Expose services with Pangolin

At the moment I have a Homelab where I host most of my stuff. I have a Proxmox host where I have a Docker LXC container where most of my stuff lives, running behind Traefik. Nothing there is exposed to the internet, but I have a VPN setup to reach some services when not at home.

I have a VPS where I host stuff exposed to the internet, but I would like to host everything from my home server. I found Pangolin which looks really nice.

What would be the best way to set up this security wise? There are a few ways coming up in my head.

  1. Just keep things mixed on the Docker LXC where I expose some services with Pangolin
  2. Create another Docker LXC where I have the exposed services (on a separate VLAN)
  3. On a separate host, maybe even on a separate router? Would there be any advantage of doing it this way instead of the previous point with VLANs? Since I’m not a network expert this feels a bit more foolproof than point 2.
  4. Any other ideas for best practice?

I will probably run Pangolin on a VPS.

Note that I’m pretty new to self hosting and I’m not a network expert. What should I have in mind doing this? What are the biggest security risks here? I’d appreciate some input, tips and tricks :slight_smile:

Exposing services presents risks if flaws are found in that service. The way you minimize the risk is making sure that if the server hosting that service is compromised, it cannot be used to move laterally to other servers. This can be achieved using separate networks or by setting up firewall rules on any adjacent servers to block connections.

Like Tom mentioned, you’d probably want to set up a DMZ network on your router and set up all servers you plan to expose to the Internet in there. Then you tidy up the DMZ with firewall rules allowing traffic in only on the ports you want available. By default nothing on the DMZ should be allowed to connect to anything on your internal LAN, and then you open specific ports if you need them, like say a connection to a logging server like Graylog.

Since I’m assuming most of the stuff you want exposed will be web servers, in an ideal scenario you’d have everything behind a reverse proxy with some sort of web application firewall.

Oh, one last thing: you’d likely want something like CloudFlare in front of your reverse proxy. This helps keep your IP address private and helps avoid potential DDoS attacks. Depending on how you configure it, it also provides additional filtering for bad actors.

It is a learning curve for sure. But take your time and it’ll be a fun and rewarding journey. Good luck!
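The DMZ policy described in the answer above, written out as an nftables ruleset; this is an added example, not configuration from the thread or from Pangolin, and the interface names, subnets, reverse-proxy and Graylog addresses are constructed placeholders (12201 is Graylog’s default GELF port).

```nftables
#!/usr/sbin/nft -f
# Assumed interfaces: wan0 = ISP uplink, dmz0 = DMZ VLAN/NIC, lan0 = internal LAN
# Assumed (constructed) addressing: DMZ 10.10.20.0/24, LAN 10.10.10.0/24,
# reverse proxy in the DMZ at 10.10.20.10, Graylog on the LAN at 10.10.10.50
define wan_if  = "wan0"
define dmz_if  = "dmz0"
define lan_if  = "lan0"
define dmz_net = 10.10.20.0/24
define lan_net = 10.10.10.0/24
define rproxy  = 10.10.20.10
define graylog = 10.10.10.50

table ip dmz_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish only the web ports, and only to the reverse proxy
        iifname $wan_if tcp dport { 80, 443 } dnat to $rproxy
    }
}

table inet dmz_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to already-allowed connections; anything else needs an explicit rule
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published ports, only to the reverse proxy
        iifname $wan_if oifname $dmz_if ip daddr $rproxy tcp dport { 80, 443 } accept

        # DMZ -> LAN: nothing by default; the one exception is the logging path
        iifname $dmz_if oifname $lan_if ip saddr $dmz_net ip daddr $graylog tcp dport 12201 accept
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan-denied: " drop

        # DMZ -> Internet: package updates, certificate renewals, etc.
        iifname $dmz_if oifname $wan_if accept

        # LAN -> DMZ: admins may reach DMZ hosts for management and testing
        iifname $lan_if oifname $dmz_if ip saddr $lan_net tcp dport { 22, 80, 443 } accept
    }
}
```

Load it with `nft -f` on the router or firewall box; the logged `dmz-to-lan-denied` entries are what you watch for a compromised DMZ host trying to reach the internal LAN.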

I have seen a number of videos on Pangolin as a replacement for Cloudflare tunnels. For me personally, I will stick with Cloudflare tunnels. I prefer the DDoS protection they offer as well as the other features like web application firewalls, etc. I also trust Cloudflare more to keep their environment secure than doing it myself in a VPS. YMMV

Plus I am just cheap. I prefer Cloudflare’s free services to paying for a VPS.

I’ve never had a DMZ setup before and when looking at it, it seems like the recommended way is to set it up on a secondary firewall. The way you explain it, it sounds just like an extra VLAN with restrictive firewall rules. Or do I misunderstand this? The beauty of Pangolin is that I don’t need to open any extra ports. It seems to work with UDP hole punching (?).

I have a reverse proxy running on my internal stuff, but I guess I need a second one for the external services as well.

Regarding Cloudflare: I don’t want to use Cloudflare and that’s where Pangolin comes in place as an alternative to that. The VPS will be the one fronting the services with its IP address.

I get that. I am just expressing my preference. I think Cloudflare would be more secure. But that’s just my opinion. Doesn’t make it right.

What I do like about Pangolin is that you can use it to authenticate on the VPS to access your services.

With this ‘Authenticate before Connect’ config, hackers can’t just poke at your services so this arrangement is more secure than having a port forward or routing through a reverse proxy without authentication.

Yup, pretty much. And if you want to be extra secure, and your hardware allows it, you can have it physically separated rather than just logically, i.e. a second card in your router rather than a VLAN.

I have a deep distrust of things that magically punch holes in firewalls. It feels nice not to have to worry about firewall rules, but unless you fully understand the implications of what it does and how it does it, you don’t know what security risks it creates. You’re basically placing 100% faith in what they do and praying for the best :slight_smile:

It feels a bit like you’re comparing apples to oranges. Pangolin has an auth before connect which the client must set up on their end. You’re comparing it with a plain port open in the firewall which requires 0 setup on the client end, or a reverse proxy which again requires 0 setup on the client end.

Perhaps a better comparison in this case would be with WireGuard, which I fully trust because it’s a well-established and battle-tested industry standard.

I would see Pangolin (or Cloudflare Tunnels) with Auth as being an alternative to using a VPN on your firewall to access your private services. The benefit over a normal VPN would be you wouldn’t need a VPN client on your device. Mostly we’d be talking web apps anyway (but not necessarily).

I don’t think Pangolin has SAML or any other sort of SSO features yet but it’s quite new and I expect they’ll add that sort of thing at some point.

Even properly secured public cloud services would probably use some sort of auth like Zitadel or Keycloak at the reverse proxy with SSO to the backend services. That’s the sort of direction I see Pangolin going.

1 Like

That’s fine, I did the same. I just don’t like the centralization of the web going on with Cloudflare. Would be great to have a few more options to spread things out a bit. This is one reason why I was so happy to find Pangolin, even if I understand it won’t give me the same protection.

1 Like

I completely agree with that, and also using Cloudflare tunnels means you have them as part of your trust, as they are the ones issuing & managing the certificates. Add on to that their terms and conditions, which last I checked state you cannot use them for video, and which are of course subject to change as they see fit.