NextCloud with Wireguard: which ports to open to stay secure

Operating system and version (eg, Ubuntu 20.04): Raspbian GNU/Linux 10
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.28
PHP version (eg, 7.4): 7.3.27-1

I successfully installed at home NextCloud together with Wireguard on a Raspberry Pi 3B+ (OS : Raspbian).
I opened on my server the port 51820 for Wireguard.
If I open the ports 80 and 443 for NextCloud on the server, my understanding is that the trafic between NextCloud and my computer/smartphone (when I am not at home) will not go through the vpn.
If I am right, is there a way to get the external trafic for NextCloud go through the vpn ? How ?

With VPN solution like Wireguard you are able to access internal network resources like Nextcloud without exposing them to the internet (port forwarding). If you only want to access you Nextcloud instance from your local network and through VPN on-th-go, you need to open a port for Wireguard only. Traffic will flow through VPN tunnel once you enable it, independent from the fact if you exposed or not you Nextcloud instance to the internet.

If you want to access you Nextcloud instance directly from the internet (without VPN) or maybe share you data with external people you need to make Nextcloud available from the internet. This way you don’t need Wireguard (at least not for Nextcloud) - but you can still use it.

Thank you Willi for your clear answer !

As said, I opened up the 51820 port on my server for Wireguard. I also installed the vpn client on my mobile. It works well.
But how can I access through the vpn my NextCloud (installed on the same Raspberry than Wireguard) ?
What address should I search for on my smartphone (or other device ) to connect NextCloud ?
Should I put some parameters to the installed Wireguard ?
Let me explain my installation:

  • Box from Orange (my ISP) to connect to the internet,
  • no fixed ip from internet
  • NAT open port for Wireguard: 51820
  • local network IP:
  • fixed local IP (
  • Wireguard installed, to solve the problem of the not fixed ip from my isp,
  • NextCloud installed

The ping is ok.
When I call with my smartphone (not connected in wifi) through the vpn :

I really wonder if I should add some parameters to the wireguard installation since Nextcloud is called with another port (9321) in this video (see captured screens). But I don’t know how to give this parameter to Wireguard… Andrea set up the install with Docker

SC Rasp1

In case you may help me solve this…

Thank you for your patience and help !

hi @Dom_Dom connection from (Wireguard) VPN should be more or less the same as you have internally from your LAN.
I still don’t understand how you installed your Nextcloud instance. Is it running direct on Raspi, is it docker or any other virtualisation technology? How do you access you Nextcloud from your internal LAN (note the IP).

As next step I would double check which IP you see when you contact from Wireguard VPN - is it you public IP, is in internal of the Raspi (or you Nextcloud). If the IP is internal - it is expected to work exactly the same as within your internal LAN.

If the address resolves to the public IP you may hit rebind protection or “internal LAN IPv6 issue” - you find lot of examples searching this forum for rebind issues like here or here some of the posts are in German but Google translator or deepl are really good today :wink:

1 Like

Hi Willi,
Thank you a lot for your help.
For whatever reason, it now works like a charm…
I can now access to NextCloud both from my local network and from internet through the VPN.
The local Raspberry address works perfectly as well as the Wireguard address
I really have no clue as to why it did not work before (may be too many attempts to connect incorrectly ?)…
The only point I wonder is how to unconnect when using the NextCloud application on Android (because when I don’t use the VPN, I would not like hijackers steal my id or password) ? In a browser, there is an Unconnect item in the user menu, but not on the Android app.
Anyway, thank you a lot Willi !!

great to hear it works

sometimes wait a little and restart helps…

in my eyes you don’t need to worry about this. The client (and even active browser session) don’t reveal your user data to anybody, because you session is bound to specific host - if this host is not accessible in your network nobody will see the cookie/sessionid with your login information… depending on how you access your system there is a theoretical chance somebody could intercept this data but this rather theoretical (e.g. you use IP address to access the host, and same IP address exists in the network you connect then - which is unlikely for private addresses - especially if you don’t use popular IP range like 192.168.0.x). You could even increase the security by using hostnames and adding SSL certificates - but this has a drawback you need to expose your host to the internet to acquire public letsencrypt certificate or deal with self-signed certificate which is painful.

1 Like

So I won’t worry about my last point !
Thank you again for your kind help !