Allow Internet access to Nextcloud Container

My current homelab configuration:

  1. 2-4 users
  2. Netgate SG-1100 running 23.05+ (LAN and OPT with VLANs in use)
  3. Nextcloud container running on Proxmox (accessed by 1-2 users)
  4. Purchased domain from Hover that is not being used

I want to securely access Nextcloud from the internet. There might be other servers/services hosted on the Proxmox server that I want to access from the internet in the future. Not sure if VPN or port forwarding or something else is the best way to do this. Any recommendation (pro or con) on which option to use would be greatly appreciated.

VPN is the most secure, but the con is that you have to set up each user to utilize your VPN. Maybe that isn’t a con if you don’t mind the management.

Exposing HTTP/HTTPS to the internet is less secure, but you will need a reverse proxy if you want to host more services utilizing HTTP/HTTPS. Something like HAProxy (pfSense package), nginx or Apache will do the trick. If you choose this method you can enable 2FA on Nextcloud to make it more secure.

Tom has great videos on setting up HAProxy.

Cloudflare tunnels is another option to expose services, but I prefer VPN for better security.
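For the reverse-proxy option discussed above, here is an added example (not from the thread or from any of the posters) of a minimal nginx server block in front of a Nextcloud container. The hostname nextcloud.example.com, the container address 10.0.20.10:80 and the Let’s Encrypt certificate paths are assumed values, not from the original posts.

```nginx
# Added example, not from the thread. Assumed values: nextcloud.example.com,
# the Nextcloud container at 10.0.20.10:80, and a Let's Encrypt wildcard
# certificate for example.com already issued via DNS validation.

server {
    listen 80;
    server_name nextcloud.example.com;
    # Never serve Nextcloud over plain HTTP; send everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nextcloud.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Nextcloud syncs can be large; 0 disables nginx's own limit so the
    # limit configured in Nextcloud applies instead.
    client_max_body_size 0;

    location / {
        proxy_pass http://10.0.20.10:80;
        # Pass the original host and client details so Nextcloud generates
        # correct URLs and logs the real client address, not the proxy's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Nextcloud only trusts those forwarded headers if the proxy’s address is listed in `trusted_proxies` in its config.php, and `overwriteprotocol` should be set to `https` so that links are generated with the right scheme; the external name must also appear in `trusted_domains`.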

Be careful about using the free tier of Cloudflare Tunnels. There are some limitations, especially for how long a connection needs to be kept open and the max POST size (100 megs for the free tier). Syncing large files on the free tier will fail.

Thank you all for your help. I’m going with OpenVPN and following From Ciphers to Certificates: Your Comprehensive Guide to Configuring OpenVPN on pfSense - YouTube


Just to wrap things up, I followed Tom’s pfSense/OpenVPN guide and everything worked the first time!


As a follow-up, I now have OpenVPN access to my self-hosted Nextcloud server working with self-signed SSL certs😊 However, I want to use an application (Joplin notes) that does not support SSL with self-signed certificates securely.

Is there a way to configure pfSense and get a Let’s Encrypt issued certificate so that remote access to the Nextcloud server is only through OpenVPN AND I can access it from my LAN using private IP addresses?

I plan to use the DNS validation option since I already have a registered domain.

If you get a wildcard certificate you can use it to create anything *.YourDomain.com, and as long as you have DNS working it will work.

Tom,

Not sure what “have DNS working” means. What changes would I have to make to pfSense?
Thanks

You would want to have a DNS entry in pfSense for NextCloud.YourDomain.com that points at the internal IP for HAProxy.
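To confirm that the split-DNS setup Tom describes (a pfSense host override pointing the public name at the internal HAProxy address) and the wildcard certificate from the earlier post are actually in effect, here is an added shell check, not from the thread or from any poster. The hostname nextcloud.example.com and port 443 are assumptions; the live check needs network access plus glibc `getent` and `openssl`, while the two helper functions work offline.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Verifies that the Nextcloud name resolves
# to a LAN address from inside the network (split DNS) and that the certificate
# served there covers the name, either exactly or via a one-label wildcard.
# Assumed values (not from the original posts): nextcloud.example.com, port 443.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, 1 otherwise.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ip() {
    is_ipv4 "$1" || return 1
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Return 0 if hostname $1 is covered by certificate SAN entry $2.
# A wildcard covers exactly one label: *.example.com matches
# nextcloud.example.com but not example.com or a.b.example.com.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            first=${host%%.*}
            rest=${host#*.}
            [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "${san#\*.}" ]
            ;;
        *)
            [ "$host" = "$san" ]
            ;;
    esac
}

# Live check: resolve the name through the LAN resolver, require a private
# answer, then read the SANs from the certificate HAProxy serves and require
# one of them to cover the name. Needs network, glibc getent and openssl.
check_split_dns() {
    name=$1
    addr=$(getent ahostsv4 "$name" | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "FAIL: $name does not resolve (add a host override in the pfSense DNS Resolver)"
        return 1
    fi
    if ! is_private_ip "$addr"; then
        echo "FAIL: $name resolves to $addr, not a LAN address (split DNS not in effect)"
        return 1
    fi
    sans=$(openssl s_client -connect "$addr:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
    set -f   # a SAN like *.example.com must not be glob-expanded by the loop
    for san in $sans; do
        if san_matches "$name" "$san"; then
            set +f
            echo "OK: $name -> $addr, certificate covers it via $san"
            return 0
        fi
    done
    set +f
    echo "FAIL: certificate at $addr does not cover $name (SANs: ${sans:-none})"
    return 1
}

# Usage: ./check_split_dns.sh nextcloud.example.com
if [ $# -eq 1 ]; then
    check_split_dns "$1"
fi
```

Run it from a LAN client and again from a client connected over OpenVPN: both should print OK with a private address, which is what keeps the name unreachable from the open internet while still giving Joplin a certificate it trusts.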