[SOLVED] ELI5: How to put several servers on one external IP?

96 Posts 36 Posters 0 Views
  In reply to [email protected]:

      I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.

      Of course you can set up 2FA etc., but that's pretty involved compared to a simple wg tunnel that lives on your router.

    [email protected] wrote (post #81):

    My mantra is "plan to be hacked". Whether this is a good backup strategy, a read-only VM, good monitoring or serious firewall rules.
    In reply to [email protected]:

        And you are self-sufficient, or whatever the word is. But that's the key thing for me, not having to rely on others for my services 🙂

      [email protected] wrote (post #82):

      Yep!

      For me it's a sense of reliability and control - my stack will keep working even if new censorship rolls out (I live in a heavily censored and sanctioned jurisdiction), or if there's a global outage, or whatever else. I am also the sole authority over my piece of the Internet, and no one can do anything to alter it or take it away.
      In reply to [email protected]:

          I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.

          Of course you can set up 2FA etc., but that's pretty involved compared to a simple wg tunnel that lives on your router.

        [email protected] wrote (post #83):

        For now I'm only toying around, experimenting a little - and then closing ports and turning my Pi off. I do have my NAS constantly exposed, but it is solidly hardened (firewall, no SSH, IP bans for unauthorized actions, etc. etc.), fully updated, hosts no sensitive data, and all that is important is backed up on an offline drive.
        In reply to [email protected]:

            For now just some experiments alongside NAS

            Planning to host Bitwarden, Wallabag and other niceties on the server, and then when I get something more powerful, spin up Minecraft server and stuff

          [email protected] wrote (post #84):

          I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like WireGuard to connect back into your house instead of exposing everything publicly. Some firewalls have WireGuard built in, so you can set up the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.
          In reply to [email protected]:

              I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like WireGuard to connect back into your house instead of exposing everything publicly. Some firewalls have WireGuard built in, so you can set up the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.

            [email protected] wrote (post #85, last edited by [email protected]):

            That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.
            In reply to [email protected]:

                That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.

              [email protected] wrote (post #86):

              There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.

              If you really want multiple things exposed at the same time, you have two options (which can be used in combination if needed/wanted):

              1. A reverse proxy. I use Caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
              2. Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.

              I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was originally breached, but it will also likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.
              In reply to [email protected]:

                  There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.

                  If you really want multiple things exposed at the same time, you have two options (which can be used in combination if needed/wanted):

                  1. A reverse proxy. I use Caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
                  2. Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.

                  I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was originally breached, but it will also likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.

                [email protected] wrote (post #87):

                It's not illegal to use VPN in my area, but connections are blocked on a protocol level, both through OpenVPN and WireGuard.

                I already managed to make Caddy work, so, hooray!

                I also found a setting on my router that fully isolates certain devices from the local network. I want to put the server in there, so that the rest of my LAN is not under threat. I also want to figure out VLANs.
                In reply to [email protected]:

                    It's definitely not the same thing.
                    I do understand reservations about using free-tier services from Big Bad Corp., but I don't understand the malicious reduction of valid arguments for using those services.

                  rikudou@lemmings.world wrote (post #88):

                  It literally does the same thing, except it's self hosted?
                  In reply to [email protected]:

                      Update: tried Caddy, love it, dead simple, super fast, and absolutely works!

                    possiblylinux127@lemmy.zip wrote (post #89):

                    Did you also forward UDP port 443?

                    If not I would as well, since it is used for QUIC, which is supported and automatically turned on for Caddy.
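As an added example (not from any poster in this thread), this is the kind of Caddyfile post #86 describes: each public hostname is bound to one internal address and port, so the router forwards only 80/tcp and 443/tcp to the proxy host, plus 443/udp for the HTTP/3 (QUIC) listener post #89 asks about, and each site writes an access log that fail2ban can watch as the first quoted post suggests. The hostnames, LAN addresses, e-mail address and log paths are placeholders.

```caddyfile
# Added example Caddyfile, not taken from the thread. Hostnames, LAN
# addresses, e-mail and log paths are placeholders; substitute your own.
{
    # Address used for the ACME (Let's Encrypt) account Caddy registers.
    email admin@example.com
}

# One site block per hostname. Caddy listens on 80/tcp (redirects to HTTPS),
# 443/tcp (HTTPS) and 443/udp (HTTP/3 over QUIC) for all of them, so the
# router forwards only those three ports to this one host. Each backend
# keeps its own LAN address and port and is never forwarded directly.

cloud.example.com {
    # Web app on the NAS (placeholder address/port)
    reverse_proxy 192.168.1.10:8080

    # Per-site access log; fail2ban (or any log watcher) can ban source
    # addresses that pile up 401/403 responses here.
    log {
        output file /var/log/caddy/cloud.log
    }
}

vault.example.com {
    # Password manager backend (placeholder address/port); reverse_proxy
    # passes WebSocket upgrades through without extra configuration.
    reverse_proxy 192.168.1.11:80

    log {
        output file /var/log/caddy/vault.log
    }
}

# A request for a hostname with no site block gets no certificate and no
# backend, so scanners hitting the bare IP reach none of the services.
```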
                    In reply to [email protected]:

                        That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.

                      possiblylinux127@lemmy.zip wrote (post #90, last edited by [email protected]):

                      What do you mean by blocked at a protocol level? You might give it a try on a random port to see what happens.

                      You could also look into port knocking. It is dated but still worthwhile.
                      In reply to [email protected]:

                          It's not illegal to use VPN in my area, but connections are blocked on a protocol level, both through OpenVPN and WireGuard.

                          I already managed to make Caddy work, so, hooray!

                          I also found a setting on my router that fully isolates certain devices from the local network. I want to put the server in there, so that the rest of my LAN is not under threat. I also want to figure out VLANs.

                        [email protected] wrote (post #91):

                        I am not an expert on security and I don't know how to set up DDNS, but I simply use Tailscale VPN to access my RPi4 home server running Umbrel from outside of my home. I simply installed Tailscale in my Umbrel and on my phone, and when I want to access Immich, Nextcloud or any other app running on my Umbrel from my phone, I simply enable the Tailscale VPN. Maybe it has some limitations, but it is the simplest way I found, and based on what I read, it is more secure than exposing a port in the router, but I'm not sure.
                        In reply to possiblylinux127@lemmy.zip:

                            What do you mean by blocked at a protocol level? You might give it a try on a random port to see what happens.

                            You could also look into port knocking. It is dated but still worthwhile.

                          [email protected] wrote (post #92, last edited by [email protected]):

                          I mean any connection through these protocols is just not working over the Internet. DPI equipment detects the respective packets and cuts the connection, irrespective of the port you assign.
                          In reply to [email protected]:

                              I am not an expert on security and I don't know how to set up DDNS, but I simply use Tailscale VPN to access my RPi4 home server running Umbrel from outside of my home. I simply installed Tailscale in my Umbrel and on my phone, and when I want to access Immich, Nextcloud or any other app running on my Umbrel from my phone, I simply enable the Tailscale VPN. Maybe it has some limitations, but it is the simplest way I found, and based on what I read, it is more secure than exposing a port in the router, but I'm not sure.

                            [email protected] wrote (post #93):

                            I would be fairly comfortable running a direct WireGuard connection even without Tailscale, but my location and use case simply won't allow me to.

                            Your setup is valid, nothing wrong with it, and yes, it is more secure. Just can't be used in my case.
                            In reply to rikudou@lemmings.world:

                                It literally does the same thing, except it's self hosted?

                              [email protected] wrote (post #94):

                              Feature                               CF                    frp
                              ------------------------------------  --------------------  --------------------------
                              No public server required at all      Yes                   No
                              DDoS protection, WAF, automatic SSL   Yes                   No
                              Access controls and auth              built-in Zero Trust   manual setup of token/OIDC
                              Managed DNS                           Yes                   No
                              Built-in security tools               Yes                   No

                              Just like I said - prevalent reduction of valid arguments for using those services.
                              In reply to possiblylinux127@lemmy.zip:

                                  Why wouldn't you set up a firewall on the VPS?

                                [email protected] wrote (post #95, last edited by [email protected]):

                                All home routers have NAT, which functions as a firewall, but VPSes don't come with any firewall by default, so you'd have to set one up. Also, VPS ranges seem to be hotter for scanning.
                                In reply to [email protected]:

                                    All home routers have NAT, which functions as a firewall, but VPSes don't come with any firewall by default, so you'd have to set one up. Also, VPS ranges seem to be hotter for scanning.

                                  possiblylinux127@lemmy.zip wrote (post #96, last edited by [email protected]):

                                  You don't need NAT for a firewall. NAT doesn't provide any security benefits whatsoever.

                                  If you put something on the internet it should always have a firewall. Use either ufw or firewalld. I don't see your argument, since anything the bots can reach will get probed.