Need some server security advice

So, first let me explain my current setup:
FreeNAS on a PC, currently running only for backups. A Raspberry Pi running Pi-hole as an ad blocker (but only for my PCs, not my entire network) and also running PiVPN with WireGuard for server maintenance and access from outside my network.

Now I want to install the Nextcloud plugin on my FreeNAS system and would like to be able to access it from the outside, but not by connecting to my VPN, just as a normal website. I think it would be too risky to directly open the ports to my FreeNAS system from the router, as I also have all of my backups on it. So the idea would be to set up a reverse proxy server in front of the FreeNAS system. I don't have another computer for that use and also wouldn't like to pay the electricity costs for that. Could I install the reverse proxy on my Raspberry Pi, as it already has a public domain name for the VPN, or would that cause conflicts?

Also, if that wouldn't cause any conflicts: I have never set up a reverse proxy server myself. Do you have any good guide recommendations for a reverse proxy server on a Raspberry Pi?

Thank you all for your help!

Anything that you make public facing will be poked and probed by the internet. If you are not confident in setting up Nextcloud and updating it, then learn that first before adding another system in front of it that you are also not familiar with setting up and keeping updated. The safest bet is keeping these services behind the VPN as you have them now. I don't have any, but there are guides out there for getting an Nginx reverse proxy set up on a Pi. It's a great way to learn how that works.

Thank you!
I am familiar with Nextcloud and had it set up publicly before on other PCs, but at that time I didn't have my backups on that server too. The reason why I don't want to use my VPN to access the Nextcloud is that I want to create a couple of other accounts for some friends on the Nextcloud, but I don't want to give them full access to my network by connecting to my VPN. I think I'm going to back up the SD card of my Raspberry Pi and then test whether I get any conflicts by setting up the reverse proxy on the Pi.

At some point you are probably going to want to invest in something like a pfSense machine.

I'm with @Greg_E. Running pfSense allows you to consolidate your Pi-hole and OpenVPN; however, you'll need a switch, a new router and probably an access point. Set up VLANs, then set up Nextcloud (on your Raspberry Pi) on a VLAN that you allow access to via OpenVPN but deny access to the other VLANs.

It will cost more, but you will have greater flexibility, though energy use doesn't have to be high.

Hmmm. I see. Well, I’m going to set it up like this first and then see how much I can invest into it. Thank you!

Setting up a reverse proxy in front of Nextcloud isn't very difficult. I've never done this on something like an RPi, but simply set mine up within a VM. I'm aware you could similarly set one up using a combination of Docker images as well (for example nginx/letsencrypt containers). For Nextcloud I'm aware a lot of people use a variety of reverse proxies rather than nginx, for example Caddy or Traefik. Although all reverse proxies basically function the same way, learning the nuances of each reverse proxy is kind of tricky: the syntax is different and their features and options will be different. (For example, with Caddy, Let's Encrypt SSL support with issue/renewal functions is built into the reverse proxy; however, it's not possible to specify exact SSL specifications and functions that can be used as you could, for example, with nginx. Caddy uses something they call "sane defaults", which I'm not sure what that means.)

Even when working with reverse proxies and such, you'll have to ask yourself: "is this good enough for a public facing server?" I'm not exactly sure how to answer this question, but most likely it's probably not in terms of security. It's possible you could lock down your reverse proxy to only allow proxying according to source IP address (for example if your friends connect specifically from one IP address). Other options would be to add some two-factor authentication scheme in combination with your reverse proxy, such as adding a Duo portal. Again, is this good enough in terms of a public facing server? I'm not sure I can answer that question.

It's also possible to migrate your Nextcloud server so it sits on a separate VLAN from the rest of your network to attempt to isolate the server from the rest of your network. With a VPN connection in front of the VLAN it would be possible to limit access to this particular VLAN and not your entire network. Although you could use any "enterprise level router/switch" that supports VLANs, I'm aware pfSense allows for this type of setup, and pfSense as a software package doesn't cost anything – of course hardware does.
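To make the reverse-proxy suggestion concrete, here is an added example (not code from this thread or from the Nextcloud project) of an nginx configuration on the Raspberry Pi that terminates TLS and proxies to the Nextcloud jail on FreeNAS. The hostname `cloud.example.net`, the jail address `192.168.1.20:80`, and the certbot certificate paths are assumptions; substitute your own. It also assumes the router forwards TCP 80 and 443 to the Pi. WireGuard listens on its own UDP port, so sharing the Pi and its public name with the VPN does not create a port conflict.

```nginx
# Added example: nginx on the Pi in front of Nextcloud (hypothetical names/addresses).
# Port 80 exists only for the ACME http-01 challenge and to redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.net;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.net;

    # Certificate paths as certbot writes them (assumed); adjust to your issuer.
    ssl_certificate     /etc/letsencrypt/live/cloud.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:NC:10m;
    ssl_session_tickets off;

    # Nextcloud's own admin check asks for HSTS; 'always' also sets it on error pages.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # Sync uploads are large; nginx's default 1m body limit breaks the desktop client.
    client_max_body_size 10G;
    client_body_timeout 300s;
    proxy_read_timeout 300s;

    location / {
        # Nextcloud jail inside the LAN (assumed address); plain HTTP on the trusted segment.
        proxy_pass http://192.168.1.20:80;

        # Pass the original host, client IP and scheme through. Nextcloud only trusts
        # these headers if the Pi's IP is listed in 'trusted_proxies' and
        # 'overwriteprotocol' => 'https' is set in config.php; otherwise it generates
        # http:// links and brute-force protection sees the proxy's IP, not the client's.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Stream large uploads to the backend instead of spooling them on the Pi's SD card.
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

The security-relevant points are the ones that are easy to miss: the proxy is the only thing exposed, the jail stays on the LAN, and Nextcloud must be told about the proxy (`trusted_proxies`, `overwriteprotocol`) so that its own rate limiting and link generation keep working behind it. Run `nginx -t` after editing and reload; the config is not a substitute for keeping both nginx and Nextcloud patched.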

Ok, I'm going to back up my SD card and see if I can get it working. I think my router has the option to define a LAN port as a guest network; I'm going to see if I can separate the Nextcloud server with that.

I would second Tom's opinion. A reverse proxy is the way to go, plus it's easy to configure with nginx or HAProxy.

If it must be on an open port, the only way I would do this is to add HTTP auth on the web page so things can't scan it, and use iptables to lock down the port to only whitelisted IPs. Alternatively you could do port forwarding over SSH.

My DO droplet gets scanned once every 5 seconds and has had dictionary attacks on my SSH port since I created it. Even though I have SSH key auth and Fail2ban, I get attacked on the regular. (I added 2FA and auto patching as additional precautions and only serve port 443 through the firewall.) It's no joke anymore to have things on the public internet; there is a lot of malicious traffic out there.
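The two controls suggested in the post above (a source-IP whitelist and HTTP auth in front of the page) can both live in the same nginx server block that proxies to Nextcloud. The following is an added example, not code from this thread; it expresses the whitelist with nginx's `allow`/`deny` rather than iptables so that the two gates are evaluated together, and the address ranges, hostname and backend are assumed placeholders.

```nginx
# Added example: access restriction on the Nextcloud reverse proxy (hypothetical values).
# 203.0.113.0/24 = a friend's home range, 198.51.100.7 = your own public IP,
# 10.8.0.0/24 = WireGuard peers so the VPN path keeps working.
server {
    listen 443 ssl http2;
    server_name cloud.example.net;
    ssl_certificate     /etc/letsencrypt/live/cloud.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.net/privkey.pem;

    # Source-IP allowlist: anything else is refused with 403 before Nextcloud sees it.
    allow 203.0.113.0/24;
    allow 198.51.100.7;
    allow 10.8.0.0/24;
    deny  all;

    # HTTP basic auth in front of the web UI so scanners never reach a Nextcloud login page.
    # 'satisfy any': an allowed IP OR valid basic-auth credentials is sufficient.
    # Use 'satisfy all' to demand both (then friends need to be on the list AND hold a password).
    satisfy any;
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;   # create with: htpasswd -c /etc/nginx/htpasswd alice

    location / {
        proxy_pass http://192.168.1.20:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The desktop/mobile sync clients and WebDAV endpoints authenticate with their own
    # HTTP Basic credentials (app passwords); a proxy-level auth_basic would intercept
    # that Authorization header. Leave those paths protected by the IP allowlist only.
    location ~ ^/(remote\.php|public\.php|ocs/|status\.php) {
        auth_basic off;
        proxy_pass http://192.168.1.20:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With `satisfy any`, a request from an address not on the list still fails on the sync-client paths because `auth_basic off` leaves no second way to satisfy the check, which is the intended behaviour. The ACME challenge served on port 80 is unaffected by these rules, so certificate renewal keeps working. Doing the same thing at the packet filter, as the post suggests, is one iptables `ACCEPT` rule per allowed source on 443/tcp followed by a `DROP`; the nginx form has the advantage that it can be combined with the password gate per path.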