
How to Remotely Connect

When it comes to connecting to your services away from home, there are two common approaches: connecting through a Virtual Private Network or broadcasting your services to the World Wide Web. These techniques can be used individually or combined for a tailored experience.

Virtual Private Network 

Security: 3 of 3 stars

By requiring authentication before even connecting to any services, you can greatly decrease your overall attack surface.

Convenience: 2 of 3 stars

This will need to be configured on a device-by-device basis. Once the service has been set up, you just need to make sure you stay connected.

Similar to a corporation, we can host a Virtual Private Network server from home.  This enables anyone to securely connect individual devices to their Local Area Network, even when away from home and accessing remotely over the Internet.  Using a VPN, your services can be available to you, your friends and family without making them accessible to the public internet.  

This is the most secure option for accessing services that handle private personal information, such as Actual Budget or Paperless-ngx. By requiring authorization to remotely access your Local Area Network, you can greatly decrease your attack surface, that is, the amount of publicly accessible software that may contain vulnerabilities.

Different apps are written by different developers, so we cannot know how secure each one is unless its developers provide independent audit information. You do not need to be as concerned about the security of individual programs while everything is protected behind the single VPN program.

While open source software can improve security by putting more eyes on potential vulnerabilities, that does not mean there will not be breaches. An attack that uses a vulnerability before a fix is available is called a zero-day exploit.

This is clearly not ideal for hosting a WordPress blog or forum (unless the intended audience is very small or exclusive). When making services available for yourself, as well as close friends and family, this can provide a perfect balance of security and convenience.

For some services, you may still need to set up a fully qualified domain name to gain access to them, because they cannot be used without HTTPS or through a local port.

Web Domain Name

Security: 3 of 3 stars

By requiring authentication before connecting to any services, you can decrease your overall attack surface.

Convenience: 2 of 3 stars

Once the service has been set up, you just need to make sure you stay connected.

This process involves connecting your server and its services to the World Wide Web. This makes it extremely simple for you to access your server from anywhere using any device. This is, however, equally true for everyone in the world who has access to the internet. You can take proactive steps to harden security, preempt vulnerabilities and limit fallout, but at the end of the day you are opening yourself and your server to the open internet. Your web server's address will be accessible by lookup in the Domain Name System databases.

Similar to a VPN, a well-configured single sign-on service can decrease your attack surface. Instead of individual apps like Radarr managing their own authentication, each with its own potential for vulnerabilities, services like Authelia can act as a dedicated middleman.

Combination

Security: 3 of 3 stars

By requiring authentication before connecting to any services, you can decrease your overall attack surface.

Convenience: 2 of 3 stars

Once the service has been set up, you just need to make sure you stay connected.

Diagram: inside and outside access to a local restricted address.

While using a domain name to access an application, such as app.example.com, it is possible to restrict access to users on your local network or connected by VPN. This provides the convenience of a domain name and the security of a VPN. This technique requires the most configuration but can produce the most tailored experience for balancing security and convenience. For example, you can require that a user be on the VPN or local network to access Actual Budget or Radarr, while OwnCloud and your website remain accessible to the open internet.
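
The per-service split described above comes down to one access decision per request, sketched here as an added example that is not part of the original page. The hostnames under example.com, the 192.168.1.0/24 local network and the 10.8.0.0/24 VPN range are assumptions chosen for illustration.

```python
import ipaddress

# Assumed addressing (not from the page): home LAN and VPN client pool.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),  # local network
    ipaddress.ip_network("10.8.0.0/24"),     # VPN clients
]

# Hypothetical hostnames mirroring the split described in the text.
POLICY = {
    "actual.example.com": "internal",  # Actual Budget: LAN or VPN only
    "radarr.example.com": "internal",  # Radarr: LAN or VPN only
    "cloud.example.com": "public",     # OwnCloud: open internet
    "www.example.com": "public",       # website: open internet
}


def is_trusted(peer_ip: str) -> bool:
    """True when the connection's source address is on the LAN or the VPN."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in TRUSTED_NETWORKS)


def allow_request(host_header: str, peer_ip: str) -> bool:
    """Decide access from the requested hostname and the socket peer address.

    peer_ip must be the address the proxy sees on the connection itself,
    never a value copied from a client-supplied header.
    """
    # Normalise: case, optional :port suffix, optional trailing dot.
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    level = POLICY.get(host)
    if level == "public":
        return True
    if level == "internal":
        return is_trusted(peer_ip)
    return False  # unknown hostname: deny by default
```

A reverse proxy applies the same rule with its own allow/deny directives; the point to carry over is the default deny for unlisted hostnames and the use of the real connection address.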