Security with different ways to access HA remotely

Hi!
I can access HA in two ways. Connect with OpenVPN and use the local IP to connect, or use a DDNS service and connect with the DNS address.

Is there any security level differences or is it basically the same?

So, I have it setup like this:

My No-IP account is set up in the Asus router with a Let’s Encrypt certificate.
Then I installed the NGINX proxy add-on and copied the certificates that I generated in the router to the /ssl folder.
Changed the port in NGINX to something else and then made a port forward in the router to the HA IP and NGINX port.
Now I can connect with https://xxxx:xxx. It works great, but is there a preferred way?
Is this even considered safe?

HA is running in a Proxmox VM.

Regards!

1 Like

The dynamic DNS service requires port forwarding in your router. A VPN does not. That is the security difference. Having the open ports when you already have a VPN set up seems like needless risk (albeit a small one) to me.

OpenVPN can use different ways to authenticate (certificates, username/password).
But like any VPN (Virtual Private Network) all traffic is encrypted, which is the main reason to use a VPN.
In other words, nobody can eavesdrop, as the data is encrypted.

dDNS does none of those things, it only makes sure you can always reach your site using the same DNS name, even when your IP address changes (hence the name, Dynamic Domain Name Service).

So OpenVPN and dDNS are not related in any way whatsoever…:thinking:

That does not mean you can’t use dDNS together with OpenVPN (so you always use the same DNS name to contact your OpenVPN server, even if your IP address changes :wink:)

Yes. But I do use a Let’s Encrypt certificate for the dDNS service. So then anything I send and receive through this “something.ddns.net” is encrypted? The only issue is this open port. But then again, what can someone do on that port? It is in a VM and only HA OS (but on the same network). I don’t know.

Google is your friend…

Is HTTPS enough for online security?

The short answer is no; unfortunately, it isn’t. First of all, you will still find sites that do not use it – although that is getting rarer. Plus, it cannot protect all the information you send when you go online – it only secures your browser traffic.

Your apps communicate with the Internet more than you’d think – and you need to protect everything, not just what happens on your browser. HTTPS can also be susceptible to specific attacks (like Root Certificate Attacks) that a VPN can protect you from.

Erm…depends whether it is a local VPN server, or a 3rd party solution…

OpenVPN does require port forwarding

WRONG!
Encryption is a necessary feature of secure access, but port forwarding directly to HA can have SSL enabled and gain the same encryption.

The main reason to use a VPN over port forwarding directly to a service on HA is that a VPN's only target is to be secure and all other features have been left to the next service after the VPN.
Security holes can be limited to an absolute minimum this way.
Users can be limited to the ones where VPN is needed and thereby being independent of the users needed on HA to get that working.

If you port forward directly to a service on HA, then that service will have to handle both security and features of the service and the features might take priority.
If you forward to the standard port 8123, then you are putting your security in the hands of the developers behind HA and ALL the developers of the integrations and add-ons running in HA; just one of them has to make a mistake in the coding and your security will be breached. Sometimes it is not even a mistake but on purpose to get a feature working.

OK, I guess i’ll add my opinion…

Using DNS only:

It only forwards the DNS registered to you to whatever the public (external) IP address is of your router.

It literally does absolutely nothing for security.

You still have to port forward any external traffic to your internal HA machine port via port forwarding on your router.

EX: Your external IP of your router is 173.32.90.3. The internal HA machine IP is 192.168.1.10. And you have port forwarding set up in your router to forward external port 8123 of your router to the internal IP of your HA machine port 8123. You have a dns service that registers my_dns_name.com to your router external IP address.

Typing 173.32.90.3:8123 on an external browser will take you directly to the login page of your HA installation.

Type the username/password and you are in and can control your home.

By using DNS you will then type my_dns_name.com:8123 on an external browser and it will take you directly to the login page of your HA installation.

Type the username/password and you are in and can control your home.

That’s literally it. There are no other security checks at all other than your HA username/password.

But if the public IP address of your router changes you can still access your router via the my_dns_name.com dns. That way you don’t have to keep track of what the current external IP address of your router is at all times.

Now add letsencrypt to the above:

Now whenever you type 173.32.90.3:8123 or my_dns_name.com:8123 it still takes you directly to the HA login screen but it now will encrypt the username/password that you type in so no one can easily sniff the traffic between your remote PC and your HA instance. Because that traffic is encrypted.

Again, still no other security checks at all other than your HA username/password. Except now when you enter that info into your remote browser no one can peek into your traffic and get the info you type.

Add a VPN:

Normally when you set up a VPN it has you install SSL certificates on the VPN server for the network you want to reach and the device you are using to connect to it.

The SSL certs make sure that you have an encrypted lock and key to your VPN server so that nobody else can (easily) get in. Once in you have full access to your entire internal network just as if you were connected behind your router.

You still need to open the ports on your router and forward those to the VPN service for access on your network, but without the certificate key no one can open the door to the router and get in.

I believe (but not 100% sure) that most VPN servers also encrypt the traffic just like letsencrypt does so there is no change there.

Using Nabu Casa is like using a VPN (except it’s only for HA and doesn’t allow you access to other portions of your network like using a VPN does) but it’s easier to set up since it handles the SSL certs, encryption and opening ports on your router for you.

So use a VPN for better security if you need network wide access from your remote site or don’t want to pay for NC.

But if you only want access to HA, don’t mind paying for NC and want easier setup then use that instead.

I actually use both.

This is all from a non-professional network person so I hope I got things mostly correct.

That is incorrect.
A DNS record maps a name to an IP address and it is static.
If a router's public IP changes, then the DNS record will not change, but keep pointing to the wrong IP.

The reason why duckdns.org, dyndns.com and so on work is because the router or some device behind it has a program running that checks a server on the internet. The server on the internet reports back which IP the connection came from and if that changes, then the program will tell the DNS server to update the DNS record.
It's a workaround and the DNS service was never thought of being used this way, so there are shortcomings to this approach.

One of them is that there is a delay from the detection of the IP change to the update, since the program cannot ask the server all the time. This delay will typically be around a minute, so not much.
Then there is the delay from the update request until the update actually becomes active, which can happen in seconds up to a few minutes.

The worst delay is the caching DNS servers.
A caching DNS server makes a copy of the DNS record and then when someone asks for the record, it just replies with this copy.
A caching server can reply with the copy to another caching server which then has a copy of a copy, and so on.
This is the way DNS is designed to work, since it reduces traffic on the connections. An ISP does not need to ask Google what their google.com IP address is every time a user types that into their browser, because the ISP's caching server stores a copy. This makes more room on the connection to the internet for other things and users get more bandwidth then.

Sometimes the IP address changes and the caching servers need to get this update, so the DNS standard has a time-to-live (TTL) value for all DNS records.
A TTL value is just a number for how many seconds a DNS record may be stored on a caching server, before it becomes stale. It is not a timestamp, though.
Once a caching server copies a DNS record it reads the TTL value and then starts to count it down towards 0.
It's important to notice here that the TTL value is the original one and not the already counted-down one on the server that handed out the copy, so one caching server can be at the counter 1 of 80000 and then hand out a copy to another caching server, and that other caching server will then start at 80000.
That is the reason why the general rule is that changes to a DNS record take 3x TTL to update throughout the internet.

Sadly that is not entirely true though.
duckdns.org uses a TTL of just 60 seconds, so 3x TTL means that the entire internet should be updated within 3 minutes, but some implementations of DNS servers and DNS clients refuse to go that low and when they see such a TTL value they just replace it with what they think is appropriate. Sometimes this might be as much as a week.

The real solution to the DNS problem is in fact not dynamic DNS services, like duckdns.org, but instead IPv6, where all devices can get their own static IP, so a DNS record can be mapped to a static IP that never changes.

1 Like
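The post above describes two mechanisms in words: a dynamic-DNS updater that polls an "which IP did this come from" server and only pushes a change when the address differs, and a chain of caching resolvers that keep serving an old copy until its TTL runs out (with some resolvers substituting a much higher floor for low TTLs). The following is an added example written for this thread, not code from any poster, Home Assistant, duckdns.org or any DNS software. It is a small in-memory model: the echo server, the authoritative server, the host name `home.ddns.invalid`, the addresses, the 60 s TTL/poll interval and the 3600 s floor are all constructed, and the cache follows the post's description of handing a fresh copy the record's original TTL. It shows, on one timeline, why a client behind one resolver sees the new address while a client behind another still gets the old one.

```python
"""Model of a DDNS updater and of stale copies in caching resolvers.

Added example, not from the thread. All names, addresses and timings are
constructed; the servers are in-memory stand-ins, not real services.
"""
from dataclasses import dataclass


@dataclass
class Record:
    ip: str
    ttl: int            # seconds a copy may be held, as published by the owner


class Authoritative:
    """The DNS provider's server; the record here is what the updater rewrites."""

    def __init__(self, name, record):
        self.zone = {name: record}

    def lookup(self, name, now):
        r = self.zone[name]
        return r.ip, r.ttl  # a fresh copy always carries the full TTL

    def update(self, name, ip):
        self.zone[name].ip = ip


class EchoServer:
    """Stand-in for a 'what is my IP' endpoint: it reports the address the
    connection came from. The scenario sets that address directly."""

    def __init__(self, public_ip):
        self.public_ip = public_ip

    def whoami(self):
        return self.public_ip


class DdnsUpdater:
    """Runs on the router (or a device behind it): polls the echo server every
    `interval` seconds and sends an update only when the address changed."""

    def __init__(self, name, echo, auth, interval=60):
        self.name, self.echo, self.auth, self.interval = name, echo, auth, interval
        self.last_ip = None
        self.next_poll = 0

    def tick(self, now):
        """Call as time advances; returns True when an update was sent."""
        if now < self.next_poll:
            return False
        self.next_poll = now + self.interval
        ip = self.echo.whoami()
        if ip == self.last_ip:
            return False
        self.last_ip = ip
        self.auth.update(self.name, ip)
        return True


class CachingResolver:
    """Keeps each answer until its TTL runs out. As the post describes, a copy
    handed downstream carries the record's original TTL, not the seconds left
    here. `min_ttl` models resolvers that refuse low TTLs and use a floor."""

    def __init__(self, upstream, min_ttl=0):
        self.upstream, self.min_ttl = upstream, min_ttl
        self.cache = {}     # name -> (ip, original_ttl, expires_at)

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and now < hit[2]:
            return hit[0], hit[1]
        ip, ttl = self.upstream.lookup(name, now)
        self.cache[name] = (ip, ttl, now + max(ttl, self.min_ttl))
        return ip, ttl


def scenario():
    """Constructed timeline: TTL 60 s, updater polls every 60 s, the public
    address changes at t=45 s. Returns what clients see at a few instants."""
    name = "home.ddns.invalid"
    old_ip, new_ip = "203.0.113.10", "203.0.113.20"
    echo = EchoServer(old_ip)
    auth = Authoritative(name, Record(old_ip, ttl=60))
    updater = DdnsUpdater(name, echo, auth, interval=60)
    big = CachingResolver(auth)                 # a large public resolver
    isp = CachingResolver(big)                  # the client's ISP, behind it
    clamped = CachingResolver(big, min_ttl=3600)  # a resolver ignoring the 60 s TTL

    updater.tick(0)             # first registration; next poll at t=60
    big.lookup(name, 0)         # big caches old_ip, expires at t=60
    isp.lookup(name, 40)        # copy of a copy, but a fresh 60 s: expires t=100
    clamped.lookup(name, 40)    # held 3600 s instead of 60: expires t=3640

    echo.public_ip = new_ip     # t=45: the router gets a new address
    seen_early = updater.tick(45)   # too early, the updater has not polled yet
    updated_at = next(t for t in (50, 60) if updater.tick(t))

    return {
        "seen_change_before_poll": seen_early,
        "updated_at": updated_at,
        "big_at_61": big.lookup(name, 61)[0],
        "isp_at_61": isp.lookup(name, 61)[0],
        "isp_at_100": isp.lookup(name, 100)[0],
        "clamped_at_100": clamped.lookup(name, 100)[0],
        "clamped_at_3640": clamped.lookup(name, 3640)[0],
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:>24}: {v}")
```

Run it as a script to print the timeline. Note the two stale windows it exposes: the ISP resolver keeps the old address until t=100 even though the authoritative record changed at t=60, because its copy was stamped with a full 60 s at t=40; the resolver with a 3600 s floor keeps the old address for an hour after that, which is the "as much as a week" failure mode the post warns about, scaled down so the model stays readable.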

Yeah, sorry. I knew that but I was simplifying just a bit.

I’ll be more clear next time. Thanks for clarifying that for me. :slightly_smiling_face:

However, I think the “limitation” you describe isn’t that big of a deal for a normal residential consumer user whose public IP address changes infrequently and is just using it to connect to their HA instance very occasionally as well. Since most here have been told to use Duckdns as the de-facto DDNS server I really doubt that a three minute update is that much of a show-stopper. Duckdns even has the instructions for users to follow to keep their IP up to date (I think it checks every 5 minutes by default)

And to reiterate I really don’t recommend its use either as a stand-alone solution.

Go with a real/self-hosted VPN or just use NC.

1 Like

I understand that, but I have replied to a few posts that did not understand the basic DNS standard.
My reply was not really to you, but more to other readers.
It's especially the servers and clients that ignore low TTL values that cause the problems.

1 Like