Why VPN tunnels are safer than opening a port on my router?
Hi!
I often read suggestions to use something like Tailscale to create a tunnel between a home server and a VPS because it is allegedly safer than opening a port for WireGuard (WG) or Nginx on my router and connecting to my home network that way.
However, if my VPS is compromised, wouldn't the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?
I often read suggestions to use something like Tailscale (...) safer than opening a port for WireGuard (WG)
I guess someone is trying really hard to upsell Tailscale there. But anyways it all comes down to how you configure things, Tailscale might come with more sensible defaults and/or help inexperienced user to get things working in a safe way. It also makes it easier to deal with the dynamic address at home, reconnects and whatnot.
Specifically about Wireguard, don’t be afraid to expose its port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won’t even know there’s something listening on that port / it will be invisible to typical IP scans / will ignore any piece of traffic that isn’t properly encrypted with your keys.
f my VPS is compromised, wouldn’t the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?
The extra layer does a couple of things, the most important might be hiding your home network IP address because your domains will resolve the VPS public IP and then the VPS will tunnel the traffic to your network. Since your home IP isn't public nobody can DDoS your home network directly nor track your approximate location from the IP. Most VPS providers have some security checks on incoming traffic, like DDoS detection, automatically rate limit requests from some geographies and other security measures that your ISP doesn't care about.
Besides that, it depends on how you setup things.
You should NOT have a WG tunnel from the home network to the VPS with fully unrestricted access to everything. There should be firewall rules in place, at your home router / local server side, to restrict what the VPS can access. First configure the router / local VPN peer to drop all incoming traffic from the VPN interface, then add exceptions as needed. Imagine you're hosting a website on the local machine 10.0.0.50, incoming traffic from the VPN interface should only be allowed to reach 10.0.0.50 port 80 and nothing else. This makes it all much more secure then just blunt access to your network and if the VPN gets compromised you'll still be mostly protected.
You should NOT have a WG tunnel from the home network to the VPS with fully unrestricted access to everything.
This is what I came here to make sure was said. Use your firewall to severely restrict access from your public endpoint. Your wiregaurd tunnel is effectively a DMZ so firewall it off accordingly
Yes, and to be fair the OP doesn't even need to expose a port on his home network. He can do the opposite and have the port exposed on the VPS and have the local router / server connect to the VPS endpoint instead. This will also remove the issues caused by having dynamic IPs at home as well.
If OP is asking this question, he's nowhere near knowledgeable enough to take on this risk.
Hell, I've been Cisco certified as an instructor since 1998 and I wouldn't expose a port. Fuck that.
I could open a port today, and within minutes I'll be getting hammered with port scans.
I did this about 10 years ago as a demonstration, and was immediately getting thousands of scans per second, eventually causing performance issues on the consumer-grade router.