I have Nextcloud (NC) set up on my local network, without any form of reverse proxy setup or HTTPS (just HTTP). I set it up via a basic Portainer stack on top of an OMV6 installation. I access this system via Tailscale when I am not at home. I do not share this instance with anyone but myself and my devices. My network operates through an OpenWRT router that connects to a standard ISP modem. I have not set up port forwarding as I do not want external services being able to access my network.
My instance does not have file encryption set up and I make use of the SMB features of NC, but again this is all behind a firewall. My NC instance does have a strong password and 2FA enabled.
My main concern is, am I reasonably secure in this setup? Could someone outside my network still intercept my traffic, or bypass and exploit an open port behind my router’s firewall? I understand that if someone is already inside my network then I have little protection but my concern is the much more frequent threat from those outside my network.
Does anyone have any recommendations to improve this setup?
I am thinking of deleting my local IP address from my NC config as well so that I, or someone with access to my network, could only connect via my Tailscale account. I am also considering setting up encryption on the drive my NC is installed on, and creating a separate VLAN for my NC/OMV server.