I wanted to test out Nextcloud and I am interested in being able to securely access the server from outside of my home network.
I have seen people use FQDNâs, reverse proxys, and cloudflare tunnels to do this, but to me it would seem much easier just to use Tailscale. That way the server is never exposed to the public internet in any way.
The question I have is this: If I load the Nextcloud client on my android phone and I connect to a coffee shopâs WiFi for example . . . If I forget to âTurn ONâ my Tailscale VPN and the Nextcloud goes searching for my internal tailnet IP address of the server . . . am I, in any way, opening up an opportunity for someone on that Coffee Shopâs Wi-Fi to leverage my phoneâs searching for an IP that doesnât exist?
Hopefully that makes sense.
===========
Now, it doesnât have to be Tailscale.
I have a Unfi Gateway running a Wireguard VPN in which I can access my LAN.
I would think this is just as secure as Tailscale. As long as I am not concerned about anything on my LAN, I would say that the NextCloud instance should be quite safe.
The client will tell you if the servers certificate is wrong. I see why you want to protect it. But 99% of the servers i am installing is public. As long as you stay updated and secure everything the correct way you are not that exposed.
But you client wont expose anything either. It will try to connect to a url but nothing more.
Why are people still doing that in 2025 when thereâs 5G almost everywhere thereâs a coffee shop?
In theory, all kinds of shenanigans can be done with public hotspots. In practice, itâs similar to email links: if you click on a legitimate link, youâre mostly safe â except for the usual metadata collection, of course! So, make sure HTTPS is enabled on your server and that youâre actually connecting to the coffee shopâs Wi-Fi and not to a hotspot set up by the guy in the black hoodie sitting in the corner.
If your server is properly secured with HTTPS, and you donât get asked to install anything in order to connect to a WiFi network, nobody will be able to read the traffic, so you should be fine, even if you accidentally connect to a hotspot set up by the guy in the black hoddie.
However, if the black hoodie guy somehow manages to trick you into installing certificates or malware on your laptop or phone, HTTPS and possibly even a VPN such as Tailscale wonât be of much use anymore. They may then indeed be able to intercept the HTTPS connection. Or, if they have managed to install actual malware, they may even be able to access the data before it is sent to the server via the encrypted connection, or after it has been received on your device.
So, if you connect to public Wi-Fi networks, this also means that the security of your client devices is at least as important as, if not more important than, the security of your server. Because even the most secure server wonât help you if an attacker manages to compromise your client devices.
Rephrasing this - could a malicious actor (if they saw something reaching out to an ip address (say in the RFC 1918 ranges - like 192.168.1.1/24) could they mimic the IP, accept the connection, and then ???
I guess that is what I was getting at.
The Server is fine, I was wondering about the client side of things.
. . . if the client side wasnât using any sort of certificate or SSL to connect on the local network, would that make it more problematic publicly?
I may be thinking about this incorrectly, but I thought Iâd ask.
re: 5G
I travel the world and I am not paying for 5G everywhere I go - thatâs the main reason.
As far as the server/client setup.
Iâve ONLY just started playing with it, so I have yet to read up on setting up the system to use https connections. In fact I was tinkering with CasaOS, and they had a âquickâ (?) install that created the connections that were NOT https . . . and it got me thinking.
Got a link for me to read per chance that takes me straight to the meat of the matter?
It is mostly Hotel Wi-Fiâs that I am connecting to (so, the usual login requests - Name/Room number). Anything else and I slow right down and start looking a lot closer.
Thanks for the warning, but if anything that were to connect to asked me to âinstallâ anything - Iâd be out. There is the usual âAgree to the Terms and Conditionsâ catch all, but thatâs about all Iâd tolerate.
I would think that if the Server was set up without HTTPS, and I were to connect to a public hotspot . . . even though the client wasnât connected to the server, I âfeelâ like Iâd still be asking for trouble.
Yes, because there are possible attack vectors that undeniably exist, which, similar to phishing emails, typically rely on tricking you into doing something. In this case: connecting to a fake hotspot, installing something, accepting an insecure certificate.
No, because if your server is secured with proper TLS certificates, only allows HTTPS connections, and you donât fall for such tricks, then no one can actually read the traffic.
However, public Wi-Fi networks naturally come with privacy implications, as the operator can still see which websites and services youâre connecting to, much like your ISP. This is one of the rare use cases where a privacy-focused VPN like NordVPN, Mullvad, etc., actually may make sense. These services can also help further mitigate some of the risks outlined in section 1. That said, you need to be aware that by using them, youâre simply shifting trust to the VPN provider, who then has access to all that information.
