Is this a good way to secure "VPN only" endpoints?

I’m using Tailscale, but I also want some endpoints to be public. If they are public I require users to be authenticated using an Authentik middleware. This is not necessary when the user is using the VPN. This is my current setup, do you know if this is secure? I tried getting in myself, but as far as I know, it works fine. Has anyone set up a similar system who would be willing to share their configuration? Thank you.

services:
  whoami:
    image: containous/whoami:latest
    container_name: whoami
    hostname: whoami
    networks:
      - traefik-network
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Public router: served on the .com host, every request goes through the Authentik middleware
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.routers.whoami.middlewares=authentik-proxy@docker"
      - "traefik.http.routers.whoami.tls.domains[0].main=*.example.com"

      # VPN-only router: served on the .me host, allowed only from the listed source address
      - "traefik.http.routers.whoami-vpn.rule=Host(`whoami.example.me`)"
      - "traefik.http.routers.whoami-vpn.entrypoints=websecure"
      - "traefik.http.routers.whoami-vpn.tls.certresolver=le"
      - "traefik.http.routers.whoami-vpn.tls.domains[0].main=*.example.me"
      - "traefik.http.routers.whoami-vpn.middlewares=whoami-vpn@docker"
      - "traefik.http.middlewares.whoami-vpn.ipwhitelist.sourcerange=172.18.0.1"
      # depth=0: match on the TCP peer address and ignore X-Forwarded-For
      - "traefik.http.middlewares.whoami-vpn.ipwhitelist.ipstrategy.depth=0"
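To make the decisions those two routers take visible, here is an added Python model of them, written for this thread and not taken from the poster's setup or from Traefik's code. It assumes the Authentik middleware is a forward-auth that redirects unauthenticated users, and all request values are constructed.

```python
import ipaddress

# sourcerange from the whoami-vpn ipwhitelist middleware above (constructed model)
ALLOWED_SOURCES = [ipaddress.ip_network("172.18.0.1")]


def client_ip(remote_addr: str, forwarded_for: str = "", depth: int = 0) -> str:
    """Traefik ipStrategy: depth=0 uses the TCP peer address; depth=N uses the
    N-th address from the right of X-Forwarded-For (proxies append to the right).
    If the header has fewer than N entries Traefik yields an empty client IP."""
    if depth <= 0:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    if len(hops) < depth:
        return ""
    return hops[-depth]


def allow_vpn_router(remote_addr: str, forwarded_for: str = "", depth: int = 0) -> bool:
    """ipwhitelist check: the selected client IP must fall inside an allowed range."""
    ip = client_ip(remote_addr, forwarded_for, depth)
    if not ip:
        return False  # empty client IP never matches, so the request is refused
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def route(host: str, remote_addr: str, forwarded_for: str = "",
          authenticated: bool = False) -> str:
    """Outcome for one request: which router matches and what its middleware does."""
    if host == "whoami.example.com":  # public router -> Authentik forward auth
        return "allow" if authenticated else "redirect-to-authentik"
    if host == "whoami.example.me":   # vpn router -> ipwhitelist with depth=0
        return "allow" if allow_vpn_router(remote_addr, forwarded_for, 0) else "403"
    return "404"  # no router rule matches


if __name__ == "__main__":
    # A forged X-Forwarded-For does not help at depth=0, but would at depth=1.
    print(route("whoami.example.me", "203.0.113.7", "172.18.0.1"))      # 403
    print(allow_vpn_router("203.0.113.7", "172.18.0.1", depth=1))        # True
```

The second print shows why the depth setting matters: with depth=1 the decision would rest on a header the client can write unless a trusted proxy in front of Traefik overwrites it.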

What are you trying to protect against? Determining if something is secure becomes quite hard w/o the answer to that question (see also, opsec).

You hear all the time about purported “security issues” of VPNs but never a good explanation as to what the vulnerabilities are. Start there.

Second, most VPN software has its own authentication. What are you accomplishing by adding a r
Also, why do you want a VPN? This is similar to the castle and moat concept… so you have two gates to cross the moat. If I can breach one, the second should be just as easy. Once inside though, what security do you have, if any? If you just provide services this significantly reduces the attacks.

That makes sense. I want to protect multiple web services including Jellyfin. These of course do have their own authentication and I think I can trust that their authentication is secure.
But a big part of self-hosting for me is learning about Docker and other bits and bobs.

I’m not sure I completely understand your reply.

You hear all the time about purported “security issues” of VPNs

I think this mostly concerns VPNs as a service like Nord VPN etc. I’m not aware of any security issues with OpenVPN or Wireguard in my case.

most VPN software has its own authentication

Correct, as mentioned above this is mostly about learning about these setups. In a real setup, you might use GitHub OAuth or another secure Auth solution. Tailscale also supports this.

Once inside though what security do you have, if any?

I’m not sure what additional security would be necessary. SSH is only allowed for specific users and requires those users to reauthorize every 24h. Other services should be secure since I use Tailscale’s ACLs to limit users’ access to specific ports, in this case, 443. Furthermore, most if not all services have their own authentication so even if a malicious user were to hijack one of the VPN accounts they would still have to figure out the credentials to a specific service.