How to set up secure access to internal resources behind a router?
Context
In my home network, there’s a Proxmox/Debian server (file storage, family photo archive on Immich, and e-library). My ISP provided a globally routable IP address, and I have my own domain. I also have a remote server abroad with OpenVPN installed for experimentation.
Goal
To achieve secure and convenient access to home server services from my phones.
Considered options
1. Direct port forwarding
- Bind my domain to my IP and forward ports on the router
- Disadvantage: Risk of router and home network hacking
2. VPN connection
- Install VPN client on phones and home server
- Work with the server as if inside the local network
- Disadvantages: Constant traffic consumption on the remote server, inconvenience of constantly turning on/off
3. Proxy on remote server
- Set up a proxy on the “remote” server to redirect requests to the home server
- Control access of connected devices to the remote server
- Restrict external requests to only the remote server’s IP
- Disadvantage: Additional proxy setup on devices
Main question
What other methods and technologies can be used to achieve secure and simple access to the home server?
WireGuard: A Modern Solution for Secure Remote Access to Home Servers
WireGuard authenticates peers with static public keys rather than passwords, runs as a small kernel module with a fixed set of modern primitives, and is simple to set up on mobile devices, which makes it a good fit for reaching a home server from a phone.
Table of Contents
- WireGuard as a Modern VPN Alternative
- SSH Tunneling and Reverse Tunnels
- Reverse Proxies with Authentication
- Cloud Tunneling Services
- ZTNA Solutions for Secure Access
- Comparison of Different Approaches
- Recommendations for Choosing a Solution
WireGuard as a Modern VPN Alternative
WireGuard is a modern, fast and secure VPN protocol that is well suited to reaching a home server from mobile devices. Unlike traditional VPN solutions it has no cipher negotiation: it uses one fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305, BLAKE2s) and an implementation of a few thousand lines that lives in the Linux kernel.
Advantages of WireGuard for home use:
- High throughput and low latency thanks to the small in-kernel implementation
- Easy setup: key generation takes a couple of commands and a peer is a handful of config lines
- Official clients for Android, iOS, Windows, macOS and Linux
- Low battery consumption on mobile devices: the protocol is silent when there is no traffic
- Built-in roaming: peers are identified by key, not by address, so a phone switching from Wi-Fi to cellular keeps its session
Step-by-step WireGuard setup:
- Installation on the home server:
apt update && apt upgrade
apt install wireguard
- Key generation (set umask first so the private key file is not world-readable):
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
- Interface configuration:
Create the configuration file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server_private_key>
ListenPort = 51820
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
Then bring the interface up with wg-quick (the wg-quick@wg0 systemd unit) and forward UDP port 51820 from the router to the server; that is the only port exposed to the internet.
- Routing configuration (so the phone can reach the rest of the LAN, not only the server itself):
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Here eth0 is the server's LAN interface (check the name with ip link). As written, these two rules give a connected peer unrestricted access to everything the server can reach; narrow them to the LAN subnet if the phone should only see home services.
- Client device configuration:
For Android and iOS, install the official WireGuard app and import the configuration via QR code or manually. The client's AllowedIPs setting decides what goes through the tunnel: the tunnel subnet plus the home LAN for a split tunnel, or 0.0.0.0/0 to route all of the phone's traffic through home.
WireGuard offers a much simpler and more efficient solution compared to traditional OpenVPN, especially for mobile devices [source: vc.ru].
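The setup above, carried through as a complete server/client pair with the forwarding rules narrowed to the home LAN. This is an added example, not code from the original page: the render functions take keys as arguments so the output is reproducible, and main() generates real keys with wireguard-tools when they are installed. The home LAN 192.168.1.0/24, the endpoint vpn.example.com:51820 and the file names are assumptions; 10.0.0.0/24, eth0 and port 51820 are the page's own values.

```bash
#!/bin/sh
# Added example (not code from the original page): render a split-tunnel
# WireGuard server/client pair whose firewall rules only let the phone reach
# the home LAN. Keys are passed in so the render functions are deterministic;
# main() generates real keys with wireguard-tools when it is installed.
# Assumed values: home LAN 192.168.1.0/24, tunnel 10.0.0.0/24, the server's
# LAN interface eth0, public endpoint vpn.example.com:51820.

LAN_NET="192.168.1.0/24"
WG_NET="10.0.0.0/24"
WAN_IF="eth0"
ENDPOINT="vpn.example.com:51820"

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY PRESHARED_KEY
# Forwarding is accepted only from wg0 into the LAN (plus replies), and NAT is
# applied only to that traffic, so the tunnel cannot be used to reach the
# internet or any other interface of the server.
render_server_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $1
PostUp = iptables -A FORWARD -i wg0 -o $WAN_IF -d $LAN_NET -j ACCEPT
PostUp = iptables -A FORWARD -i $WAN_IF -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -d $LAN_NET -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o $WAN_IF -d $LAN_NET -j ACCEPT
PostDown = iptables -D FORWARD -i $WAN_IF -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $WG_NET -o $WAN_IF -d $LAN_NET -j MASQUERADE

[Peer]
# phone
PublicKey = $2
PresharedKey = $3
AllowedIPs = 10.0.0.2/32
EOF
}

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY PRESHARED_KEY
render_client_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.2/32
PrivateKey = $1

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $ENDPOINT
# Split tunnel: only the tunnel subnet and the home LAN go through WireGuard.
# Use 0.0.0.0/0 here instead to send all of the phone's traffic through home.
AllowedIPs = $WG_NET, $LAN_NET
# Keeps the carrier NAT mapping open so the server can reach the phone.
PersistentKeepalive = 25
EOF
}

main() {
  if ! command -v wg >/dev/null 2>&1; then
    echo "wg not found: apt install wireguard-tools" >&2
    return 1
  fi
  umask 077   # key material must not be world-readable
  server_priv=$(wg genkey); server_pub=$(printf '%s' "$server_priv" | wg pubkey)
  client_priv=$(wg genkey); client_pub=$(printf '%s' "$client_priv" | wg pubkey)
  psk=$(wg genpsk)
  render_server_conf "$server_priv" "$client_pub" "$psk" > wg0.conf
  render_client_conf "$client_priv" "$server_pub" "$psk" > phone.conf
  echo "wrote wg0.conf (copy to /etc/wireguard/) and phone.conf (import on the phone)"
}

# Only write files when asked; otherwise the script just defines the functions.
if [ "${1:-}" = "generate" ]; then
  main
fi
```

Run it as `sh wg-pair.sh generate`, copy wg0.conf to /etc/wireguard/, and show phone.conf as a QR code with `qrencode -t ansiutf8 < phone.conf` for the mobile app. The PresharedKey is optional in WireGuard but costs nothing and adds a symmetric layer on top of the key exchange; the conntrack rule is what lets LAN replies back into the tunnel while still refusing connections initiated from the LAN towards the phone.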
SSH Tunneling and Reverse Tunnels
SSH tunneling provides a flexible way to reach internal resources securely without deploying a full VPN. It is particularly useful when, as here, you already have a remote server with a public address.
Persistent SSH tunnel (home server reachable directly):
On the remote server, run an SSH client that keeps a connection to the home server open and forwards one of its own ports to it:
ssh -N -L 8080:localhost:80 -o ServerAliveInterval=60 -o ServerAliveCountMax=3 user@home_server_ip
This publishes port 80 of the home server as port 8080 on the remote server (-L forwards a port on the machine running ssh towards the SSH server; -R does the reverse). The ServerAlive options detect a dead link within three minutes; to restart it automatically, run the command from a systemd service or through autossh.
Reverse SSH tunnel (no public IP, or no ports opened on the router):
From the home server, open an outbound connection to the remote server and publish the home server's SSH port on the remote server's loopback interface:
ssh -N -R 8888:localhost:22 user@remote_server_ip
On the remote server you then reach the home server through that listener and can forward further ports over it, here the home web service to port 8080 on the remote server:
ssh -p 8888 -L 8080:localhost:80 user@localhost
With sshd's default GatewayPorts no, the 8888 listener binds to 127.0.0.1 only, so it is reachable from the remote server itself but not from the internet.
Advantages of SSH Tunnels:
- Nothing to install beyond sshd on the servers (phones still need an SSH client app)
- Uses proven SSH cryptography
- Tunnels individual ports rather than the whole network
- Easy integration with existing infrastructure
For convenient use from mobile devices, you can create simple web interfaces or use apps like Termius [source: Reddit].
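The reverse tunnel above, hardened the way a practitioner would deploy it. This is an added example and not code from the original page: the SSH key used for the tunnel is confined on the remote server to exactly one loopback listener, and a systemd unit on the home server restarts the tunnel when it breaks. The dedicated "tunnel" user, the host vps.example.com and the key path are assumptions; port 8888 and the home sshd port 22 are the page's values.

```bash
#!/bin/sh
# Added example (not code from the original page): confine the reverse tunnel's
# SSH key on the remote server to exactly one listener, and keep the tunnel up
# with a systemd unit on the home server. Assumed names: a dedicated "tunnel"
# user on both machines, remote host vps.example.com, listener 8888 -> home
# sshd on port 22, key at /home/tunnel/.ssh/id_ed25519.

REMOTE_HOST="vps.example.com"
REMOTE_USER="tunnel"
REMOTE_PORT="8888"
LOCAL_TARGET="localhost:22"

# authorized_keys line for the remote server. "restrict" disables everything
# (pty, X11, agent and port forwarding); "port-forwarding" turns forwarding
# back on, and permitlisten limits it to one loopback listener. Without this,
# the tunnel key is a full shell account on the remote server.
tunnel_authorized_key() {   # $1 = public key line generated on the home server
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$REMOTE_PORT" "$1"
}

# Return 0 only if an authorized_keys line carries restrict plus the expected
# permitlisten; run it over the file before deploying it.
check_authorized_key() {   # $1 = authorized_keys line
  case "$1" in
    restrict,*permitlisten=\"127.0.0.1:$REMOTE_PORT\"*) return 0 ;;
    *) return 1 ;;
  esac
}

# systemd unit for the home server. ExitOnForwardFailure makes ssh exit if the
# remote port is still held by a stale session instead of sitting there with
# no tunnel; Restart=always and the ServerAlive options turn that into
# automatic recovery. The listener is bound explicitly to 127.0.0.1.
tunnel_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $REMOTE_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
ExecStart=/usr/bin/ssh -N \\
  -o ExitOnForwardFailure=yes \\
  -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \\
  -o StrictHostKeyChecking=yes \\
  -i /home/tunnel/.ssh/id_ed25519 \\
  -R 127.0.0.1:$REMOTE_PORT:$LOCAL_TARGET $REMOTE_USER@$REMOTE_HOST
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

if [ "${1:-}" = "install" ]; then
  tunnel_unit > /etc/systemd/system/reverse-tunnel.service
  systemctl daemon-reload
  systemctl enable --now reverse-tunnel.service
fi
```

On the remote server, append the output of `tunnel_authorized_key "$(cat id_ed25519.pub)"` to /home/tunnel/.ssh/authorized_keys. StrictHostKeyChecking=yes means the remote host key must already be in the tunnel user's known_hosts on the home server (connect once interactively, or add it with ssh-keyscan and compare the fingerprint out of band); otherwise the unit fails on first start, which is the intended behaviour rather than silently trusting whatever answers.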
Reverse Proxies with Authentication
Reverse proxies are a powerful way to give controlled access to internal services: one daemon terminates TLS and authentication for every application, and a single port (443) is exposed instead of one per service. Behind a tunnel (see the following sections) no router port needs to be opened at all; exposed directly, 443 is the only port forwarded.
Setting up Nginx as a Reverse Proxy:
- Installation and basic configuration:
apt install nginx
systemctl enable --now nginx
- Creating a service configuration (one server block per service, e.g. under /etc/nginx/sites-available/; port 8080 stands for the backend, Immich listens on 2283 by default):
server {
listen 443 ssl http2;
server_name yourdomain.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
- Adding authentication (HTTP basic auth; acceptable only because the connection is already TLS-protected, and pair it with rate limiting or fail2ban, since basic auth alone can be brute-forced):
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:8080;
# ... other settings
}
Additional security measures:
- Using Cloudflare in front of the proxy for DDoS protection and automatic HTTPS
- Setting up rate limiting (limit_req) or fail2ban on repeated 401 responses to slow down brute-force attacks
- Using Authelia as an authentication portal (via auth_request) for two-factor authentication
- Restricting access by IP address (allow/deny), for example to the WireGuard subnet
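The password file behind auth_basic deserves the same care as the proxy config. The following is an added example, not code from the original page: it creates entries with a slow hash and audits an existing .htpasswd for weak formats, because the default output of htpasswd (apr1, MD5-based) is cheap to brute force offline if the file ever leaks. User names and paths are illustrative.

```bash
#!/bin/sh
# Added example (not code from the original page): create basic-auth entries
# with a slow hash and audit an existing .htpasswd for weak ones. nginx's
# auth_basic_user_file accepts several formats, and the one htpasswd produces
# by default (apr1, MD5-based) is cheap to brute force offline if the file
# ever leaks. The user names and file paths below are illustrative.

# One entry hashed with sha512-crypt ($6$), which nginx verifies through the
# system crypt(3). Requires OpenSSL 1.1.1 or newer for "passwd -6".
make_htpasswd_entry() {   # $1 = user, $2 = password
  printf '%s:%s\n' "$1" "$(openssl passwd -6 "$2")"
}

# Print "user: reason" for every weak or unverifiable entry; return 1 if any
# was found, 0 if the file is clean.
audit_htpasswd() {   # $1 = path to .htpasswd
  weak=0
  while IFS=: read -r user hash; do
    case "$user" in ''|'#'*) continue ;; esac            # blank or comment line
    case "$hash" in
      '{PLAIN}'*)     echo "$user: plaintext password";              weak=1 ;;
      '{SHA}'*)       echo "$user: unsalted SHA-1";                   weak=1 ;;
      '$apr1$'*)      echo "$user: apr1 MD5 (htpasswd default)";     weak=1 ;;
      '$5$'*|'$6$'*)  ;;                                             # sha256/sha512-crypt: fine
      *)              echo "$user: legacy crypt() or unknown scheme"; weak=1 ;;
    esac
  done < "$1"
  return $weak
}

# Usage: ./htpasswd-audit.sh /etc/nginx/.htpasswd        (exit status 1 = weak entries)
#        ./htpasswd-audit.sh add alice 'long passphrase' >> /etc/nginx/.htpasswd
case "${1:-}" in
  '')   ;;                                   # no arguments: only define the functions
  add)  make_htpasswd_entry "$2" "$3" ;;
  *)    audit_htpasswd "$1" ;;
esac
```

Keep the file readable only by root and the nginx worker user (chmod 640, group www-data), and remember that a strong hash protects against an offline attack on a leaked file, not against online guessing; that is what the rate limiting listed above is for.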
FRP (Fast Reverse Proxy):
For cases where the home server has no usable public address, FRP publishes a home port on the remote server through an outbound reverse tunnel. The INI format below is the legacy one (recent frp releases use a TOML configuration instead); the shared token must be set on both sides, otherwise anyone who can reach port 7000 can register their own proxies on your remote server:
# frps.ini (on the remote server)
[common]
bind_port = 7000
vhost_http_port = 80
token = <long_random_shared_secret>
# frpc.ini (on the home server)
[common]
server_addr = remote_server_ip
server_port = 7000
token = <long_random_shared_secret>
[web]
type = http
local_port = 80
custom_domains = yourdomain.com
Point yourdomain.com at the remote server's IP; frps serves it on vhost_http_port and relays each request to port 80 on the home server, with no ports opened on the home router [source: Reddit].
Cloud Tunneling Services
There are cloud services that simplify the setup of secure remote access by creating encrypted tunnels between your device and the home server.
Popular solutions:
- Ngrok:
  - Provides a public URL for accessing local services
  - Automatic SSL certificate generation
  - Supports authentication and access restrictions
  - Free tier with limitations
- Cloudflare Tunnel:
  - Secure tunnel between your server and Cloudflare's network
  - No need to open ports on the router
  - Free tier with good capabilities
  - Integration with Cloudflare Access for access control
- Tailscale / ZeroTier:
  - Create a virtual (overlay) network between devices
  - Automatic NAT traversal, so neither side needs an open port
  - Support for mobile devices
  - Encryption of all transmitted data; Tailscale uses WireGuard underneath, so it gives the VPN experience of option 2 with direct peer-to-peer connections instead of routing traffic through the remote server
Setting up Cloudflare Tunnel:
- Install Cloudflared:
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
- Configure the tunnel:
cloudflared tunnel login
cloudflared tunnel create home-services
- Configure routing (a DNS record pointing the hostname at the tunnel):
cloudflared tunnel route dns home-services yourdomain.com
- Start the tunnel:
cloudflared tunnel run home-services
The tunnel only serves hostnames listed in the ingress section of its config.yml (hostname to local service); without ingress rules it has nothing to route to. Pair it with Cloudflare Access so that authentication happens at Cloudflare's edge before a request reaches the home server.
These services are ideal for quickly deploying secure access without complex infrastructure setup [source: SocketXP].
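The config.yml that the `cloudflared tunnel run` step relies on, as an added example that is not code from the original page or from Cloudflare. It maps each hostname to exactly one local service and ends with the catch-all rule cloudflared requires, so nothing else on the home server is reachable through the tunnel. The tunnel UUID, the hostnames immich.example.com and books.example.com, the ports 2283 (Immich's default) and 8083, and the credentials path are assumptions.

```bash
#!/bin/sh
# Added example (not code from the original page): the config.yml that
# `cloudflared tunnel run` needs. Only hostnames listed under ingress are
# served, each mapped to one local port, and the final catch-all rule is
# mandatory. Assumed values: tunnel name home-services, hostnames
# immich.example.com and books.example.com, Immich on port 2283 and the
# e-library on 8083, credentials under /root/.cloudflared/.

render_cloudflared_config() {   # $1 = tunnel UUID printed by "cloudflared tunnel create"
  cat <<EOF
tunnel: $1
credentials-file: /root/.cloudflared/$1.json

ingress:
  # Each hostname maps to exactly one local service; nothing else on the
  # home server is reachable through the tunnel.
  - hostname: immich.example.com
    service: http://localhost:2283
  - hostname: books.example.com
    service: http://localhost:8083
  # Catch-all: any other Host header (or a bare probe) gets a 404.
  - service: http_status:404
EOF
}

# Offline check that the last ingress rule is the catch-all; when cloudflared
# is installed, run its own validator as well.
validate_config() {   # $1 = config file
  if ! tail -n 1 "$1" | grep -q 'service: http_status:404'; then
    echo "$1: last ingress rule must be the catch-all" >&2
    return 1
  fi
  if command -v cloudflared >/dev/null 2>&1; then
    cloudflared tunnel --config "$1" ingress validate
  fi
}

if [ "${1:-}" = "write" ]; then   # ./cf-config.sh write <tunnel-uuid>
  mkdir -p /root/.cloudflared
  render_cloudflared_config "$2" > /root/.cloudflared/config.yml
  validate_config /root/.cloudflared/config.yml
fi
```

Each hostname in the ingress list also needs its own `cloudflared tunnel route dns home-services <hostname>` record. Because the services are plain HTTP on localhost, TLS terminates at Cloudflare and inside the tunnel; the home server still never listens on a public port.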
ZTNA Solutions for Secure Access
Zero Trust Network Access (ZTNA) is a modern security approach based on the principle of “never trust, always verify.” For home networks, there are simplified ZTNA solutions.
Microsoft Entra Private Access:
- Part of Microsoft Entra Suite (2024)
- Provides secure access to applications without VPN
- Uses contextual authentication
- Integration with existing Microsoft infrastructure
Zscaler Private Access:
- Cloud-based ZTNA platform
- Provides secure remote access
- Automatic encryption of all connections
- Support for mobile devices
Home ZTNA Implementation (the enterprise products above are sized and priced for organisations; the same per-application model can be built at home with nginx):
- Setting up application-level access control. With satisfy any, a request is accepted if it comes from a trusted network or presents valid credentials; the auth_basic directives are what make satisfy any meaningful, since allow/deny on their own would admit only the listed networks:
location / {
satisfy any;
allow 192.168.1.0/24; # Local network
allow 10.0.0.0/24; # WireGuard network
deny all;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:8080;
}
- Using mTLS (mutual TLS: the phone presents a client certificate) for authentication. The server needs its own CA to issue client certificates; a single self-signed certificate is not enough:
# Create a private CA whose certificate nginx will trust for client authentication
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=home-ca"
- Configuring Nginx to verify client certificates (in the server block; a client without a certificate issued by that CA is rejected before any application code runs):
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
ZTNA approaches provide a higher level of security compared to traditional VPNs, as they provide access to specific applications rather than the entire network [source: CSO Online].
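The certificate side of the mTLS setup above, carried through end to end: a private CA, one client certificate per phone signed by it, the PKCS#12 bundle the phone imports, and the same chain check nginx performs. This is an added example, not code from the original page; the names home-ca and phone-alice, the EC key type and the output directory are assumptions.

```bash
#!/bin/sh
# Added example (not code from the original page): a private CA, one client
# certificate per phone signed by it, and the PKCS#12 bundle the phone
# imports. ssl_verify_client needs a CA certificate to check client
# certificates against, so a single self-signed certificate is not enough.
# Names (home-ca, phone-alice, the output directory) are assumptions.

# Create the CA. Its key signs client certificates and never leaves the server.
make_ca() {   # $1 = output directory
  umask 077
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.crt" -days 3650 -subj "/CN=home-ca" 2>/dev/null
}

# One certificate per device, so a lost phone can be revoked individually
# (ssl_crl in nginx) without touching the others.
make_client_cert() {   # $1 = directory with ca.key/ca.crt, $2 = device name, $3 = export password
  umask 077
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
  # clientAuth only: the certificate cannot be repurposed as a server certificate.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  # Phones import key + certificate + CA chain as one PKCS#12 file.
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/ca.crt" \
    -out "$1/$2.p12" -passout "pass:$3"
}

# The check nginx performs with ssl_verify_client on: does the certificate
# chain to our CA and is it valid for client authentication?
verify_client_cert() {   # $1 = ca.crt, $2 = client certificate
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "init" ]; then   # ./mtls.sh init /etc/nginx/mtls phone-alice 'import password'
  mkdir -p "$2"
  make_ca "$2"
  make_client_cert "$2" "$3" "$4"
  verify_client_cert "$2/ca.crt" "$2/$3.crt" && echo "$2/$3.p12 ready to import"
fi
```

Point ssl_client_certificate at the generated ca.crt, install the .p12 on the phone (user certificate store on Android, profile on iOS) and deliver the export password out of band. The verified subject is available in nginx as $ssl_client_s_dn, so a per-device allow list or per-device logging costs one more line of config; the private key of the CA should stay on the server with mode 600, as umask 077 leaves it.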
Comparison of Different Approaches
| Approach | Setup Complexity | Security | Performance | Ease of Use | Cost |
|---|---|---|---|---|---|
| WireGuard | Low | High | Very High | High | Free |
| SSH Tunnel | Medium | High | Medium | Medium | Free |
| Reverse Proxy | Medium | High | High | High | Free/Paid |
| Cloud Services | Low | High | Medium | Very High | Free/Paid |
| ZTNA | High | Very High | High | High | Paid (commercial) / Free (self-hosted nginx + mTLS) |
Key selection factors:
- Technical competence: For beginners, cloud services or WireGuard are more suitable
- Security requirements: For maximum security, choose ZTNA or mTLS
- Performance: For high loads, WireGuard or nginx reverse proxy are optimal
- Mobile device convenience: All the solutions discussed support mobile platforms
- Budget: Most solutions have free tiers for home use
Recommendations for Choosing a Solution
For most home users:
WireGuard is the optimal solution due to its balance of ease of setup, high performance, and reliable security. It’s excellent for mobile device access and doesn’t require complex infrastructure.
For maximum security:
A combination of reverse proxy with two-factor authentication (e.g., Authelia + Yubikey) provides the highest level of security while maintaining ease of use.
For quick start:
Cloud services like Cloudflare Tunnel or ngrok allow you to get secure access within minutes without complex setup.
For advanced users:
SSH tunneling with automation through systemd or Docker provides flexibility and full control over the access process.
Example secure access architecture:
Phone → Cloudflare Tunnel → Reverse Proxy (nginx) → Home Server
↓
Authentication (2FA)
↓
Access Control (IP/device)
Regardless of the chosen solution, always adhere to security principles:
- Prefer key-based authentication (SSH keys, WireGuard keys, client certificates); where a password is unavoidable, make it long and unique
- Regularly update software
- Restrict access to only necessary IP addresses
- Use two-factor authentication
- Monitor access logs
Given your situation (Proxmox/Debian, global IP, domain, remote server), I recommend starting with WireGuard for basic access, then adding a reverse proxy for specific services with additional authentication [source: LinuxBabe].
Sources
- WireGuard on your server: detailed instructions
- Remote access WireGuard connection, configure tunnel
- Building a VPN tunnel to a local network using “WireGuard”
- Creating a WireGuard VPN router for your home LAN
- WireGuard server and Windows client. Remote access
- Setting up WireGuard on OpenWRT: step-by-step guide
- How to set up and use the free WireGuard app for quick VPN in Russia: September 2024
- Remote Access in a Post-VPN World: A Secure Tunneling Alternative for Your IoT Devices
- 5 Best Self-hosted VPN/Proxy Solutions in 2024
- 9 VPN alternatives for securing remote network access
Conclusion
Secure access to home servers from mobile devices can be organized through several effective methods, each with its own advantages:
- WireGuard - the best choice for most users due to its balance of performance, security, and ease of setup
- SSH Tunneling - a flexible solution for those who prefer to use existing infrastructure
- Reverse Proxies - provide targeted access to services with additional security measures
- Cloud Services - ideal for quick start without complex setup
- ZTNA Solutions - provide maximum security for demanding users
For your specific situation with a Proxmox/Debian server, global IP, and domain, I recommend starting with WireGuard for basic network access, then adding an nginx reverse proxy with authentication for specific services like Immich and your library. This approach will provide both convenience for mobile device use and a high level of security for your data.
Experiment with different solutions and choose the one that best suits your technical skills and security requirements. Remember that security is a process, not a one-time setup, so regularly update your software and monitor access to your resources.