A VPN connection to your home network could to the same, but it depends on how you use it. If youâre only using it to access services hosted at home, it only protects those specific connections - unless youâre routing all of your traffic through that VPN connection, and thus through your home internet connection.
So, after reading all this, you might think: âWell then, doesnât Tailscale mostly only have advantages?â
Yes, but its main advantage lies in the fact that your Nextcloud server is not directly exposed to the internet. This mainly prevents it from being subject to traditional hacker attacks, such as brute-force or DDoS attacks. So, itâs not so much about this specific public Wi-Fi scenario, although it can of course also help with that indirectly. For example, if someone manages to do a man-in-the-middle attack via a fake hotspot (say, because you werenât paying attention, and then also ignored a certificate warning while connecting to your Nextcloud), then itâs definitely beneficial if your cloud isnât directly accessible from the internet, because the attacker might have your password now.
However, I would say that the risk of this actually happening is extremely low, and of course there are also disadvantages if your server is not directly accessible from the internet. The most obvious one being that you canât easily share files with others.
I donât see any risk here either. TLS/SSL or VPN is used. If the applications are implemented correctly, faulty certificates are automatically recognised and blocked. The data is encrypted end-to-end between client and server over the wifi. Of course, the use of incorrect URLs is always a risk. But this cannot happen with a Nextcloud client or VPN client, as you do not adjust the settings when you are on the move.
Hosting Nextcloud via VPN vs. direct access via reverse proxy / web server is a completely different topic. I have no problem having my Nextcloud directly accessible.
With email providers, the web server and IMAP server are also located directly on the internet. Nobody cares about that either.
The risk with Nextcloud for web access and Client / WebDAV is the web server. Of course, you must therefore always keep all packages up to date. But then the web server should also work without errors and not be a real target for attack.
However, if web servers and/or Nextcloud are outdated, which anyone can find out with a simple HTTP request such as https://cloud.server.tld/status.php, then you should not be surprised that your own Nextcloud is attacked.
Ok you can hardly protect yourself from DDoS. Any script kiddy can shoot the Nextcloud from the Internet with little effort and money. But probably also applies to VPN. But the attackers first have to be interested in the on-prem hosted web server / Nextcloud or VPN. How many million Nextcloud instances are there now?
Yes, the public Wi-Fi hotspot scenario is not a good enough reason to put your Nextcloud behind Tailscale imho. This is because if someone manages to trick you into using a fake hotspot and then manages to sniff the packets or to redirect DNS to a phishing site or sonething like that, theyâre probably more interested in your email, PayPal or online banking accounts than your Nextcloud. And to protect you from that, all your traffic needs to go through a VPN, not just the traffic to your Netxlcoud.
Yes and no. With all these attack measures, you will not be able to trick the Nextcloud client, mail client or browser because the certificate no longer matches. Phishing pages with the original name and manipulated DNS such as https://help.nextcloud.com will not work. They must differ by name. And if you look, this is always the case with phishing sites. Exceptions are, for example, malicious code on the device, such as Emotet under Windows, where the client side is manipulated and the user can the see the correct e.g. banking website with correct TLS/SSL certificate. This works because TLS/SSL is an end-to-end transport encryption and the malware manipulates the data on the client side beforehand. Thatâs why only 2FA helps with internet banking. But that is a completely different topic.
Yes, the risk is extremely low and such an attack would therefore not be viable. It would require the user to ignore multiple security warnings and manually install certificates. HTTPS effectively mitigates many of the attack vectors mentioned in the article I linked above, to the extent that they no longer pose a real threat.
So if at all, an attacker would likely resort to other methods, such as luring you to a fake Wi-Fi login page. This would then be a similiar threat to phishing emails, where they try to trick you into entering your credentials on a fake website, and neither HTTPS nor a VPN can protect you from doing that. And if youâre tricked into installing something from such a site, nothing can help you at that point, because the attacker would then potentially have full access to your device and everything on it before anything can be protected by HTTPS or a VPN.
Thatâs why Android is considered less secure than iOS. Unlike iOS, Android allows installation from external sources (apk files from websites). But you first have to allow this in the Android settings. Without this setting, you can only be directed to malicious apps within the Google Play Store. And yes, they do exist. Probably just like in the Apple App Store.
Yeah, I mean, ultimately no device will ever be 100% secure. I prefer an operating system that still lets me make at least some decisions on my own. In the end, if you want a computer to be completely secure, youâd have to disconnect it from all networks, or better yet, just turn it off.
