Hi guys,

Just wanted to see why people would expose services either through a reverse proxy or normally, if technology like WireGuard and OpenVPN exist?

Convenience would probably be the top answer, but is it really worth the risk?

Thanks

  • ConfusionSecure487@alien.topB · 1 year ago

    They make the local device setup more complicated and in some networks, you don’t have a chance to connect.

    I like to go with HTTPS and mTLS. On mobile and in general browsers, you can easily install them and then I can access them everywhere HTTPS is allowed.

    • hi65435@alien.topB · 1 year ago

      Can you though? I used to do exactly these things and either on Android or iOS I had trouble installing a certificate. Well, in a way it’s not a big issue anyway, probably it’s smart to go with public domains anyway (even for private resources)

      • ConfusionSecure487@alien.topB · 1 year ago

        I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

        But I meant client certificates in this context. What I do:

        1. Use a public domain, pointing A and AAAA *.domain.tld to a traefik lb/reverse proxy. I use it on Kubernetes.
        2. Use LE for that *.domain.tld, instead of direct domain certs, to be more private (as all public CAs disclose the signed certs (https://crt.sh/)).
        3. Create my own CA for client authentication.
        4. Set the own CA as trust anchor for clients in traefik for domains which require authentication.
        5. Create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them.) I use the pfx format, as this is widely accepted by the browsers and systems. p12 should also work.
        6. Add the client certificate on the devices. But I don’t put the CA as trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.

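The following script is an added example, not code from the thread or from the traefik project: it carries out steps 3 to 6 of the list above with the openssl CLI (private client CA, per-user key + certificate bundled as PKCS#12, no CSR round-trip) and writes a Traefik v2 dynamic-configuration fragment for step 4 that requires a client certificate only on the routers that reference the `mtls` TLS option. The working directory `./mtls-demo`, the CA name `home-ca`, the user `alice`, the hostname `app.domain.tld`, the upstream `http://app:8080` and the resolver name `letsencrypt` are all assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): client-certificate mTLS behind traefik.
# Assumed names: ./mtls-demo, CA "home-ca", user "alice", host app.domain.tld,
# upstream http://app:8080, ACME resolver "letsencrypt".
set -eu

WORKDIR="${WORKDIR:-./mtls-demo}"
CA_NAME="home-ca"

# Step 3: a private CA whose only job is to sign client certificates.
# Its key stays on the admin machine; the CA cert is NOT installed on devices,
# so it can never be used to issue server certs the devices would trust.
make_client_ca() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1825 -nodes \
    -keyout "$WORKDIR/$CA_NAME.key" -out "$WORKDIR/$CA_NAME.pem" \
    -subj "/CN=Home Client CA" 2>/dev/null
}

# Step 5: key + cert generated on behalf of the user (no CSR hand-off) and
# bundled as PKCS#12. ".pfx" and ".p12" are the same container format.
issue_client_cert() {
  user="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$user.key" -out "$WORKDIR/$user.csr" \
    -subj "/CN=$user" 2>/dev/null
  # Leaf cert: not a CA, usable only for TLS client authentication.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORKDIR/client.ext"
  openssl x509 -req -in "$WORKDIR/$user.csr" \
    -CA "$WORKDIR/$CA_NAME.pem" -CAkey "$WORKDIR/$CA_NAME.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$user.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORKDIR/$user.key" -in "$WORKDIR/$user.pem" \
    -name "$user" -passout "pass:${PFX_PASSWORD:-changeit}" -out "$WORKDIR/$user.pfx"
  rm -f "$WORKDIR/$user.csr"
}

# The check traefik performs at the handshake: OK only if the cert chains to
# our private CA and is valid for the sslclient purpose, FAIL otherwise.
verify_client_cert() {
  if openssl verify -CAfile "$WORKDIR/$CA_NAME.pem" -purpose sslclient \
       "$WORKDIR/$1.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Step 4: traefik dynamic config (file provider). Only routers that use the
# "mtls" option demand a client cert; the public wildcard cert from step 2 is
# still the server cert, so devices see no warning.
write_traefik_config() {
  cat > "$WORKDIR/mtls.yml" <<EOF
tls:
  options:
    mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/$CA_NAME.pem
        clientAuthType: RequireAndVerifyClientCert
http:
  routers:
    private-app:
      rule: "Host(\`app.domain.tld\`)"
      service: private-app
      tls:
        options: mtls
        certResolver: letsencrypt
        domains:
          - main: "domain.tld"
            sans:
              - "*.domain.tld"
  services:
    private-app:
      loadBalancer:
        servers:
          - url: "http://app:8080"
EOF
}

if [ "${1:-}" = "demo" ]; then
  make_client_ca
  issue_client_cert alice
  write_traefik_config
  echo "alice: $(verify_client_cert alice)"   # alice: OK
  echo "import $WORKDIR/alice.pfx on the device; traefik config in $WORKDIR/mtls.yml"
fi
```

Run it as `sh mtls-demo.sh demo`. Only `home-ca.pem` goes to the traefik host (under `/certs/` in the assumed config); `home-ca.key` never leaves the admin machine, and the device receives just `alice.pfx`, which is exactly the split step 6 describes.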
        • hi65435@alien.topB · 1 year ago

          Ah ok that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS but some years ago. Apparently it’s possible to install custom certs there as well but it’s a little painful

          edit: ok I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess

          Personal Certificates can only be installed in Safari.
          NO other browsers are supported.

          https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS