need to be enabled at all times, and therefore a VPN for our own network isn’t a viable path (sure wish there was some sort of VPN-per-focus-mode type option, but alas). What is the next safest option for us to expose a few core services (Immich, Paperless, etc.)?
The safest is simply to not expose at all and we’ll definitely be doing that for the majority of our services.
Can you setup a separate work vs personal profile on your phone and enable the corporate VPN only on the work profile? I know this is possible on Android (https://support.google.com/work/android/answer/6191949?hl=en), and I believe it is possible on iOS. Otherwise, I would suggest that you ask your employer for a work phone.
I do it old school.
Port forwarding to a reverse proxy.
Services secured by authentik with 2FA
Crowdsec constantly analyzing the proxy and application logs in search of attackers, and automatically implementing bans at both firewall level and proxy level.
Watchtower to make sure I keep the services updated, just in case a known vulnerability is disclosed before I have the chance to update the apps.
I also pre-emptively block known bad-actor countries that I know I will never visit, like Russia, China, Iran, Belarus.
Tunnels, like Cloudflare tunnel. It is what I use for my personal project. No ports need to be open whatsoever.
Reverse proxy with authentication is another option, but in theory a little bit less secure than mTLS.
For example, you can set up Caddy, which will be the only service exposed to the web (port 443), and use it to proxy HTTP traffic to your internal services. Authentication can be handled with Authelia, caddy-security or other solutions.
Are these your personal phones? If so I would advise not having a work VPN on them 24/7 or really any work software/management stuff at all, just not a good idea.
Now if you are going to expose things online, you could maybe limit it to specific IP addresses, if you know what egress points your work is using (assuming they aren’t dynamic).
This is not enough information.
What do the phones have to do with exposing services?
To where, from where?
What is running and where? (where is paperless running)
See a similar question, with my response in this same sub:
https://www.reddit.com/r/selfhosted/s/4vZzXKxwUY
(Not self-hosted, but…) what about a Cloudflare Tunnel? Configure a Private Hostname for each service you want to host, run cloudflared on a VM or container on your local LAN, and voila… public remote access. If your self-hosted services are restricted to your use or a small group of users, add a Cloudflare Application to provide an additional layer of authentication.
(YMMV regarding your opinion about Cloudflare’s privacy policies.)
It depends on what services you are exposing and how you need to access them.
If using web browsers or apps with support, mTLS is essentially equivalent in strength to VPN authentication, and if you enforce mTLS as a requirement at the perimeter of your network your attack surface is really small.
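The "enforce mTLS at the perimeter" idea in concrete form, as an added example that is not from the thread: a private CA you control issues certificates to your own devices, and the edge proxy trusts only that CA, so a certificate from any other issuer (however valid-looking) is rejected before it ever reaches Immich or Paperless. The directory $WORK, the CA name home-ca, the client alice-phone, and the stand-in issuer rogue-ca are assumed names for this example; the script needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the work directory $WORK, the CA
# called home-ca, a client cert for alice-phone, and a second CA (rogue-ca) that
# stands in for any certificate issuer you did not create.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA; $1 = subject CN, $2 = file basename.
# Its private key never needs to leave the machine that enrolls your devices.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Issue a client certificate signed by a CA; $1 = CA basename, $2 = client basename
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# The perimeter decision: trust only home-ca and ignore the system trust store,
# so a certificate from any other issuer is rejected. Prints "allow" or "deny".
client_allowed() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/home-ca.crt" "$1" >/dev/null 2>&1; then
    echo allow
  else
    echo deny
  fi
}

make_ca "Home CA" home-ca
make_ca "Some Other CA" rogue-ca
issue_client_cert home-ca alice-phone   # the phone you enrolled
issue_client_cert rogue-ca intruder     # a valid-looking cert from the wrong issuer

client_allowed "$WORK/alice-phone.crt"  # allow
client_allowed "$WORK/intruder.crt"     # deny
```

In a real deployment the `client_allowed` check is done by the reverse proxy rather than a script; in nginx the equivalent is `ssl_client_certificate /path/to/home-ca.crt;` together with `ssl_verify_client on;` in the server block, and the client key plus certificate are installed on each phone. Because the check happens during the TLS handshake, an unauthenticated visitor never gets an HTTP response from the application at all, which is why the comment above says the attack surface stays small.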
and therefor a VPN for our own network isn’t a viable path
Doubt it really routes all your traffic through the work tunnel; likely just their domain and their IP range get sent their way.
You think they want to deal with all the employees opening YouTube videos? So in a similar way as you are sent somewhere out there to see a YouTube video, you would be sent to your own server through a different tunnel if it fits the IP range…
But anyway, if no VPN then I am a big fan of geoblocking. I host stuff for people and sure as fuck am not going to babysit them and make them jump through hoops… so I am using OPNsense to geoblock the entire world and only allow IPs from my country to initiate connections into my home network.
You can go that way if you’ve got the skill, or buy some new router that supports it; the UniFi UCG-Ultra has it and costs like $130.
What’s your operating system? If this is for a static environment, I would order a static IP and port forward, which would allow servers to run over the internet, but apply strict iptables rules that only make this accessible to whitelisted IP addresses. I use this method for some of my services, and it works wonders. The port is open, but only accessible to and from a single machine, so I have full use of my upload speed (4000 up) and am not restricted to any VPN bottlenecks, and being IP-limited, my services are protected from hackers and snoopers. Just be sure to use iptables-save or iptables-persistent, otherwise changes are lost on startup.
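What the "strict iptables rules, whitelisted IPs only, and persist them" approach above looks like as a script, added here as an example rather than taken from the comment: every allowed source address gets an explicit ACCEPT on the forwarded port, everything else hitting that port is logged (rate-limited, so a scan cannot flood the log) and dropped, and the rule set is saved where iptables-persistent reloads it at boot. WAN_IF, SERVICE_PORT and the ALLOWED_IPS list (TEST-NET addresses constructed for this example) are placeholders to replace with your own values; with DRY_RUN=1, the default, the script prints the rules instead of loading them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: WAN_IF, SERVICE_PORT and the
# ALLOWED_IPS list (TEST-NET addresses, constructed for this example). DRY_RUN=1
# (the default) prints the rules instead of loading them, so it runs without root.
WAN_IF="${WAN_IF:-eth0}"
SERVICE_PORT="${SERVICE_PORT:-443}"
ALLOWED_IPS="${ALLOWED_IPS:-203.0.113.10 198.51.100.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Run an iptables command, or print it in dry-run mode
ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Allow the forwarded service port only from the allowlist; log and drop everyone else.
# Order matters: the ACCEPT rules come first, then the rate-limited LOG, then the DROP.
apply_allowlist() {
  for src in $ALLOWED_IPS; do
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SERVICE_PORT" -s "$src" -j ACCEPT
  done
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SERVICE_PORT" \
    -m limit --limit 5/min -j LOG --log-prefix "allowlist-drop: "
  ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SERVICE_PORT" -j DROP
}

# Persist the rule set so it survives a reboot (iptables-persistent reads this file)
persist_rules() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables-save > /etc/iptables/rules.v4"
  else
    iptables-save > /etc/iptables/rules.v4
  fi
}

apply_allowlist
persist_rules
```

Run it with `DRY_RUN=0` as root once the printed rules look right. The rules go in the INPUT chain because this assumes the service runs on the host that receives the forwarded port; if the firewall box forwards to another machine, the same matches belong in the FORWARD chain. IPv6 is a separate rule set (ip6tables and rules.v6), so if your ISP hands out IPv6 the port is not protected until you repeat the allowlist there. The log prefix makes the dropped connection attempts easy to grep out of the kernel log, which is the cheap detection this setup gives you for free.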
Take a look at Pomerium. Straightforward to set up reverse proxy, but gives you all of the security goodies you’d probably want when opening your home network to the world.
Call path would be:
Your device → Home Router → Pomerium Proxy (which would handle authn/z) → Your Services
Pomerium also has a free tier for their hosted control plane, so all you’d have to host is the proxy.
Disclaimer: I’m a field architect for Pomerium, but we quite literally are built exactly for this use case.
Probably a reverse proxy (like nginx) serving everything over HTTPS, of course.
Tailscale, Zero Tier, Cloudflare
I’m using Cloudflare zero tier.
Adds security and such as well
That idea is what I mentioned above in my post - I’d love for it to exist but I’m not sure it does for iOS.
In terms of the work phone topic - I’ve seen it mentioned before. Even if my employer offered it I’m looking for an option that doesn’t have me carrying around two phones.
I have a work account on my personal Android and I was told that this also works for iOS. I’m not sure about specifics cause it was done via a company script.
Bottom line - it is possible for iOS.
This is the correct answer, OP. Work VPNs conflicting with your own VPN can be a headache. I like mTLS more than using a VPN for everything. VPNs are just more popular because they are easier to set up.
Not sure if this is relevant to OP but does Cloudflare still prohibit streaming via tunnels? (My info may be woefully out of date, since I switched to Tailscale a while back.)