Running Wireguard VPN on my home server - general security advice

Hi there.

I am running Openmediavault on my home server and have a number of services (Home Assistant, PiHole, TVHeadend, Jellyfin) all running as docker containers.

I would really like to have a go at remotely accessing my server so I can:

* Back up photos to my server hard drives as well as access them remotely.

* Schedule TV Programs on TVHeadend when away from home

* Monitor my home when I am away

* Stream films to my phone, without the need for streaming services

Openmediavault has a built-in addon for using Wireguard and I am hoping to give that a go shortly.

Does anyone have any initial security advice before I take the plunge, please?

I am pretty nervous about making my home network available to the net and want to make sure that I have taken all necessary steps beforehand.

For example - I use both NFS and SMB to share folders on my network. Should I remove NFS, given that it does not allow for password protection?
 
I’ve been running Wireguard on a Raspberry Pi 4 for a few years. I use it to remotely access my NAS and cctv systems. It’s very reliable and simple to use.
 
Thanks Spile - did you take any particular measures to secure your server itself or are you just happy that the VPN is strong enough to prevent access in the first place?
 
For remote it's so far more secure than the alternative. I haven't seen any worrying security patches.
 
Thanks Spile - did you take any particular measures to secure your server itself or are you just happy that the VPN is strong enough to prevent access in the first place?
Obviously I don’t expose the NAS, so no port forwarding. Other than that, password-protected login from the LAN, but I don’t use 2FA.
 
Backup, just in case it all goes wrong / something gets in.
Proper network segregation and only exposing the ports you need to.
You could put a pfSense firewall between WireGuard and the NAS with extra protection as well.
Apply updates to software.
Plenty of people got hacked through the NAS and lost data as it's running old software being exploited.
 
I don't trust these QNAP etc. devices; they get hacked on a regular basis. They don't even get updates for the older ones, and when they break they become scrap.
 
I run my wireguard access through the vpn manager in unraid which gets its address from a duckdns container that updates that.

Would you guys say this is secure?
 
WireGuard is inherently a very secure and quiet protocol. It doesn't respond to requests unless they contain a recognised key, so scanners think nothing is there on the port at all. The ciphers are very carefully chosen, are non-NIST, and again very current and secure. The only real advice in addition to the above (network segregation, firewalling etc) is to enable PSK (pre-shared keys) on WireGuard if you have the option. When running WireGuard manually (using a .conf) it's a simple one line addition to the file, one for each Peer:

Code:
PresharedKey = xxxxxxxxxxxxxxx

Using a GUI manager as you are, you'll have to see if that box is available to tick. It's not essential, but it's a nice-to-have.
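
An added example, not part of the thread: a small Python check that reads a wg-quick style .conf and reports which [Peer] sections lack the PresharedKey line described above. The sample config, its placeholder keys and the function names are constructed for illustration; a real key comes from `wg genpsk` and must be the same on both ends of that peer.

```python
import base64
import binascii

# Constructed sample key: 32 bytes, base64-encoded, the format WireGuard uses for keys.
_SAMPLE_PSK = base64.b64encode(bytes(range(32))).decode()

# Constructed sample config; the <...> values are placeholders, not real keys.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = <server-private-key>
ListenPort = 51820

[Peer]  # phone
PublicKey = <phone-public-key>
PresharedKey = {_SAMPLE_PSK}
AllowedIPs = 10.0.0.2/32

[Peer]  # laptop, no PSK configured yet
PublicKey = <laptop-public-key>
AllowedIPs = 10.0.0.3/32
"""

def parse_peers(conf_text):
    """Return one dict of lower-cased settings per [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("["):                 # section header
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # base64 padding '=' stays in value
            current[key.strip().lower()] = value.strip()
    return peers

def psk_status(peer):
    """'ok' if PresharedKey decodes to 32 bytes, else 'missing' or 'malformed'."""
    psk = peer.get("presharedkey")
    if psk is None:
        return "missing"
    try:
        raw = base64.b64decode(psk, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "ok" if len(raw) == 32 else "malformed"

def audit(conf_text):
    """List (PublicKey, PSK status) for every peer in the config."""
    return [(p.get("publickey", "?"), psk_status(p)) for p in parse_peers(conf_text)]

if __name__ == "__main__":
    for pubkey, status in audit(SAMPLE_CONF):
        print(f"{pubkey}: PresharedKey {status}")
```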
 