VPN vs HTTPS reverse proxy: which is most secure?

Hey all,
My aim is to manage a remote site (parent’s home, pfSense) from my home (pfSense) and make backups from home to parent’s home. There is a Synology at the remote site:

First option that came to mind was a s2sVPN, which allows me to log on to the remote pfSense firewall, make backups to the Synology and access clients.

A friend of mine had the same challenge and he set up a reversed proxy on the Synology at the remote site. His reasoning is that HTTPS traffic is encrypted so the connection is secure.

My question here: does this hold true? Is the reversed proxy secure enough? Or would it be more secure to use a VPN?


Not sure I can answer if the reversed proxy is secure enough (you need to define secure and enough) but OpenVPN provides a lot of control over users, certs, ca, passwords, cryptography and ciphers. OpenVPN is widely used and has a very good implementation on pfSense.

I fear you have to do a lot of reading to truly satisfy yourself as to which is more secure.

I will bet you end up using OpenVPN :wink:

1 Like

haha you made me laugh! There is secure and secure.
The plus side of his approach is he doesn’t need to keep a tunnel up all the time and it’s as easy as typing one of his aliases for nas, drive, web etc. and he is in using Synology’s new 2FA on his watch.
Also, as the Synology uses 2FA at every login, it should be pretty hard to hack into it.
This guy is using a lot of remote connections and he is way more advanced in IT than myself.

I think the automated 2FA on the watch is pretty neat…

I think both are plenty secure for what you’re trying to do, the real consideration is do you want to have an active connection, or one that only connects when you tell it to.

For me I employ both. I have a monitoring server at home, and a small lab rack at work. I have a GRE tunnel between the two and use Q in Q with IPSEC running inside to encrypt the traffic on the tunnel. I do it this way so that the Zabbix server that lives at home can monitor the resources I have at work and alert me if there are issues. This just works better if Zabbix doesn’t have to dial into a VPN to do its job.

However, I also have a VPN that lets me into my network when I am not either at home or in the office. This is the traditional on demand StrongSwan type of VPN.

So it boils down to this, do you really need that connection to always be on, or would it be ok to have something dial in? If I were you, I’d go with the latter. Reason being, if your parent’s computers get infected with some sort of malware and it finds an active connection back to your network…well need I say more? Thus why I only use “active open connections” (my own term) for things I control and can secure and everything else needs to log in or provide a cert every single time it wants access.

1 Like

Thank you for sharing your setup type and for your recommendations!
May I ask which firewall/router brands you use in your locations?

the real consideration is do you want to have an active connection, or one that only connects when you tell it to.

^ This ^ is what I have been asking myself also! I think I might want a mix of those for different purposes.

First: The “parents” network is under my complete control. I designed it, I implemented it, I manage it. It consists of a pfSense firewall/router, a Cloud Key gen2+, Switch, some APs and 4 cameras, all UniFi.
Second: There is only one (elderly) person living there that only has an iPad. Basically all she uses is Mail and FaceTime. She doesn’t know how to browse the internet and she will not tap bad links. Her iPad is very old though (iPad 4) w/ outdated iOS version, not the best idea from a security standpoint, so I may consider asking Santa for a current model under the xmas tree.

All that said, your consideration not to have a permanent tunnel appears very valid to me and I have wondered about that too.

So then here are my connection purposes:

  1. Manage the parents network:
  • access to pfSense GUI for firewall management
  • access to cloud key for UniFi Network management and Protect cameras
  2. Make data backups from home to parents site
  • access Synology at parents home
  • backup daily during night time (off site backup)

Based on your recommendations I would think that:

  • For (1) I would use either VPN or reverse proxy; since the hardware for the reversed proxy (Synology) is already there, either one is at my disposal at no extra cost
  • For (2) I would prefer not to have the tunnel open 24/7, but only while running the backup. I am still contemplating how I would like to set up that backup. The best approach might be to automate connecting and disconnecting and let the Synologies at both endpoints do their stuff in between. May have to look into how that is done.

Would appreciate any thoughts.

What you described is exactly what I’d do. Since you’ll only need the tunnel when you’re doing admin things and backups, just write a script to start the VPN, run the backup, and then stop the VPN. The only reason to have a tunnel up constantly is if you’re expecting it to always be in use. Once the backup is done, the VPN isn’t really needed so I wouldn’t want it open.

1 Like
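The "start the VPN, run the backup, stop the VPN" script suggested above, written out as an added example (it is not code from any poster in this thread). It assumes a hypothetical WireGuard interface `backup0` managed by `wg-quick` on the home side, a Synology reachable as `10.20.0.5` through the tunnel, and rsync over SSH as the backup transport; every command is a variable so an OpenVPN client or a different backup tool can be substituted. The point the example adds to the discussion is the failure handling: the tunnel is torn down whether the backup succeeds, fails, or never reaches the far side, so a broken backup job cannot leave the link up overnight.

```shell
#!/bin/sh
# Added example, not from the thread. Brings a tunnel up only for the duration
# of one backup run and always tears it down afterwards.
# Hypothetical assumptions: WireGuard interface "backup0" via wg-quick,
# Synology at 10.20.0.5 reachable only through the tunnel, rsync over SSH.
: "${VPN_UP:=wg-quick up backup0}"
: "${VPN_DOWN:=wg-quick down backup0}"
: "${REMOTE_HOST:=10.20.0.5}"
: "${PING:=ping -c1 -W2}"
: "${BACKUP:=rsync -a --delete /srv/data/ backup@${REMOTE_HOST}:/volume1/offsite/}"
: "${LOG:=/var/log/offsite-backup.log}"
: "${RETRY_DELAY:=3}"

# Append a UTC-timestamped line to the log so failed nights are visible later.
log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG"; }

# Poll until the far side answers through the tunnel, at most $1 attempts.
# Returns 0 when reachable, 1 when it never answered.
wait_for_peer() {
    tries=${1:-10}
    while [ "$tries" -gt 0 ]; do
        if $PING "$REMOTE_HOST" >/dev/null 2>&1; then return 0; fi
        tries=$((tries - 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# One complete session: tunnel up, wait for peer, back up, tunnel down.
# Exit codes: 0 success, 2 tunnel could not be started, 3 peer unreachable,
# otherwise the backup command's own exit status. The tunnel is taken down
# on every path except the one where it never came up.
backup_session() {
    log "tunnel up"
    $VPN_UP || { log "vpn up failed"; return 2; }
    rc=0
    if wait_for_peer 10; then
        $BACKUP || rc=$?
    else
        log "peer unreachable"
        rc=3
    fi
    $VPN_DOWN || log "warning: vpn down failed"
    log "tunnel down rc=$rc"
    return "$rc"
}

# Entry point when run as a script (e.g. from a nightly cron job): also tear
# the tunnel down if the job is interrupted by a signal mid-transfer.
if [ "${1:-}" = "run" ]; then
    trap '$VPN_DOWN >/dev/null 2>&1; exit 130' INT TERM
    backup_session
fi
```

Run it as `./offsite-backup.sh run` from cron; a non-zero exit code combined with the log line `tunnel down rc=N` tells you whether the tunnel, the route to the Synology, or the transfer itself failed. The variables are left overridable so the same script can drive `openvpn --daemon`/`pkill openvpn` or a Synology-native sync tool instead of WireGuard and rsync.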

The amount of traffic a site to site requires in the idle state is in the bytes range, not something I worry about. But having an open server with no connections invites people to try and connect.

I have my site to site set so that only one connection is allowed, in theory as long as my remote is connected, no other people can try and connect.

Unless your internet is metered, I wouldn’t worry about the persistent connection.

1 Like

I did this. Backing up family computer to my Synology.

I installed ZeroTier client on their computer and on my Synology (by following the instructions on the ZeroTier web site) and it works beautifully. They have a Mac and I have them using Time Machine to back up. Time Machine sees the Synology as a local network drive, thanks to ZeroTier and mDNS by default.

I also am able to remote into their computer to help them as I have added my personal computer to their ZeroTier network as well.

1 Like