Nextcloud behind router with port forwarding disabled - security concerns and improvements using Tailscale?

I have Nextcloud (NC) set up on my local network, without any form of reverse proxy or https set up (just http). I set it up via a basic Portainer stack on top of an OMV6 installation. I access this system via Tailscale when I am not at home. I do not share this instance with anyone but myself and my devices. My network operates through an OpenWRT router that connects to a standard ISP modem. I have not set up port forwarding as I do not want external services to be able to access my network.

My instance does not have file encryption set up and I make use of the SMB features of NC, but again this is all behind a firewall. My NC instance does have a strong password and 2FA enabled.

My main concern is, am I reasonably secure in this setup? Could someone outside my network still intercept my traffic, or bypass and exploit an open port behind my router’s firewall? I understand that if someone is already inside my network then I have little protection but my concern is the much more frequent threat from those outside my network.

Does anyone have any recommendations to improve this setup?

I am thinking of deleting my local IP address from my NC config as well so that I, or someone with access to my network, could only connect via my Tailscale account. I am also considering setting up encryption on the drive my NC is installed on, and creating a separate VLAN for my NC/OMV server.
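The post above talks about removing the LAN address from the Nextcloud config. The setting in question is the `trusted_domains` array in `config.php`, and it is worth being precise about what it does: Nextcloud compares the request's Host header against that list, so removing `192.168.x.y` only makes Nextcloud refuse requests addressed that way; the TCP port is still reachable from the LAN. To stop LAN clients altogether the published port has to be bound to the Tailscale address (Docker's `-p IP:hostPort:containerPort` form, or the same string in a Portainer/compose `ports:` list). The script below is an added example written for this thread, not code from the original post or from the Nextcloud project. It parses `trusted_domains` out of a constructed `config.php` (the instance id, addresses and the `omv.example-tailnet.ts.net` name are made up), classifies each entry as LAN, Tailscale (100.64.0.0/10 and fd7a:115c:a1e0::/48 are the ranges Tailscale assigns from), loopback, hostname or public, and derives the Tailscale-only port binding.

```python
"""Audit the network exposure described by a Nextcloud config.php.

Added example for this thread, not code from the original post or from
Nextcloud. It reads the 'trusted_domains' array out of a config.php
(a PHP file, so a small regex parser is used rather than executing it),
classifies each entry, and derives the Docker port binding that would
publish the web port on the Tailscale address only.
"""
import ipaddress
import re

# Tailscale hands out addresses from these ranges (CGNAT v4, ULA v6).
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample resembling the setup in the post; every value
# (instance id, addresses, tailnet name) is made up for the example.
SAMPLE_CONFIG = r"""<?php
$CONFIG = array (
  'instanceid' => 'ocexample1234',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.1.50:8080',
    2 => '100.101.102.103',
    3 => 'omv.example-tailnet.ts.net',
  ),
  'datadirectory' => '/var/www/html/data',
  'overwriteprotocol' => 'http',
);
"""


def parse_trusted_domains(config_text: str) -> list[str]:
    """Return the string entries of the trusted_domains PHP array."""
    m = re.search(r"'trusted_domains'\s*=>\s*array\s*\((.*?)\)", config_text, re.S)
    if not m:
        return []
    return re.findall(r"=>\s*'([^']*)'", m.group(1))


def split_host(entry: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a trusted_domains entry."""
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:  # host:port, not a bare IPv6 literal
        return entry.split(":", 1)[0]
    return entry


def classify(entry: str) -> str:
    """One of: hostname, loopback, tailscale, lan, public."""
    try:
        ip = ipaddress.ip_address(split_host(entry))
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILSCALE_NETS):  # checked before is_private on purpose
        return "tailscale"
    if ip.is_private:
        return "lan"
    return "public"


def tailscale_port_binding(domains, host_port=8080, container_port=80):
    """Docker 'ports' entry that publishes only on the Tailscale v4 address.

    Returns None when no Tailscale v4 address is among the trusted domains.
    """
    for d in domains:
        if classify(d) == "tailscale" and ":" not in split_host(d):
            return f"{split_host(d)}:{host_port}:{container_port}"
    return None


def audit(config_text: str):
    """Classify every trusted domain and list the findings a reviewer would raise."""
    domains = parse_trusted_domains(config_text)
    report = {d: classify(d) for d in domains}
    findings = []
    lan = [d for d, c in report.items() if c == "lan"]
    if lan:
        findings.append(
            "trusted_domains lists LAN addresses %s; this is only a Host-header "
            "check, so removing them does not stop LAN clients reaching the port" % lan
        )
    if re.search(r"'overwriteprotocol'\s*=>\s*'http'", config_text):
        findings.append("overwriteprotocol is http: links and redirects are generated as plain http")
    binding = tailscale_port_binding(domains)
    if binding:
        findings.append(f"to publish on the tailnet only, use ports: '{binding}' in the stack")
    return report, findings


if __name__ == "__main__":
    rep, finds = audit(SAMPLE_CONFIG)
    for d, c in rep.items():
        print(f"{c:10} {d}")
    for f in finds:
        print("-", f)
```

Run it against a real `config.php` by replacing `SAMPLE_CONFIG` with the file's contents. Binding the published port to the Tailscale address is preferable to relying on host firewall rules here, because Docker programs its own iptables chains for published ports and a rule added to the host's INPUT chain does not necessarily cover them.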

It depends a lot on the security of this service, and we are no experts here, to judge the advantages compared to a usual VPN connection. SSH/VPNs are packages that are actively reviewed and can probably be considered relatively secure when properly kept up to date (even when the ports are exposed).

You could do that, also prohibiting direct connections from your Nextcloud server to the outside (which is, however, a problem if you want to run updates on NC, NC apps and the system), so it reduces the comfort.

I’d consider using containers (VeraCrypt etc.) for sensitive information as an independent additional layer of security.

My setup is similar to yours but I am using owncloud where the router is locked and does not allow port forwarding. I am using cloudflare tunnel to access my files via the internet and it works extremely well.

Yes, because it is all within Wireguard Go.

You could set up a DHCP server and/or reverse proxy in order to stop using IPs. It is for convenience and laziness as much as security. Both make life easier and would add https.