Restrict Nextcloud over VPN except Talk

Hi everyone

We want to restrict our Nextcloud to VPN access only. But we want Nextcloud Talk open to the public, so people can communicate and talk easily on the mobile apps without a VPN.

Is there any suggestion or solution for this?

NC: 25.0.3
OS: Debian 11

Nextcloud Talk is highly integrated with Nextcloud, so I’m pretty sure this isn’t possible. Or at least not without doing some major changes to the code base of the Nextcloud Core and / or the Talk app itself.

Hi,

It might be possible with a WAF or a firewall with an integrated VPN and/or an application layer firewall policy.

My idea (not sure it will work without doing some tests) is to block any HTTPS request from the public interface that is not destined for URLs like:

And only have another fall-through policy that allows access to your Nextcloud server from the VPN interface.

But this solution would demand a lot of debugging and time, since Nextcloud is not meant to be used this way.

What I would recommend is to use a reverse proxy, WAF, IPS, and other security solutions that are meant to protect web servers. It would be much easier and more effective.

I think in this case you must use software acting as a MitM to analyse the TLS/SSL traffic. But maybe it is possible.

Another idea:
Perhaps it is possible to use two names, e.g. talk.domain.co and cloud.domain.co. From the internet, access to cloud.domain.co is not possible (e.g. via the nameserver, but that is not sufficient for safety reasons). Access to talk.domain.co is possible from the internet. Then you can hopefully (!!!) modify some Nextcloud settings (e.g. .htaccess for Rewrite) to deny the domain talk.domain.co for normal Nextcloud features, but not for Talk.

First add the second name talk.domain.co and test Nextcloud Talk. Then test deactivating talk.domain.co for the normal Nextcloud services. And when that works, deny access from the Internet.

1 Like

Hi thank you for your reply

We are already using a WAF (hosting firewall) and a reverse proxy to secure our NC instance running on a separate VPS. But to secure it more, we want to restrict it to VPN access.

Yes, this is a good idea, but our hosting firewall only allows us to restrict IPs, not URLs. But this suggestion is good. We need to make some rules in our nginx reverse proxy, I guess, and restrict VPN access through nginx instead of the firewall. Not sure it will work, need to test. We also need to discuss/analyse how reliable it is to restrict from nginx.
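One way to express the "allow only Talk from the public side, everything from the VPN" rule in an nginx reverse proxy. This is an added example, not configuration from the thread or from the Nextcloud project; the VPN subnet, backend address, certificate paths and the list of Talk path prefixes are assumptions, and the prefix list is deliberately incomplete: it must be completed from the proxy's own access log while exercising the mobile app, exactly the tedious work the thread describes.

```nginx
# Added example: expose only Nextcloud Talk publicly, everything else VPN-only.
# 1 = request comes from the VPN client subnet (assumed 10.8.0.0/24).
geo $from_vpn {
    default      0;
    10.8.0.0/24  1;
}

# 1 = normalized path ($uri, already percent-decoded and dot-segment-free)
# starts with a prefix the Talk mobile app is assumed to need. Incomplete;
# extend it from the access log rather than guessing.
map $uri $is_talk_path {
    default                                0;
    ~^/status\.php$                        1;   # server discovery
    ~^/index\.php/login/                   1;   # login flow used by the apps
    ~^/ocs/v[12]\.php/cloud/capabilities   1;   # feature negotiation
    ~^/ocs/v[12]\.php/cloud/user           1;   # current user info
    ~^/ocs/v2\.php/apps/spreed/            1;   # Talk API (app id "spreed")
    ~^/ocs/v2\.php/apps/notifications/     1;   # push/notification polling
    ~^/avatar/                             1;   # participant avatars
}

# Deny only when the client is NOT on the VPN AND the path is NOT Talk.
map "$from_vpn$is_talk_path" $deny_request {
    default 0;
    "00"    1;
}

server {
    listen 443 ssl http2;
    server_name cloud.example.com;                        # placeholder name
    ssl_certificate     /etc/ssl/certs/cloud.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/cloud.example.com.key; # placeholder

    location / {
        # "return" inside "if" is one of the safe uses of nginx "if".
        if ($deny_request) { return 403; }

        proxy_pass http://127.0.0.1:8080;                 # assumed NC backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If the hosting WAF sits in front of this nginx, `$remote_addr` is the WAF's address, not the user's, and the `geo` match is meaningless until `set_real_ip_from`/`real_ip_header` are configured for that trusted hop; watching for 403s in the access log from VPN clients is the quickest way to spot that mistake and to find missing Talk prefixes.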

The easiest method would be a secondary Nextcloud. Why not shield yourself entirely from external traffic accessing your otherwise secure system?

Or, use Rocket.chat as your external chat and integrate it into your Nextcloud. Works wonderfully and has that familiar Slack/Discord interface everyone is used to.

2 Likes

Also, depending on what the underlying goal is, Talk is tightly integrated into Nextcloud; for example, you can access/share files with Talk. So if your idea is to not be able to access files, for example, Talk will basically work around that idea…

Maybe https://docs.nextcloud.com/server/stable/admin_manual/file_workflows/access_control.html makes sense for you? But then again, the idea of @just might be a good solution.

1 Like

Well, if @dolphinscorp is going to block the URL to the files app, users will probably not be able to access the files anymore. But this can lead to all sorts of unexpected side effects, because as you and I already said, Talk is highly integrated with Nextcloud. And even if you manage to get URL filters / block lists working properly, it’s a tedious process, which is way too error prone and needs to be reviewed after every change you’re doing to your setup.

Security-wise it’s also a questionable thing to do, since you still have to log in to your Nextcloud. This means that there is a high risk of some less obvious things still being accessible, which then could be exploited by the users, and even more so by a hacker.

I would not recommend going down this rabbit hole, and instead use something completely separate, as @just already recommended.

Yep! 🙂

1 Like

Totally agree, this just leads to a false sense of being secure.

1 Like

Thank you for all valuable comments.

You are all right. Still, we need to secure our environment. For file sharing, we have created an external file share mechanism like WeShare. @just's suggestion of Rocket.Chat is also good for reaching this goal. Through Rocket.Chat people can chat and share files as well.

It's our organization's requirement. We are considering all suggestions; if someone has more suggestions, please write them, this would be helpful.

So, you only want to use Talk then, or are you still using other parts of Nextcloud?

@SysKeeper Thank you for asking. We just want to use talk.

Maybe you can uninstall some Nextcloud apps if you do not need them. Maybe you can set the quota of the user to 0 MB. Maybe you can use two Nextclouds. One Nextcloud only for Talk and another Nextcloud for files, …

Actually, we want to use the same Talk, so when users connect to Talk through the mobile app or from a laptop through the VPN, they should have the same Talk history.

We are looking and searching/testing workarounds and will also update here about the progress.

Then I don't really understand your question; you can then restrict the whole Nextcloud installation to be accessible only from the internal/VPN network?!

Yes, right. Nextcloud fully accessible via the VPN IP only. Users who connect to the VPN can connect to Nextcloud.

And allow only Nextcloud Talk to be publicly accessible, so mobile users can talk/chat/call etc. There is no requirement for file sharing through Talk etc.

Now I’m a little bit confused…

Why restrict it at all if you're only going to use the Talk part anyway? Just set the storage quotas to zero for all users, and they can't store any files.

And I would even go one step further… Why use Nextcloud at all, if you only need chat and video calls? I mean, don’t get me wrong, Nextcloud Talk is a good product, but its biggest strength is the fact that it is tightly integrated with Nextcloud. So, if you don’t use any of Nextcloud’s other features, I think there are better standalone solutions, like e.g. Rocket.Chat (Slack alternative) or Jitsi (video conferencing).

Hi @bb77 thank you for your comments.

We are fully utilizing Nextcloud in our environment (which is now publicly accessible on a VPS). We want to secure it so that only VPN-connected users (our official users) can use it, and hide it from the public internet.

For the users' convenience, we are looking for a solution so that our users do not have to configure a VPN on mobile to chat or make urgent calls on Talk.

This is tricky, but we need to do it even though Talk is highly integrated with Nextcloud. Looking into it and will post progress here.

Hi all,

In continuation of the above, I just want to ask if someone has an idea: for example, if we create another Nextcloud instance (fresh installation) for Talk purposes only, is it possible to replicate only the Talk history/current conversations in a bidirectional way? Maybe something is possible with replication of specific MySQL tables?

Any idea/possibility?