Slowly dipping my toe(s) into self hosted services and home networking, and getting a little confused as to the best solution for my needs.
My primary requirement is being able to access my Obsidian vault over the web via Obsidian Remote with some sort of authentication layer to keep my network safe from external attacks.
My initial solution was to use Authelia and nginx, but various Ibracorp tutorials kept linking back to dependencies on setting up other tools, and I quickly became intimidated, overwhelmed, and confused. I also looked into Cloudflare Tunnels, WireGuard (I pay for PIA), and other solutions of this nature. I vaguely realize that a number of these tools offer different services, but also fully admit I am in over my head and want to proceed confidently vs. blundering my way through.
I also run a bare-metal pfSense firewall at the top of my network, and was looking at solutions delivered from that level of control as well. I've been reading, researching and learning, but suffering from a series of false starts as I either run into solid obstacles or get recommended alternatives to those I am trying to configure when I reach out via various forums looking for assistance.
Edit: Thanks for the amazing support, recommendations, and conversations! I've initially set up Tailscale given my current configuration and preferences to install something on pfSense, but I realized I neglected to also mention that one of my primary requirements is to access at least my Obsidian vault through the web on my work laptop (for which I do not have admin rights, so no way to install anything on it).
I’m sure I’ll get a number of recommendations here as well, but hoping that I can be pointed towards some guides with some good backlinks to “easy” to understand clarifying documentation supporting the configurations
The safest way always starts with the following sentence: I do not want to have to trust anyone else but me!
In accordance with that sentence, you should definitely rule out everything that is closed-source and everything that involves a company. If you have a public IPv4 address I would recommend using WireGuard. It is safe and fast if done right. Additionally, use hard geoblocking rules for your pfSense firewall. Block everything that is from another region, especially Asia, Russia, Africa, South America. Additionally you can block IP ranges that do not belong to your ISP. You will find that info on the web. If you need access for someone or want to host a website/mail server you can unblock IP regions for that port only. That is a safe way. Also, please don't use the standard WireGuard port.
If you aren't streaming a ton of media, use Cloudflare Tunnels. They are amazing, simple to set up, no opening ports, no port forwarding, multi-factor authentication... way easier than VPN.
I see everyone recommending Tailscale, and it's making me worried I'm missing out on something.
How does it compare to Unraid Connect's remote access feature? It's set up to remote in with dynamic UPnP, and close the lease to the port once I'm done. It's the official implementation by Unraid themselves, so it's probably at least as secure as Tailscale, no?
Moreover access to Unraid Connect is password protected and I set it up so it requires 2FA.
Part of being safe is not telling people what you use, so they can't create a profile on you and an attack vector.
Most people use a VPN/WireGuard to access their network.
Nothing is secure. You wouldn't believe how many times I've seen people leaving private keys in text files. Unfortunately we live in an era where we need to treat all of our data with the utmost security.
An outbound reverse VPN that pulls you back in would be the best approach in terms of keeping a low profile and ease of use, perhaps a product such as Tailscale or Teleport, but the most robust and well-tested method would be a simple WireGuard peer-to-peer tunnel on your firewall side, assuming quality firmware.
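What the WireGuard advice in this thread looks like on disk, as an added example that is not part of any post here: the earlier reply (WireGuard on a public IPv4, non-standard listen port, tight pfSense rules) and the last reply (a plain peer-to-peer tunnel terminated on the firewall). It is written as two wg-quick style files, one for the firewall and one for the laptop; pfSense's WireGuard package builds the equivalent from its GUI. The tunnel subnet 10.8.0.0/24, port 51999, the DDNS name home.example.net and the Obsidian host 192.168.1.20 are assumptions, and the keys are placeholders. The one deliberate choice beyond the posts is the client's AllowedIPs: it routes only the Obsidian host through the tunnel, not the whole LAN, so a lost laptop exposes one machine rather than the network.

```ini
# ---------- /etc/wireguard/wg0.conf on the firewall (pfSense side) ----------
# Assumed values: 10.8.0.0/24 tunnel subnet, port 51999. Keys are placeholders.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51999            # not the default 51820, as the reply recommends
PrivateKey = <firewall-private-key>

[Peer]
# the laptop; one [Peer] block per device, each with its own key pair
PublicKey  = <laptop-public-key>
AllowedIPs = 10.8.0.2/32      # cryptokey routing: only accept this peer's own tunnel address

# ---------- /etc/wireguard/wg0.conf on the laptop ----------
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <laptop-private-key>
DNS        = 192.168.1.1      # assumed: the pfSense box resolves LAN names

[Peer]
PublicKey           = <firewall-public-key>
Endpoint            = home.example.net:51999   # assumed DDNS name for the public IPv4
AllowedIPs          = 192.168.1.20/32          # assumed Obsidian host only, not 192.168.1.0/24
PersistentKeepalive = 25                       # keeps the mapping open behind NAT
```

On pfSense the WAN rule that allows UDP/51999 is where the source restriction from the earlier reply belongs (a GeoIP or ISP-range alias as the rule's source), and a rule on the WireGuard interface can further limit 10.8.0.0/24 to the Obsidian host's port; everything else from the tunnel is dropped by the default deny. Keep the private keys out of shared notes and shell history, which is exactly the "private keys in text files" failure the reply above warns about.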