Security: Is it safe to connect to Nextcloud 'naked' (that is, without VPN) on public Wi-Fi?

  • Connecting to a listed Nextcloud provider.
  • Or connecting to your own instance.

Let’s say the only service I want to use while logged in over public Wi-Fi is Nextcloud. Otherwise I’m just reading news sites and I don’t care whether anyone is watching me doing so. Do I need a VPN? All in all, I’m not sure:

1 Like

Activate two-factor authentication on your Nextcloud instance and make sure it has a proper SSL cert…

No-one can guarantee safety, of course, with anything that involves an online connection. Personally I’d recommend the added security of a good VPN, particularly for public access points. I think it’s far more probable that a bug in the Nextcloud stack, or a misconfiguration, would expose you to an attack. I’d have a lot more confidence in an OpenVPN connection not being compromised, and at the very least, it’s an extra barrier for an attacker to deal with.

However as long as the connection is done via modern https, I would call this secure as well. Depends on how sensitive the data is in the end. A VPN is a second layer of course. I would recommend WireGuard over OpenVPN nowadays.

1 Like
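The two replies above ("a proper SSL cert" and "modern https") can be made concrete. The following is an added example written for this page, not code from the thread or from the Nextcloud project: it checks, from the client's side, the three things a browser or the Nextcloud client must be sure of before it sends a session cookie over public Wi-Fi: a certificate valid for the exact host name and not expired, TLS 1.2 or newer, and an HSTS header so the browser never silently falls back to plain http. The host name cloud.example.org, the certificate dictionaries and header values used with it are constructed; the 15552000-second HSTS threshold is the minimum Nextcloud's own admin security check asks for.

```python
"""Client-side check of what "modern HTTPS with a proper certificate" means.

Added example, not code from the thread or from Nextcloud. All host names,
certificate fields and header values used to exercise it are constructed.
"""
import socket
import ssl
import time

HSTS_MIN_AGE = 15552000  # 180 days: the minimum Nextcloud's admin security check asks for
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hostname_matches(pattern, hostname):
    """RFC 6125-style name match: exact, or one leading wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.org" covers exactly one label: it matches cloud.example.org,
    # but neither example.org itself nor a.b.example.org.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """dNSName SAN entries of an SSLSocket.getpeercert() dict; subject CN only as fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_problems(cert, hostname, now=None):
    """Return a list of problems with the peer certificate; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"certificate is not valid for {hostname} (names: {names})")
    if "notAfter" not in cert:
        problems.append("certificate has no notAfter field")
    else:
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        if expires <= now:
            problems.append(f"certificate expired on {cert['notAfter']}")
        elif expires - now < 14 * 86400:
            problems.append(f"certificate expires within 14 days ({cert['notAfter']})")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append(f"certificate not yet valid (notBefore {cert['notBefore']})")
    return problems


def tls_problems(version):
    """Flag anything older than TLS 1.2, given the string returned by SSLSocket.version()."""
    return [] if version in ("TLSv1.2", "TLSv1.3") else [f"negotiated {version}; require TLS 1.2 or newer"]


def parse_headers(raw):
    """Header block of an HTTP/1.1 response (bytes) -> dict; later duplicates win."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def hsts_problems(headers):
    """Check Strict-Transport-Security so a browser refuses to downgrade to plain http."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"malformed HSTS header: {value!r}"]
    problems = []
    if max_age < HSTS_MIN_AGE:
        problems.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        problems.append("HSTS lacks includeSubDomains")
    return problems


def probe(hostname, port=443, timeout=5.0):
    """Connect to a live host and run every check above (needs network access).

    create_default_context() validates the chain against the system trust store and
    the name against server_hostname, so a self-signed or wrong-host certificate raises
    ssl.SSLCertVerificationError before anything is sent: the right outcome on public Wi-Fi.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            problems = tls_problems(tls.version()) + cert_problems(tls.getpeercert(), hostname)
            # /status.php is Nextcloud's unauthenticated status endpoint.
            tls.sendall(f"HEAD /status.php HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
            response = b""
            while b"\r\n\r\n" not in response:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                response += chunk
            problems += hsts_problems(parse_headers(response))
    return problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "cloud.example.org"  # constructed placeholder
    found = probe(host)
    print(f"{host}: " + ("looks fine" if not found else "\n  ".join(["problems:"] + found)))
```

Run it as `python3 check_tls.py cloud.example.org` against your own instance. Note that the live probe cannot reach the header check at all when the certificate is bad: the default context refuses the handshake, which is precisely what protects you from a rogue access point presenting its own certificate. Two-factor authentication, as recommended above, is the complement to this: it limits what a stolen password is worth if the TLS side ever does fail.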

AFAIK, WireGuard hasn’t hit 1.0 yet and is still not officially recommended for production use. I’d like to see it audited and mature for a while before switching. Once it’s proven dependable, it certainly has many advantages, not the least the far smaller codebase, which is a big plus for security.

I know of these restrictions, but I have been running WireGuard on my private VPN for 2 months now. It is rock solid and really easy to install.

Sure, there’s a lot of folks out there making use of it. I’m just saying that while it may be stable in terms of performance, we don’t yet have much basis to know quite how solid it is in terms of security.

1 Like

That will be resolved very shortly, matter of months…
It won’t make it into 20.04 LTS, but should be backported shortly after.

The next Linux kernel, 5.6, also has native WireGuard, as will the next Debian, etc. Sure, for professional use I would also wait for an official stable release, but for private use, IMO, the much easier configuration allows especially less experienced users to set up a secure VPN easily, compared to OpenVPN, where one always needs to take care of proper configuration.

How’s that going to change matters? WireGuard is a new VPN option, an effective one, but it’s still a VPN?
By the way, you can use WireGuard already today; I run it on my Pi-hole.

How’s that going to change matters?

How solid a product is in terms of security (WireGuard in this case) is mostly a perception issue.
WireGuard has proven to be useful - and much more efficient - for years.

And the perception will change the moment Linus blesses it to be in the kernel…

1 Like

I’d say it’s a bit more than a perception issue. With OpenVPN, it’s mature, widely deployed in production, and has had a proper security audit.

With WireGuard, it’s still not quite at version 1.0, has no audit, and their official position still says this:

Some parts of WireGuard are working toward a stable 1.0 release, while others are already there. Current snapshots are generally versioned “0.0.YYYYMMDD” or “0.0.V”, but these should not be considered real releases and they may contain security quirks

So, if security is the concern, there’s a pretty decent basis to say that sticking to OpenVPN for the time being is probably wise.

Strictly speaking, you are right, of course. But this should count for something

…compared to the horrors that are OpenVPN and IPSec, it’s a work of art.

I’ve been running it on my router (DD-WRT firmware) for over a year.
Just the convenience factor makes you wonder why this didn’t happen years ago…

WireGuard might not have had a proper audit.
But OpenVPN by now can’t be properly audited due to its sheer size and “hoarding” mentality…

Linux 5.6 with WireGuard 1.0 has been signed off by Linus…

TLS/SSL and VPNs use the same or different encryption. Both can be a security problem.
Do not use TCP/IP… use IPoAC

Ubuntu 20.04 LTS has been released, with WireGuard already in it.

It will also be backported to 18.04 LTS… (!)