I’ve managed to set up a baikal server to sync my calendars and tasks instead of using a free cloud service provided by nextcloud. I’m able to reach it from beyond my local network, but this is all very new to me and I’m a little worried about what permanently leaving a port open for this.

I’m hoping to find some resources for securing this, before leaving it up all the time. I suppose as an alternative I can always only run it at home and only sync when I’m home but this seems less ideal.

Thanks a bunch for the help in advance. I really appreciate it.

  • drudoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Use a reverse proxy in front and be sure to have auth setup in Baikal.

    I’ve been using it with traefik for 5ish years now without issues.

  • BitSound@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Wireguard might work well here. You’ll have to set it up on each device you want to have access your server, but I’m guessing that syncing only involves a handful of devices, which wouldn’t be bad.

    • thelittleblackbird@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      As a friendly suggestion: Don’t rely on wireguard alone, try instead services like tailscale or zerotier because if you set up ur server in residential zone, there are huge chances that you will hit some cg-nat in other cities / countries.

      Those are nasty problems that wireguard is not able to solve but those programs can

      Apart of that this is the zero risk approach and it should be the default one.

    • Corr@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      So if I understand this correctly, I configure wireguard on the server end and port forward to the IP for the wireguard interface? and then configure devices to send packets through their wireguard interface for specific applications to get synced up? Thanks for your reply :)

      • BitSound@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yeah, when you configure it, you essentially say “all traffic to 1.2.3.0/24 should go through this wireguard connection”. Then, your OS automagically knows “oh, this connection to 1.2.3.4 should go through Wireguard, and I’ll handle it like so”. You don’t have to configure any applications specifically, their network connections just get routed appropriately by your OS.

        • Corr@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          So I’m just taking a look at wireguard on android. I just need to point a specific address to wireguard and it takes care of it then? This seems relatively straightforward to configure.

          Last question (hopefully). I’m running this server off a pi with bullseye. The guide on their site for setting up a server uses buster but the client uses bullseye. The buster version needs to setup unstable release packages but the bullseye client doesn’t. This should mean that I’m good to just grab the default Debian package on bullseye?

          Thank you very much for your help with this!

            • Corr@lemm.eeOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              This seems promising for simplicity. I’ll check it out!

          • BitSound@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Yeah, you’ll also need to configure your server to whitelist your phone, and then everything should just work. And yeah, you should be able to just use the default deb package on bullseye.

            • Corr@lemm.eeOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I think I’ve configured it all (using the the link the other person sent). I think I screwed up the port forwarding tho and I’m not home to fix it for now.

              Everything looks like it should work but only time will tell lol. Thank you again for your help!

            • Corr@lemm.eeOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              So I got home and fixed my port-forwarding rule, but I can’t get my phone to connect. That aside, I’m now a bit lost as to how to get access to baikal , or anything else… I can’t seem to find any resources that explain how to do this either. Do you know of anything I can read to try to set that up?

              Edit: I sorted out reaching the baikal server from the VPN. Still working on getting my android phone to work with wireguard tho :/

              Edit: I apparently can’t read and mistyped a key value. Turns out everything has been working this whole time 🤦

              • BitSound@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                I unfortunately can’t really offer much advice here. I configured Wireguard on my phone by essentially copy/pasting the configuration from my laptop and changing the values as necessary like the public key and client IP address. Turned it on, it activated VPN mode in Android and everything started working.

                I guess make sure you haven’t mixed up your public/private keys, your server knows about the new device (and is restarted), and your phone is using the right IP address as basic troubleshooting steps.

                • Corr@lemm.eeOP
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  I added a final edit where it turns out I just mistyped the public key and the rest of the config was completely fine. Oops lol. Thanks for your input on this I really appreciate it. Now final question. Since my server now works on a whitelist basis, it should be reasonably safe to leave the port open indefinitely going forward? If not, is there more I should consider doing to increase security?
                  Thanks again :)

  • wildbus8979@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    There are a number of options…

    Setup a reverse proxy with nginx, using SSL, with http auth or better yet client certificates.

    Setup a VPN to access your home network.

    Use SSH forwarding to access the local service.

    • Corr@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Are these all roughly equivalent in security? Or is it a case of some of these being a bit less complex to set up but you sacrifice security? I’ll look into these options though. Thank you

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network
    nginx Popular HTTP server

    5 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

    [Thread #80 for this sub, first seen 25th Aug 2023, 11:15] [FAQ] [Full list] [Contact] [Source code]