• Bdaman
    link
    fedilink
    English
    arrow-up
    49
    arrow-down
    1
    ·
    10 months ago

    The only externally accessible service is my wireguard vpn. For anything else, if you are not on my lan or VPN back into my lan, it’s not accessible.

      • sunbeam60@lemmy.one
        link
        fedilink
        English
        arrow-up
        8
        ·
        10 months ago

        Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.

        • AtariDump@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          edit-2
          10 months ago

          Corporate world, I still have to VPN in before much is accessible. Then there’s also 2FA.

          Homelab, ehhh. Much smaller user base and within smackable reach.

          • sunbeam60@lemmy.one
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            10 months ago

            Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.

      • Footnote2669@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        Not OP but… I have an old PC as a server, Wireguard in docker container, port-forward in the router and that’s it

      • Bdaman
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Sorry, haven’t logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.

        Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.