Geekzone: technology news, blogs, forums

timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

#272391 23-Jun-2020 12:53

I've set up NextCloud on a R.Pi on my home network. Using Fritzbox Port Sharing I could expose this machine / service to the internet. Of course that means if someone compromises NextCloud / Raspbian they're on my home network, and while things are somewhat protected at home it's a trusted network and I haven't really secured it.

My gut says "don't do it" and to have it on the LAN only, and use a VPN from devices to home for syncing. I already have the VPN set up, so not a huge deal for me, and TBH these days we don't leave the house all that much anyway.

I want this for sharing small files between phones and computers that are updated occasionally. I use Dropbox but their 3 device limit is annoying, Resilio Sync is fine but having a server is convenient.

Thoughts?


davidcole
6041 posts

Uber Geek

Trusted

  #2510489 23-Jun-2020 13:43

I have mine done. It's got better security than some apps. I was wondering about putting it behind Cloudflare Access, or I could force it to be local only and use a VPN.... I'm undecided.

I pulled all my crap out of Dropbox and Google Drive to put it local.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 




davidcole
6041 posts

Uber Geek

Trusted

  #2510491 23-Jun-2020 13:45

Also, you can actually run two "accounts" of the server. One being its external address, and another the internal. That's kind of useful for devices that will never leave the house.

I do this with reverse proxying (in Caddy). I have cloud.domain.com for external access, and I also use cloud.internal.domain.com for internal.







timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #2510550 23-Jun-2020 14:34

I would run CloudFlare in front of it as that's how I do my DNS, but I'd need to use iptables to whitelist local addresses and CloudFlare IPs. Probably easy enough. That would mitigate many issues, but means it's more difficult to use on mobile, from work, etc. Probably defeats the purpose of it.

I think I'll start with VPN / LAN access and see if I like it. Right now I want to do something I thought would be fairly basic - share a folder with a number of devices / people, myself and my wife. I created a user for each of my devices, but maybe I just need to use one user per person, but that probably doesn't solve the problem entirely. Group Folders won't sync in Windows, and I can't work out how to do folder shares otherwise. Maybe I'll end up trashing it and using BitTorrent / Resilio Sync instead.




michaelmurfy
meow
13271 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2510568 23-Jun-2020 14:56

I've got a script for the Cloudflare stuff:

#!/bin/sh
# Refresh the ufw allow rules for Cloudflare's published IPv4/IPv6 ranges on the https port.

DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR" || exit 1

# Download to temp files first so a failed download never replaces the last good list.
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp || exit 1
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp || exit 1
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6

# One allow rule per range; ufw skips rules that already exist.
while read -r cfip; do
    [ -n "$cfip" ] || continue
    ufw allow from "$cfip" to any port https comment "Cloudflare IPv4"
done < ips-v4
while read -r cfip; do
    [ -n "$cfip" ] || continue
    ufw allow from "$cfip" to any port https comment "Cloudflare IPv6"
done < ips-v6

ufw reload > /dev/null

Run it via cron nightly:

0 0 * * 1 bash /root/cloudflare-ufw/cloudflare-ufw.sh > /dev/null 2>&1

But that is what I have personally done with Nextcloud along with using Authenticated Origin Pulls and a Cloudflare Origin certificate.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
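An added example, not code from the post above or from any of the posters: the posted script only ever adds rules, so a range Cloudflare stops publishing stays allowed on the firewall. This Python reconciliation validates each downloaded line as a real CIDR before it is used, computes which ufw rules to add and which stale ones to delete, and checks whether a connecting address is inside the published ranges. The ips-v4 body and the ufw status text are constructed stand-ins (assumed formats, not live data), and the ufw commands are returned as strings rather than executed.

```python
import ipaddress
import re

# Constructed stand-in for the body of https://www.cloudflare.com/ips-v4
# (assumption: three ranges, not the live list).
PUBLISHED_V4 = """103.21.244.0/22
103.22.200.0/22
173.245.48.0/20
"""

# Constructed stand-in for `ufw status` output: one managed rule is stale
# (198.51.100.0/24 is no longer published), one published range is missing,
# and an unrelated LAN rule must be left alone.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       103.21.244.0/22            # Cloudflare IPv4
443                        ALLOW       198.51.100.0/24            # Cloudflare IPv4
22/tcp                     ALLOW       192.168.1.0/24             # LAN ssh
"""

# Only rules carrying the script's own comment count as managed by us.
RULE_RE = re.compile(r"^.*?\bALLOW\s+(\S+)\s+# Cloudflare IPv[46]\s*$", re.M)


def parse_published(text):
    """Parse an ips-v4/ips-v6 body; any line that is not a valid CIDR raises ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # strict=True also rejects host bits set, so an error page or junk never becomes a rule
    return {ipaddress.ip_network(ln, strict=True) for ln in lines}


def parse_ufw_status(text):
    """Networks currently allowed under the 'Cloudflare IPv4/IPv6' comment."""
    return {ipaddress.ip_network(m.group(1)) for m in RULE_RE.finditer(text)}


def plan(published, current):
    """ufw commands that make the managed rules match the published list."""
    cmds = []
    for net in sorted(published - current, key=str):  # newly published ranges
        fam = "IPv6" if net.version == 6 else "IPv4"
        cmds.append(f"ufw allow from {net} to any port https comment 'Cloudflare {fam}'")
    for net in sorted(current - published, key=str):  # ranges Cloudflare dropped
        fam = "IPv6" if net.version == 6 else "IPv4"
        cmds.append(f"ufw delete allow from {net} to any port https comment 'Cloudflare {fam}'")
    return cmds


def is_cloudflare(addr, published):
    """True when a connecting address falls inside one of the published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in published)
```

IPv6 rules only take effect when ufw has IPV6=yes in /etc/default/ufw, and a non-empty delete list is the signal the nightly-add-only approach would miss.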


davidcole
6041 posts

Uber Geek

Trusted

  #2510679 23-Jun-2020 17:32

What does it do Michael?

Also with Cloudflare you can restrict access through as well.

I want to work out fail2ban on Nextcloud. I had it on my ssh, but then I put in a few rules to restrict to just work and all my fail2bans dried up as it wasn't open.






davidcole
6041 posts

Uber Geek

Trusted

  #2510680 23-Jun-2020 17:34

timmmay:

I would run CloudFlare in front of it as that's how I do my DNS, but I'd need to use iptables to whitelist local addresses and CloudFlare IPs. Probably easy enough. That would mitigate many issues, but means it's more difficult to use on mobile, from work, etc. Probably defeats the purpose of it.

I think I'll start with VPN / LAN access and see if I like it. Right now I want to do something I thought would be fairly basic - share a folder with a number of devices / people, myself and my wife. I created a user for each of my devices, but maybe I just need to use one user per person, but that probably doesn't solve the problem entirely. Group Folders won't sync in Windows, and I can't work out how to do folder shares otherwise. Maybe I'll end up trashing it and using BitTorrent / Resilio Sync instead.

But if your local addresses don't go out through the internet (ie the 2 reverse proxies I have) then it's only the external IPs that are whitelisted. Much smaller list is good.






timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #2510875 23-Jun-2020 20:06

I use CloudFlare's free plan with my AWS server. It's basically DNS and a cache, but your host is still on the internet, so random port scans will find it. The only way to tighten that up is with firewalls - I use security groups on AWS, but on a standard Linux host you use iptables.

CloudFlare do have a paid option that basically means your server isn't on the internet directly, it's a private connection to them and then from there onto the internet. But I don't need that.

Michael's script takes the CloudFlare IP list and adds it to the Linux firewall each night. I don't bother with that on AWS, I did it once and the IPs haven't changed as far as I can tell - CloudFlare free doesn't give you much in the way of error logging so you can't see if some of their IP ranges can't connect.

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.
michaelmurfy
meow
13271 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2510923 23-Jun-2020 20:27

I’ve had IP addresses change with Cloudflare, and stuff break. I’d rather mitigate the risk with just running the script nightly.

Script uses UFW which is essentially an iptables wrapper. It is easier to maintain.

If you have authenticated origin pulls enabled it forces traffic to go via Cloudflare. Just an extra security layer.






timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #2510986 23-Jun-2020 20:45

Yeah, useful to have. I should really do the same with AWS and security groups. I found a lambda to do it, so I might go install it now.

Update - lambda didn't work well. I did a manual check and the CloudFlare IPs don't appear to have changed in years. They have massive amounts of IP space, a /12, /13, /15. That'd be expensive to buy, actually just about impossible to buy now.


Tracer
343 posts

Ultimate Geek


  #2512546 25-Jun-2020 23:59

I've set up a VPN and now I'm always at home even on the move. It's handy for many things other than just NextCloud and I'm rather happy with WireGuard from a security standpoint.


timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #2512555 26-Jun-2020 06:54

I dumped NextCloud as it isn't really what I needed. Main use case is I need my KeePass passwords on multiple devices and Dropbox limits device numbers. Solution I'm currently trialing is BackBlaze B2 with GoodSync on PC and FolderSync on Android (both have free versions that are good enough for me), and so far it's working well. I was going to use AWS but B2 is cheaper and the free tier is likely to do what I need.


davidcole
6041 posts

Uber Geek

Trusted

  #2512559 26-Jun-2020 07:17

timmmay:

I dumped NextCloud as it isn't really what I needed. Main use case is I need my KeePass passwords on multiple devices and Dropbox limits device numbers. Solution I'm currently trialing is BackBlaze B2 with GoodSync on PC and FolderSync on Android (both have free versions that are good enough for me), and so far it's working well. I was going to use AWS but B2 is cheaper and the free tier is likely to do what I need.

I use Nextcloud for that, with KeePassium. But I'm not using the Nextcloud file browser (in iOS Files), I just open the file with a WebDAV URL instead and it works perfectly.

Once I had that working, I then started moving things I had spread across Dropbox and Google Drive. Really happy with it. I have a script that runs that calls a file scan if something is introduced outside of Nextcloud.

 

 







timmmay

20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #2512561 26-Jun-2020 07:41

I just found the NextCloud clients to be missing key features. Happy to use B2 as a file server, I trust BackBlaze and it saves running and maintaining the Pi. Plus I only put encrypted or non-critical data up there anyway.

