paulschofield, posted August 3, 2023:
I'd like to set up secure external access to my server. Before I go through the steps of obtaining a domain, security certificate etc., I was wondering if there was another way. If I had a VPN on my server (Mac) and a VPN on the player (Firestick), would that suffice? Traffic leaving my server and being received by the player would be encrypted.
Luke, posted August 4, 2023:
Hi, in theory, but I think SSL is the better route.
paulschofield, posted August 4, 2023:
Thanks Luke, I might give it a try. Someone else posted that traffic between the VPNs will be in the open, and technically that's true, but in all honesty should I really care? (This person has deleted their comment but I still received the email.)
Luke, posted August 4, 2023:
Some users who may have insight on that are @pwhodges, @rbjtech and @Zenith Media.
rbjtech, posted August 4, 2023 (edited August 4, 2023 by rbjtech):
TLS is the de facto standard and fully portable, and these days is pretty simple to set up - VPN, on the other hand, has the dependency of the agents running and is not necessarily guaranteed to encrypt end-end anyway ('part' of the path may be in the clear). As per Luke's advice, I agree - go with TLS first, and then add layers of protection if you need the enhanced security, such as VPN (to hide your public IP), Reverse Proxy (adds TLS abstraction), IPS (to inspect packets), etc.
PS - TLS is the modern form of SSL, which was deprecated many, many years ago...
pwhodges, posted August 4, 2023:
Agreed. But consider adding a reverse proxy immediately, as it may be the easiest way to get TLS, rather than getting (and renewing) a certificate separately and installing it in Emby. Caddy, in particular, automates that completely for most situations.
Paul
paulschofield, posted August 4, 2023:
I realise the traffic will be unencrypted between the two VPN connections but both IPs will be anonymous. Shouldn't that be enough or am I missing something?
TMCsw, posted August 5, 2023:
49 minutes ago, paulschofield said:
> I realise the traffic will be unencrypted between the two VPN connections but both IPs will be anonymous. Shouldn't that be enough or am I missing something?
Generally a VPN will not allow incoming connections (remote users can't connect to the VPN, unless you/they allow and use port forwarding). That is if you are talking about VPNs like Nord, PIA, Express, etc. If you're running a self-hosted VPN then that's a different story.
TeamB, posted August 6, 2023:
On 8/4/2023 at 6:40 PM, rbjtech said:
> not necessarily guaranteed to encrypt end-end anyway ('part' of the path may be in the clear)
On 8/5/2023 at 9:54 AM, paulschofield said:
> I realise the traffic will be unencrypted between the two VPN connections
I am a little confused by these statements; is someone able to elaborate on this?
MrPaulo, posted August 6, 2023:
I have Emby working from a Docker container in a Synology NAS. I use Synology's built-in reverse proxy to provide SSL. I expose the reverse proxy custom ports. The SSL provided by the Synology box is Let's Encrypt - updated out of the box. (In the Synology control panel go to advanced --> reverse proxy.) I run my own DNS server in Synology (I mimic DDNS with a CNAME to no-ip free DDNS and have DDNS being updated by my routers). As an extra layer of obfuscation I use a prefix domain (e.g. Emby29293.mydomain.com); this way, unless the correct domain hits the Synology box, it will not be redirected to Emby. I have also completely disabled in Emby any of the functionality to bypass login or show usernames - the interface exposed to the net is a username/password screen. In comparison, implementing VPN is an extra layer - I use VPN but only for apps that don't have a good security layer - I moved from application SSL to Synology - one point to manage certificates.
rbjtech, posted August 6, 2023:
4 hours ago, TeamB said:
> I am a little confused by these statements; is someone able to elaborate on this?
Not sure what @paulschofield means about no encryption - I never said that.. To clarify - as I know you are fully aware of this In referring to end-end encryption. If using http/in the clear - then any 'encryption' done by the VPN is only being done between the two VPN clients. If the VPN endpoint sits on, let's say, a shared router (as opposed to the end client) - then from that point to the end device, it's in the clear. In the grand scheme of things, a VPN is obviously better than http only, but is typically less secure end-end (from a purely encryption point of view) than https. https could be intercepted with MITM attacks, so obviously is not 100% safe either. In summary, the primary purpose of a VPN is to tunnel traffic across two end points, but imo, it should not be used as a https substitute.
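The reverse-proxy route that pwhodges and MrPaulo describe, written out as an added example (not posted by anyone in this thread): a Caddyfile that terminates TLS in front of Emby. The hostname is a placeholder in the style of MrPaulo's prefix domain, and `127.0.0.1:8096` assumes Emby listens on its default HTTP port on the same machine as Caddy.

```caddyfile
# Added example, not from the thread. Hostname and upstream are assumptions.
# Caddy obtains and renews the certificate for this name automatically and
# redirects plain HTTP to HTTPS, provided the name resolves to this host and
# ports 80 and 443 are reachable from the internet.
emby29293.example.com {
	# TLS ends here. The hop to Emby is plain HTTP, so keep it on loopback
	# (same machine) rather than sending it across the LAN in the clear.
	reverse_proxy 127.0.0.1:8096

	# Tell browsers to use HTTPS only for this host for the next year.
	header Strict-Transport-Security "max-age=31536000"
}
```

With this in place only ports 443 and 80 need forwarding on the router; Emby's own port stays unreachable from outside.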