Network security and remote access options

I would appreciate some thoughts / advice…

I would like access to my HA from outside my network and as far as I see it I have four main options:

  1. ZeroTierOne
    I currently use ZeroTierOne but my phone often drops the VPN connection so I have to reconnect. I also have suspicions that it was adversely affecting my phone battery life.

  2. A self hosted VPN provided by my UniFi USG, using DuckDNS
    Similarly, Android does not allow an always-on VPN unless it is to an actual numeric IP address, so I am again always having to reconnect. My ISP does however allow me to pay a negligible one-time fee for a fixed IP, so that is an option.

  3. Vanilla DuckDNS and an open port on my router
    Call me paranoid but I’m not all that keen on opening a port on my router unless someone here can convince me that it is safe to do so :wink:

  4. And of course Nabu Casa
    I don’t wish to use Nabu Casa for remote connection for the same reasons I don’t want to rely on any cloud services unless absolutely necessary.

There are other options of course but they seem to me to be either very technical or commercially paid-for (e.g. VPN subscription)

A fixed IP address and UniFi VPN seems to me the way I should go but is there any technical or security downside to getting my IP fixed and using the UniFi VPN?

Is there anything else I need to think about?

Thanks for any feedback and hopefully it might be useful to others too.


It’s been over two months since I posted this so I’m bumping it* as I am really surprised no one had a view. (one ‘like’ though :slight_smile: )

* Yeah, ok, I’m sorry but this seems like exactly the kind of question this community usually has a lot of good advice on.

The only downside to having a fixed IP would be if you like to upset people on the internet and you get DoS attacked. From a security point of view static vs dynamic doesn’t really matter, assume that you are always getting port scanned which you probably are. Even with a dynamic IP, I would just try and keep the USG up to date.

If you do option 3 and open a port with duckDNS, also use Let’s Encrypt to get an SSL certificate so your connection and especially your login is encrypted. Then make sure you have a good password and preferably a 2FA method attached to your account. All of this (and actually any of the options for that matter) doesn’t eliminate any hacking threat but greatly reduces the chance someone will either brute force their way into your HA or try and man-in-the-middle attack/intercept you. This is what I do with a DDNS service and Let’s Encrypt cert.

The problem I have with using a VPN is I have to leave it always on or remember to connect whenever I need and sometimes iOS devices don’t play well with VPN especially always on services. I have a UniFi VPN, but I don’t use it for HA.

I use option 3 as well. But with a setup that’s a little bit more complex, which results in a bit more security:
I bought a wildcard certificate (it wasn’t available via LetsEncrypt back then), and instead of HA directly I only expose an Apache reverse proxy. That RP by default points at a simple dummy HTML page. Only with the correct hostname will the connection be forwarded to HA. The key to the added security here is the wildcard certificate. With a fixed certificate, an attacker would just have to look at the certificate to know what the correct hostname is. But with the wildcard, it could be anything. Hence my exposed HA is only reachable under shomerandomlongstring.my.domain, and I am fairly sure that potential attackers will already get stuck here for a while, even before they have the chance to brute force their way into my system. So basically the URL to my HA already acts like a password.
Edit:
I didn’t set up anything for my TLD. That way something like nslookup my.domain will not return any result.
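As an added illustration (not the poster's own config) of the "default dummy page, named vhost forwards to HA" layout described above, here is what the two Apache vhosts look like. It assumes HA listens on 127.0.0.1:8123, that somerandomlongstring.my.domain stands in for the random hostname, and that the wildcard cert sits at the placeholder paths shown.

```apache
# Added example of the catch-all + named-vhost layout, not from the post.
# Assumptions: HA on 127.0.0.1:8123, public name somerandomlongstring.my.domain,
# wildcard cert for *.my.domain at the placeholder paths below.
# Needs: a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers

# Default vhost, listed first so Apache picks it for any unknown Host/SNI
# name (or no SNI at all). It serves only the dummy page.
<VirtualHost *:443>
    ServerName default.invalid
    DocumentRoot /var/www/dummy
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/wildcard.my.domain.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/wildcard.my.domain.key
    # Same wildcard cert as the real vhost, so the cert reveals nothing
    # about which hostname is the interesting one.
</VirtualHost>

# Named vhost: only requests carrying exactly this hostname reach HA.
<VirtualHost *:443>
    ServerName somerandomlongstring.my.domain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/wildcard.my.domain.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/wildcard.my.domain.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # HA's frontend and API use WebSockets; upgrade those connections
    # before the plain HTTP proxy rules see them.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:8123/$1 [P,L]

    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8123/
    ProxyPassReverse / http://127.0.0.1:8123/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Plain HTTP: dummy page only, nothing is ever forwarded to HA here.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/dummy
</VirtualHost>
```

HA itself must be told to trust the proxy (the `use_x_forwarded_for` and `trusted_proxies` settings under `http:` in configuration.yaml) or it will reject proxied logins. Keep in mind the hostname still travels in cleartext in the TLS ClientHello (SNI), so this hides it from scanners that don't already know it, not from someone watching your traffic.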