Local network access for a mesh VPN access. Non-SSL

“Your data” means your access, not just ownership.

I appreciate that Nextcloud provides a framework for family or business access. Requiring an SSL connection, however, still blocks access to your data if the SSL provider invalidates your SSL cert. I am looking to use a mesh VPN as a local network access. To federate a Nextcloud instance with another instance appears to still require a domain. Federation should depend upon some internal certification, not an externally-approved cert. There are arguments that the SSL is required for browser access, and provides necessary higher-authority certification. The SSL is there for Nextcloud visitors (NOT users), and to ensure that the web experience convinces users of the site that the web site is controlled and secure. It should be up to the Nextcloud admin to determine the security requirements or even roll their own. The mesh VPN should rectify that concern, as it is a WAN VPN which can be trusted, at least to the level of the SSL security if not more.

Does anyone have recommendations as to the use and success of using Nextcloud within a mesh VPN configuration?

Thanks!

Generally speaking, this is not true. Nextcloud does work without HTTPS, but it may be that certain features are limited or not available without HTTPS.

However, this is not directly Nextcloud’s fault, but rather due to the fact that more and more libraries and applications (especially in browsers and mobile apps) at least indirectly require HTTPS for certain features to work. Also, an increasing number of features rely on HTTP2, which doesn’t work without SSL. And yes, the specification would theoretically allow non-SSL connections, but all real-world implementations simply don’t, and you can spend hours debating that, or you can approach it in a more pragmatic way, which is what Nextcloud is doing, and which is what I prefer to do as well.

I’m not sure, but assuming that’s the case, you still don’t need a public domain if you only connect these instances “locally” or over a VPN or mesh/overlay network (instances hosted by others can’t connect anyway if yours is behind a VPN). You could use something like cloud.home.lan or cloud.home.arpa (see “networking - Is TLD .local not a local TLD anymore? - Server Fault”). Of course, in order for this to work, you have to set up your own local DNS zone, but that’s entirely possible without relying on third parties.

However, in order to set up a mesh network, you would likely still need a public domain name pointing to a public-facing coordination server, which is needed for a mesh/overlay network to work properly. Maybe it is somehow possible to set something like this up using just IP addresses, but that would certainly be a challenge in itself :wink:

Well, as I said at the beginning, while it will work without HTTPS, you might run into certain issues, especially in browsers and on mobile devices, so I recommend using HTTPS even if everything is behind a VPN, which of course can also be achieved by setting up your own certificate authority and then rolling out the certificates to the client devices, in which case you wouldn’t be relying on any third parties. Do I think this is worth the effort? No, but it’s certainly possible :wink:

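The private-CA route described in the reply above, written out as an added example (not code from this thread or from Nextcloud): it creates a root CA, issues a server certificate whose subjectAltName is the VPN-only host name, and then runs the two checks a browser performs once the CA is trusted, chain validation and host-name matching. The host name cloud.home.arpa, the CA name and the file names are assumptions; installing ca.crt into each family device's trust store is the “rolling out” step and is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA for a VPN-only Nextcloud
# host. Host name, CA name and file names are assumptions for illustration.
set -eu

# Builds a root CA plus a signed server certificate in $1 for host name $2.
# Prints the working directory so callers can find the files.
make_private_ca_and_cert() {
    workdir="${1:-$(mktemp -d)}"
    host="${2:-cloud.home.arpa}"

    # 1. Root CA: long-lived, self-signed. "openssl req -x509" marks it
    #    CA:TRUE by default; its private key never leaves the admin box.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" \
        -subj "/CN=Home Nextcloud Root CA" >/dev/null 2>&1

    # 2. Server key and CSR for the Nextcloud host.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/server.key" -out "$workdir/server.csr" \
        -subj "/CN=$host" >/dev/null 2>&1

    # 3. Leaf extensions. Browsers match the host against subjectAltName,
    #    not the CN, so the SAN is the part that must be right.
    cat > "$workdir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF

    # 4. Sign the CSR with the private CA; keep leaf lifetimes short.
    openssl x509 -req -in "$workdir/server.csr" \
        -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
        -days 398 -sha256 -extfile "$workdir/server.ext" \
        -out "$workdir/server.crt" >/dev/null 2>&1

    printf '%s\n' "$workdir"
}

# Returns 0 when $2 chains to the CA in $1 and is valid for host name $3:
# the same two checks a browser performs once ca.crt is in its trust store.
cert_trusted_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage: build the files, then confirm the checks pass for the right name
# and fail for the wrong one. Verifying against the system trust store
# (no -CAfile) also fails, which is the point: no third party is involved.
dir=$(make_private_ca_and_cert "$(mktemp -d)" cloud.home.arpa)
cert_trusted_for_host "$dir/ca.crt" "$dir/server.crt" cloud.home.arpa \
    && echo "chain and host name OK for cloud.home.arpa"
cert_trusted_for_host "$dir/ca.crt" "$dir/server.crt" other.home.arpa \
    || echo "rejected for other.home.arpa, as expected"
```

The CA key is the only secret that matters here; keep it off the Nextcloud host and issue new leaf certificates from it as they expire. Clients need only ca.crt, and because that CA is not in any public trust store, a certificate issued by it is worthless outside your own devices, which is exactly the scope a VPN-only deployment wants.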

@bb77 Thank you for your reply. Those are simply assumptions when attempting to get the Nextcloud instances federated. I do not wish to rely upon external SSL connections, which is the reason for my question. It is worth it to me. Since it is an internally facing resource, i.e. family, browsers all demand an SSL. I have not established my own root certificate server, so that points me in some direction. In saying that Nextcloud demands the SSL for federation, this doesn’t change that, when seeking the federation, the predominant use of SSL is to ensure that functionality throughout a (mostly) non-technical family distribution, combined with the browser interface.