NextCloud on Linode with Connection to Data at Home

I have heard of many people trying to provide external access to their in-home installation of Nextcloud. To do so you need to compromise your home security by doing a port forward from your router. As another option, is it possible to install Nextcloud as follows:

  1. Install your Nextcloud server in the cloud (on a service such as Linode)
  2. Connect your Linode Nextcloud server to your home hard drive so that data is saved there

A setup such as this would allow family members to readily connect to the server from wherever they happen to be and would also allow you to utilize your own at-home hard drive (without needing to pay for a lot of expensive cloud storage).

I have a reverse proxy on Linode plus the VPN server, then I connect the Nextcloud instance running at home on a single board computer as a VPN client. Data and NC at home.

Not necessarily. You can use a WireGuard tunnel instead and be very secure.

How? With a port forward or VPN, presumably.

Not true, because thanks to VPN Networks this is not necessary if you wish to avoid port forwarding.

The question is whether you must expose the service to the public internet. If this is a point of concern, you could also use a different Nextcloud for your family than the one you keep available locally. Either way, the Nextcloud frontend has proven extremely robust and hardened. That is why no one is complaining about getting hacked, etc.

So it is sounding like the in-house Nextcloud can be made safe even if providing access from outside. When you say VPN server do you mean VPN router? I actually am running a VPN router at home so perhaps that could factor in to the solution? And actually, my Nextcloud server is already connected to this VPN router (which I can obviously connect to from inside).

VPN router is just a way of selling product; you can use your router as VPN, but I prefer to keep the server outside the premises where I run reverse proxy. If you run on the router, either your router is acting as VPN server or some other location you may or may not be aware of.

You can use OpenVPN Access Server or Tailscale.

OpenVPN Access Server and OpenVPN can provide 2 nodes free licenses for node and connectivity and mobile device.

Lots of videos on YouTube.

I do actually have my Nextcloud server attached to a VPN router. Is there a way to get to that securely from outside? Also, I was thinking that even if I set up my Nextcloud server on Linode and it would need to connect back to my home network to get to the hard drive (e.g. maybe via port forward), at least I could limit that port forward to incoming traffic from a specified IP address.

Hello,

I kind of disagree with this notion.

Your home network is always exposed to the internet. It is your router / firewall preventing unauthorized entry.

Ubuntu with default basic installation along with simple basic web etiquette like Strong Password is more than enough.

Unless some govt level hacking attempt is targeting your home network, you are good.

But if you need such a level of security, it's better to offload this hosting to some professional service provider rather than being DIY!!

Thanks.

I think the best way is to have the Nextcloud service and the data at the same place (performance, stability). But you can also install Nextcloud on Linode and host some of your data at home with External Storage, but that is mostly bad and I advise against it.

Three ideas:
1.) Nextcloud and data at Linode
2.) Nextcloud and data at home with Nextcloud access from the internet (port forwarding at router, Let's Encrypt certificate, …, maybe 2FA for web access from the internet)
3.) Nextcloud and data at home with VPN (I advise against it if you want to use Nextcloud clients, e.g. Android or iOS)

Now select: 1, 2, 3

Another good option would be to run Nextcloud at home and run a reverse proxy on the VPS over a VPN tunnel.

See, this part of what you’re saying is terribly vague because you don’t connect to a hard drive via port forward unless you’re talking about iSCSI.

Yes, perhaps I have been somewhat misguided or have the wrong idea on port forwarding not being secure. If it can be made secure then I would pursue that option. Thanks for the feedback.

I can see the point of having server and data in the same place. I might put the data with Linode, although that gets somewhat expensive especially when I do have hard drives at home that I could make use of. So maybe put aside option 1. Option 2 would be good provided that security is OK - based on what I have read in a number of the responses, I shouldn’t be so concerned about that. So what I wonder about is what do I have available to me under option 2 to ensure security. You mention encryption and 2FA; others have mentioned VPN tunnel and WireGuard. What do most do when they put their Nextcloud server on their primary router?

@sambo
I think there is no real security risk for option 2. You port forward 80/443 on your router to your webserver/Nextcloud service. I think if all is up to date there is no real problem. You could possibly separate the webserver/Nextcloud from your LAN in a DMZ if you are afraid that someone will attack your webserver/Nextcloud.

I am not a fan of it because then the data must go a bypass to Linode and then to home. It may be somewhat safer, since only Linode is directly attackable.

You should do HTTPS encryption and 2FA in all cases regardless of what kind of setup.

That really depends on the setup. There are a couple ways to work around that where you can still access it locally. For example you can use split horizon DNS and a valid or manually trusted certificate and skip the VPS reverse proxy from the LAN.

It’s a little more advanced setup, but we’re going down the rabbit hole on this one anyway, so why not.

@KarlF12
Yes, it is an option to host the “web gateway” (reverse proxy) at Linode and the rest at home. But it is not my setting. I don’t see the security risk for hosting only at home.
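
The layout several replies describe (reverse proxy on the VPS, Nextcloud and data at home, joined by a WireGuard tunnel), sketched as an added example that is not from any poster in this thread. The 10.8.0.x addresses, port 51820, the host name vps.example.com and the key placeholders are assumptions.

```ini
# ---- VPS (e.g. Linode): /etc/wireguard/wg0.conf ----
[Interface]
# Tunnel address of the VPS (assumed subnet)
Address    = 10.8.0.1/24
# The only WireGuard port that has to be reachable from the internet
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# Home Nextcloud server
PublicKey  = <HOME_PUBLIC_KEY>
# Accept tunnel traffic from this one address only
AllowedIPs = 10.8.0.2/32

# ---- Home server: /etc/wireguard/wg0.conf ----
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort and no port forward on the home router:
# the home side dials out to the VPS.

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = vps.example.com:51820
# Only the VPS tunnel address is routed through the tunnel,
# so the VPS gets no route into the rest of the home LAN.
AllowedIPs = 10.8.0.1/32
# Keeps the NAT mapping on the home router open so the VPS
# can reach the home server at any time.
PersistentKeepalive = 25
```

With this in place the reverse proxy on the VPS forwards requests to 10.8.0.2, and Nextcloud's `trusted_proxies` setting in config.php should list 10.8.0.1 so that client addresses are logged correctly. A host firewall on the home server can additionally limit what 10.8.0.1 may reach to the web server port.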