Zero trust vs traditional VPNs

Hi, is anyone publishing their sensitive internal websites (eg Git, wiki, personal finance apps) online without a VPN, and securing them with OAuth or SAML?

How confident are you in this?

Google does this for their secret stuff:

But it feels like a huge risk. I’ve always run a VPN and connected to it. However, it’s not very friendly when you change from WiFi to 4G and need to reconnect. Apps like Bitwarden are of course behind the VPN, so it’s a headache to save passwords on the go.

Is anyone here brave enough to implement zero trust MFA-based auth and stick their web apps on the Internet?

So you think the VPN is more secure than the app/auth stuff you are using?

The VPN is less surface area than exposing everything directly, but in the end you are still running someone else’s code most of the time.

If you have things locked down and you have good logs/alerts for things, exposing stuff isn’t /that/ dangerous. Most attacks are automated and looking for admin/admin levels of security flaws. If you can withstand that you are past 99.9999% of most attacks.

If a nation-state is focused on your stuff you’re likely fucked anyway.

That said I have a few services exposed so that family members can use them, but most are behind the VPN just because there isn’t much use in exposing them.

Mobile devices are all set up to automatically connect to WireGuard when not on the home WiFi, so they get VPN access by default.

I use mTLS. Best of both worlds.
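To make the mTLS suggestion concrete, here is an added, self-contained example (not code from any poster or from a real homelab): a Go program that creates a throwaway private CA, issues a server certificate and one client certificate, starts an HTTPS server that rejects every connection without a CA-signed client certificate, and then connects once with the certificate and once without. The names (`homelab-root-ca`, `git.home.example`, `alice-phone`) are constructed placeholders; the server listens on loopback only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// template builds a minimal certificate template; names and serials are constructed for the demo.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue generates a fresh P-256 key and signs template with parentKey.
// Passing the template as its own parent and a nil parentKey yields a self-signed root.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newMTLSServer starts a loopback HTTPS server that requires a client certificate
// chaining to caCert. The TLS layer rejects anonymous clients before any HTTP
// handler runs, so the application code never sees unauthenticated requests.
func newMTLSServer(caCert, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is non-empty here: the handshake already verified the chain.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting that makes this mTLS
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	s.StartTLS()
	return s
}

// fetch performs one GET, trusting only caCert for the server and optionally presenting clientCert.
func fetch(url string, caCert *x509.Certificate, clientCert *tls.Certificate) (int, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Demo builds the CA and certificates, then returns the certified client's status and body
// and whether the anonymous client was rejected (it should be).
func Demo() (int, string, bool, error) {
	caTmpl := template("homelab-root-ca", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	caCert, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return 0, "", false, err
	}
	srvTmpl := template("git.home.example", 2)
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvTmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // SAN must match the loopback URL
	srvCert, srvKey, err := issue(srvTmpl, caCert, caKey)
	if err != nil {
		return 0, "", false, err
	}
	cliTmpl := template("alice-phone", 3)
	cliTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliCert, cliKey, err := issue(cliTmpl, caCert, caKey)
	if err != nil {
		return 0, "", false, err
	}
	s := newMTLSServer(caCert, srvCert, srvKey)
	defer s.Close()
	status, body, err := fetch(s.URL, caCert, &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey})
	if err != nil {
		return 0, "", false, err
	}
	_, _, anonErr := fetch(s.URL, caCert, nil) // no client cert: handshake is refused
	return status, body, anonErr != nil, nil
}

func main() {
	status, body, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("certified client: %d %q; anonymous client rejected: %v\n", status, body, rejected)
}
```

The point of the example is where the check happens: `RequireAndVerifyClientCert` on the server's `tls.Config` means an attacker scanning the open port never reaches the web application at all, which is why mTLS in front of a self-hosted app removes the "admin/admin" class of automated attacks the thread mentions while still leaving the service reachable from 4G without a VPN. In a real deployment the same setting lives in the reverse proxy config, and the private CA key stays offline.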

Yes.

You can argue that larger companies know what they are doing or have their code audited. But most breaches aren’t due to software vulnerabilities; they are due to social engineering and human error.

You could argue that by self hosting your own services you become a much smaller target so that you’re simply not worth the effort of a targeted hack.

Unless things can be automated, generally you aren’t worth the effort. If someone wants a payout it’s way more lucrative to target larger companies where the customer data is valuable, or the reputation is ruined (how many of us migrated from LastPass after their hack?).

But imo, putting everything behind a VPN isn’t useful advice for self hosting your own services. A VPN connection isn’t always possible, and if you need to log in to a website on a borrowed/public device but can’t because you’ve hidden your Vaultwarden behind a VPN, you will have felt this pain.

Now I’m not saying you should blindly open up everything to the internet. But make informed decisions as to what is best for you and your needs.

WireGuard is the most secure option. Zero trust is marketing.

Not using a VPN is not zero trust. Putting a server naked on the internet without any protection is not zero trust either, more like the exact opposite.

It depends on how secure the architecture, applications, and application security are really. If it’s one app for which I’m the only user and can access behind encryption/WAF I might do it, but I still wouldn’t leave other parts of my LAN/homelab exposed to do so. That’s the key difference when self hosting.

I see a problem with personal stuff being in the same place as other things that should be exposed. Like me having Nextcloud and wanting to share a photo link with a friend.

It should not be an either/or. For ALL your apps you should require authentication (preferably with an IdP using stuff like OAuth) and use TLS, even when using a VPN or even inside your LAN. This is a core principle of modern security practices like “defense in depth”, which assume your network is always compromised.

IIRC I evaluated this too, but ditched it because most client apps do not support this, e.g. the Nextcloud Android app. Did you find a way around that?

Agree, that’s what I used to do as well, but some mobile apps won’t support it (HA for instance).

Thanks. I agree with a lot you’re saying here :+1:

Nobody here is saying that, and I know what ZTNA is.

I don’t run public NextCloud instances. However, it’s a pity that they don’t support mTLS, despite the minimal code changes required to implement it, and considering that NextCloud Talk already supports mTLS.