I’ve managed to set up a Baikal server to sync my calendars and tasks instead of using a free cloud service provided by Nextcloud. I’m able to reach it from beyond my local network, but this is all very new to me and I’m a little worried about permanently leaving a port open for this.
I’m hoping to find some resources for securing this, before leaving it up all the time. I suppose as an alternative I can always only run it at home and only sync when I’m home but this seems less ideal.
Thanks a bunch for the help in advance. I really appreciate it.
WireGuard might work well here. You’ll have to set it up on each device you want to have access to your server, but I’m guessing that syncing only involves a handful of devices, which wouldn’t be bad.
So if I understand this correctly, I configure WireGuard on the server end and port forward to the IP for the WireGuard interface, and then configure devices to send packets through their WireGuard interface for specific applications to get synced up? Thanks for your reply :)
Yeah, when you configure it, you essentially say “all traffic to 1.2.3.0/24 should go through this WireGuard connection”. Then, your OS automagically knows “oh, this connection to 1.2.3.4 should go through WireGuard, and I’ll handle it like so”. You don’t have to configure any applications specifically, their network connections just get routed appropriately by your OS.
So I’m just taking a look at WireGuard on Android. I just need to point a specific address to WireGuard and it takes care of it then? This seems relatively straightforward to configure.
Last question (hopefully). I’m running this server off a Pi with bullseye. The guide on their site for setting up a server uses buster but the client uses bullseye. The buster version needs to set up unstable release packages but the bullseye client doesn’t. This should mean that I’m good to just grab the default Debian package on bullseye?
Thank you very much for your help with this!
Use a reverse proxy in front and be sure to have auth set up in Baikal.
I’ve been using it with Traefik for 5ish years now without issues.
There are a number of options…
Set up a reverse proxy with nginx, using SSL, with HTTP auth or better yet client certificates.
Set up a VPN to access your home network.
Use SSH forwarding to access the local service.
Are these all roughly equivalent in security? Or is it a case of some of these being a bit less complex to set up but you sacrifice security? I’ll look into these options though. Thank you
If set up correctly they are mostly equivalent.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| VPN | Virtual Private Network |
| nginx | Popular HTTP server |
5 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.
[Thread #80 for this sub, first seen 25th Aug 2023, 11:15]
Just in case you never heard of it, there is also the option to use Tailscale. It lets you connect to your services without opening any ports and uses WireGuard under the hood but makes configuration simpler.
I have WireGuard set up now and it’s working completely fine now. Thanks for the recommendation!
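The split-tunnel setup discussed in this thread, as an added example that is not part of any poster's comment: a pair of wg-quick configuration files in which only the tunnel subnet is routed through WireGuard. The 10.8.0.0/24 subnet, UDP port 51820, the vpn.example.org endpoint and the key placeholders are assumptions made for illustration.

```ini
# ---- Server (the Pi running Baikal): /etc/wireguard/wg0.conf ----
[Interface]
# Tunnel address of the server; 10.8.0.0/24 is an assumed private subnet.
Address = 10.8.0.1/24
# The only port the router needs to forward (UDP), to the Pi's LAN address.
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# One [Peer] block per device. A /32 here means this key may only
# send traffic from that single tunnel address.
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.2/32

# ---- Client (phone or laptop): wg0.conf ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <server-public-key>
# Placeholder hostname for the home connection's public address.
Endpoint = vpn.example.org:51820
# Split tunnel: only traffic for the tunnel subnet goes through WireGuard.
# 0.0.0.0/0 here would instead send all of the device's traffic home.
AllowedIPs = 10.8.0.0/24
# Keeps the NAT mapping alive for a client behind mobile or home NAT.
PersistentKeepalive = 25
```

With this in place the sync client is pointed at the server's tunnel address (10.8.0.1 here), and the web port Baikal listens on no longer needs to be forwarded on the router.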