Where to learn about setting up a dedicated VPN on home network

Hey all, I don’t know anything at all and I’d love to be pointed in a direction so I can learn.

I already have a home server set up for media storage for entertainment and work. I’m looking to set up a second server from a single board computer as a VPN so I can remotely connect to my home server without needing to expose it to the web, something I’d rather not do.

I don’t know anything about networking but I’m happy to learn. I use Arch on all my PCs and Debian on my server, I’m happy to read documentation but I honestly don’t know much about the tech and I don’t know where to begin.

Can anyone point me in the right direction? Happy to DIY things once I know how the tech works.

Edit: thank you all for the recs, in addition to your suggestions, I’m also looking into running OpenVPN server on my SBC (which is still on order from China). Once I have things all set up, I’ll update this post. I appreciate your points on security, I’m not thrilled at my current level of security, I definitely ultimately want to invest in a hardware solution.

Check if your router supports VPN directly. Mine supports WireGuard, so I enabled it in my router and added the client to all my devices.

Tailscale is dead simple.

If your router doesn’t support it, check out wg-easy: GitHub - wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI.

Check me if I’m wrong, y’all, but a VPN isn’t going to ‘stop your server from being exposed to the web’; it’s just going to encrypt the traffic between you and the server. We use VPN servers to take the load off other servers, so we can dedicate one server to, well, hosting a crap ton of VPNs.

If you want to protect your server, use a hardware or software firewall. I’d recommend pfSense (software; free. You can also set it up bare metal and voilà, hardware; free). Make your comms port something obscure like, I dunno, 52311 (guess what I do?), then set that port for HTTPS traffic. Or just use the HTTPS port, which is. . . google. . . 443! Then on your laptop use SSH or a VPN to connect.

Then you can run Snort as an IPS to check for ‘suss’ activity. Although. . . I’ve done that. . . and. . . it’s a lot. Going through those logs for suspicious activity. . . ick. Just run a virus scanner on your hardware every once in a bit.

I suppose you could NAT the thing so it doesn’t return its IP on a scan, but a good firewall is going to limit botnets pretty severely; it just seems like overkill. (Also, I don’t know anything about the setup.)

Several easy-to-do options:

  1. wg-easy

  2. pivpn (worked on Debian no problem)

  3. tailscale

+ setting up WireGuard manually isn’t too hard, many tutorials online

But beware: you have to open some ports to the internet for the VPN to work. It won’t solve your security problem; you will need a firewall too.

Oh that’s tight, I think mine does. Thanks!

Oh sweet, I’ll check that out.

Hopefully your router has the firewall, its default configuration is good enough, and any changes you have made have not compromised its security. Also, the OP mentioned their router supports WireGuard, which I believe neatly solves the VPN requirement.

You can still have a host based firewall for added protection, but that may be overkill.

pfSense is a FreeBSD based firewall appliance OS, and would likely be best suited on your router, or between your DMZ and your most secure segment of your LAN (I believe this latter scenario is again overkill for a home network).

I moved on from pfSense over a decade ago, since at the time the pfSense community really discouraged using the CLI at all. When I was trying something specific (I don’t remember what it was), the only way to do it was by editing a config file through the CLI, which was unsupported.

I also saw the OP mentioned their network has Arch and Debian machines, so introducing pfSense is a totally different OS to learn. You can look at nft (replacement for iptables) on Linux. I personally prefer a firewall abstraction, so I use firewalld. If you need something graphical, I recommend fwbuilder (firewalld also has a GUI configuration tool).

I also run my own DIY router on an Intel NUC running Arch Linux (migrated from Debian before that old NUC died), with firewalld and WireGuard. For management the only way to log in from outside my home network is through the WireGuard port.

What I love about WireGuard is that it uses Single Packet Authentication, where if a client doesn’t encrypt their messages with the pre-shared key and the public key of my router, the router doesn’t even respond so would-be attackers wouldn’t know something is listening on that port.
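The two posts above (the "you will need a firewall too" reply and the DIY Arch router with firewalld and WireGuard) describe the same design: the WireGuard UDP port is the only thing reachable from the internet, and management happens through the tunnel. As an added example that is not from anyone in this thread, here is a small POSIX shell script that renders a WireGuard server config and an nftables ruleset implementing that design on a Linux router. It assumes a WAN interface named eth0, a LAN interface eth1, UDP port 51820, tunnel subnet 10.10.0.0/24, and uses placeholder keys; it uses nft directly rather than firewalld, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): render a WireGuard server config and an
# nftables ruleset for a Linux DIY router where the WireGuard UDP port is the
# only inbound service on the WAN side and SSH is reachable only over wg0/LAN.
# Assumed: WAN interface "eth0", LAN "eth1", WireGuard port 51820, tunnel
# subnet 10.10.0.0/24. Keys are placeholders; generate real ones with
# `wg genkey | tee server.key | wg pubkey > server.pub` and `wg genpsk`.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WG_IF="wg0"
WG_PORT="${WG_PORT:-51820}"

# Emit /etc/wireguard/wg0.conf. PrivateKey/PublicKey/PresharedKey are
# placeholders; a real config uses the values produced by wg genkey/genpsk.
gen_wg_server_conf() {
    cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = ${WG_PORT}
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

# One [Peer] block per client. AllowedIPs pins the client to a single tunnel
# address so it cannot claim another peer's address inside the tunnel.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <LAPTOP_PRESHARED_KEY_PLACEHOLDER>
AllowedIPs = 10.10.0.2/32
EOF
}

# Emit an nftables ruleset: default drop on input, WireGuard port open on
# WAN, SSH and the LAN only reachable from the tunnel or the LAN itself.
gen_nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Only inbound service on the internet side: WireGuard handshakes.
        iifname "${WAN_IF}" udp dport ${WG_PORT} accept

        # Management (SSH) is reachable through the tunnel or from the LAN,
        # never from the WAN interface.
        iifname { "${WG_IF}", "${LAN_IF}" } tcp dport 22 accept

        # ICMP for path MTU discovery and basic diagnostics.
        meta l4proto { icmp, icmpv6 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        # Tunnel clients may reach the LAN (e.g. the media server).
        iifname "${WG_IF}" oifname "${LAN_IF}" accept
        # LAN may reach the internet.
        iifname "${LAN_IF}" oifname "${WAN_IF}" accept
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "${WAN_IF}" masquerade
    }
}
EOF
}

# Sanity check on the rendered ruleset: succeeds (exit 0) only if no rule
# accepts TCP 22 arriving on the WAN interface. Catches a copy-paste slip
# that would expose SSH directly to the internet.
ssh_not_exposed_on_wan() {
    ! gen_nft_ruleset | grep -q "iifname \"${WAN_IF}\".*tcp dport 22"
}

# Apply (requires root, wireguard-tools and nftables installed):
#   gen_wg_server_conf > /etc/wireguard/wg0.conf && chmod 600 /etc/wireguard/wg0.conf
#   gen_nft_ruleset | nft -f -
#   wg-quick up wg0
if [ "${1:-}" = "show" ]; then
    gen_wg_server_conf
    echo
    gen_nft_ruleset
fi
```

Run it with `sh script.sh show` to print both files; the ruleset can be checked without applying it via `gen_nft_ruleset | nft -c -f -`. The input policy is drop, so anything not listed (SMB on the media server, a web UI, SSH from the WAN) is simply unreachable from the internet, which is the point the firewall posts above were making.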

This is a solid rec, I definitely need to up my security game for my server as I’m aware that smb is far from secure.

I appreciate your comment, I’m learning a lot from it.

Oh god, just google metasploit smb, and spend some more time thinking it through…