I run a load of containers on a NAS, and reverse proxy them through synology’s inbuilt reverse proxy settings.

Essentially, I’d like to harden my security, and not really sure how best to do it.

Seeing people recommend nginx proxy manager, I’ve tried to set this up but never managed to get the certificates to work from letsencrypt (“internal server error” when trying to get one). When I finally got it working a while ago (I think I imported a cert), any proxy I tried to setup just sent me to the Synology login page.

I’ve tried to setup the VPN that comes with Synology (DSM 7+), but I must have set it up using the local IP address. It only works when I’m on my LAN, and not from an external network. Which is kind of the point, lol. I would like to use VPN to access the home network when out and about.

I’ve set random, long, unique passwords for everything I want to access, but I am guessing this is not the most secure, after seeing so many people use and recommend vpns.

I have tailscale, which is great for ssh-ing onto my Nas from the outside world. But to access my services, is a VPN the best way to do it? And can it be done entirely myself, or does it require paying for a service?

I’ve looked at authentic - pretty confusing at the outset, and Isee few evenings of reading guides ahead of me before I get that working. Is that worth setting up?

Does anyone have any advice/guides/resources that might help?

  • lemmyvore@feddit.nlEnglish
    1·
    7 months ago

    Tailscale is great, and very handy to edit my compose files from, for example, work. But I didn’t think I could use it to access my services?

    Tailscale has two features that, when enabled, will let you exit the tailnet through a node to a LAN (subnets) or to the Internet (exit node).

    You can use the subnets feature. You can install a Tailscale container on the NAS, mark it as using the subnets feature, and then you have two options:

    1. Use the “host” network mode on the Tailscale container, which will give it access to your NAS machine’s host network interfaces, and set up the subnet mask to your LAN’s subnet. You will be able to access your services on the NAS’s LAN IP and whatever service ports you expose to the host, just as if you were on the LAN.
    2. You leave the Tailscale container to use a private docker network, you create a “tailscale” docker network, you declare the Tailscale subnet as the docker network subnet, and you connect to it the Tailscale container plus any other containers that you want to access (in their docker compose files). This is more secure (in the absolute, abstract sense) because Tailscale traffic doesn’t pass through the LAN, and you only expose a short explicit list of containers to Tailnet. On the other hand you have to juggle container network names, and it just makes things more complicated.