Cloudflare vs. vpn

Hi, I’m trying to better understand, or calm myself, regarding the device’s security when it is exposed outside. Currently the device doesn’t have any ports forwarded and the only access is via the local LAN or through the WireGuard VPN. The VPN, however, messes with my Android device, which already has a VPN (AdGuard), and so I’ve created a MacroDroid script that works 80% okay.
Then I read about CF tunnels, how they have better security, etc., and so I’ve installed one and got it working, but now I’m thinking that anyone who scans for domains can easily find my subdomain+domain and can start brute-forcing my Sonarr, Radarr, etc. services.

Am I missing something, and is staying with WireGuard perhaps a better option? Should I enforce better security with Cloudflare?
BTW: I’ve configured Cloudflare for an HTTP route. Should it be HTTPS?
Thanks for the support!

First of all, most bots scan IPs; it’s way easier than having to scan arbitrary domains. Second, Cloudflare may do pre-filtering of known bad actors. Third, you can set up extra authentication for Cloudflare tunnels, which will be secured by Cloudflare, who have a pretty good understanding of cybersecurity. Are they perfect? Hopefully, but realistically, where people work there may be mishaps. But Cloudflare is usually pretty secure.

Nonetheless, you should always keep your services up to date and not run some old vulnerable version.

Then you could just set up AdGuard Home at home, point DNS to that IP and use your own VPN for everything. That’s what I do. Then you don’t need to have a split tunnel.
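What the reply above describes, as an added example that is not the poster’s own configuration: a WireGuard client profile for the phone where the whole tunnel’s DNS goes to an AdGuard Home instance on the LAN, so the ad filtering happens at home and no second VPN app is needed on Android. The tunnel addresses, the AdGuard Home IP (192.168.1.2), the endpoint hostname and the key placeholders are assumptions.

```ini
# Added example, not the poster's config. Addresses, keys and hostnames are placeholders.
[Interface]
PrivateKey = <phone private key>
Address = 10.8.0.2/32
# All DNS for the tunnel goes to AdGuard Home on the home LAN (assumed 192.168.1.2),
# so ad filtering happens there and the phone does not need its own VPN-based blocker.
DNS = 192.168.1.2

[Peer]
PublicKey = <home server public key>
Endpoint = home.example.com:51820
# Full tunnel: every destination, not only the LAN subnet, is routed through home.
# This is what makes the DNS line above apply to all of the phone's traffic.
AllowedIPs = 0.0.0.0/0, ::/0
# Split-tunnel alternative (only the LAN and tunnel subnets go through home; then
# AdGuard Home filters only LAN lookups and the phone needs its own ad-blocker again):
# AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
PersistentKeepalive = 25
```

The check worth doing after connecting: a DNS leak test from the phone should show only the home IP as the resolver, and the AdGuard Home query log should show the phone’s tunnel address (10.8.0.2 here) as a client.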

Absolutely no issues here running a WireGuard server and using the app to access the QNAP and also my cameras when outside the LAN.

I still need a VPN for the torrent connection (gluetun w/ PIA ovpn), but I use CF tunnels to access all my media services’ front-end (-arrs) pages. CF tunnels don’t expose my IP, are secured by 2FA, and my Google account is the only ID that can even try to auth. Any attempts by unsophisticated actors even leave a record of their Google ID (derp). A sophisticated attacker would need to find my domain, exploit CF, break Google 2FA, then guess a 26-character hex password unique to each front-end page. It’s so easy to set up, a caveman could do it. I wouldn’t use CF tunnels to stream media or DL large files though, or they may suspend your account.
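The tunnel side of the setup the reply above describes, and the HTTP-versus-HTTPS question from the original post, as an added example that is not the poster’s configuration: a cloudflared config.yml with one ingress rule per front end. The hostnames, tunnel UUID, LAN IPs and the assumed reverse proxy on 192.168.1.10:443 are placeholders; the Sonarr and Radarr ports are their defaults. The extra authentication the replies mention (Cloudflare Access with a Google identity provider and an allowlist of one account) is configured per hostname in the Zero Trust dashboard, not in this file, so it is only described in the comments.

```yaml
# Added example, not the poster's config. Hostnames, UUID and LAN IPs are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /root/.cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Browser <-> Cloudflare is TLS on any proxied hostname regardless of what is
  # written below. The "service:" URL only controls the hop from cloudflared to
  # the origin on the LAN. Plain HTTP on that hop is fine when cloudflared runs
  # on the same host as the app; it never leaves the machine.
  - hostname: sonarr.example.com
    service: http://127.0.0.1:8989
  - hostname: radarr.example.com
    service: http://127.0.0.1:7878

  # If the origin hop crosses the LAN, put the apps behind a reverse proxy that
  # serves TLS (assumed here on 192.168.1.10:443) and talk HTTPS to it.
  - hostname: cameras.example.com
    service: https://192.168.1.10:443
    originRequest:
      # Only for a self-signed certificate on the proxy. This turns off certificate
      # checking for this hop, so the traffic is encrypted but not authenticated;
      # prefer a real certificate on the proxy and leave this out.
      noTLSVerify: true

  # Mandatory catch-all: any hostname not listed above gets a 404 from cloudflared
  # instead of reaching a service, so a scanner that guesses other names learns nothing.
  - service: http_status:404
```

Validate before running it with `cloudflared tunnel ingress validate`, and check a hostname with `cloudflared tunnel ingress rule https://sonarr.example.com` to see which rule would match. With an Access application attached to each hostname, a request only reaches cloudflared after Cloudflare has authenticated it, which is what stops a domain scanner from brute-forcing the app login directly; for the non-browser apps mentioned later in the thread, Access service tokens (sent as `CF-Access-Client-Id` and `CF-Access-Client-Secret` headers) are the supported way to pass that layer without an interactive login.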

Thanks for the detailed answer. I definitely need to explore the extra security measures that Cloudflare offers.
I guess that enabling another layer of security, like a code sent through email, will work when I access the services through a web browser but not for apps.

Initially, I used to have this setup, but as Android can only operate one VPN at a time and I’m using AdGuard to filter out ads, I needed to configure a macro so that whenever one of the QNAP apps was launched the AdGuard VPN was shut down and WG was activated. It’s working OK but not perfectly, and so I wanted to check CF tunnels too. So far, it works better in that I don’t need the macro to kick in whenever I want to access something outside my LAN.

The only issue I still need to deal with so far is watching cameras, with or without tunnels.