To mitigate the risks you could put the local server into its own network where it cannot reach anything else in your home.

@Kkk2237pl What are you using for a router? A good uptodate version of something like ooenwrt, a separate subnet running on a different vnet and firewall zone.

Why the vps?

I run my server on the internet, and my security is crowdsec + geo ip block (well, white-list my country’s ip but same idea) and authelia.

Using this setup, I barely ever have even bots randomly pingig me, let alone anyone trying to access my NAS.

I was pondering the same for last couple of days and had some thoughts on how to make it feasible. My research led me so far to 2 prerequisites:

1. must have Anubis in front
2. must have a WAF solution in place that covers at least OWASP Top 10

I found pretty good Caddy documentation that covers both, so I think I’ll deploy a secondary Caddy reverse proxy that’ll perform such ops for public facing services.

Of course, I currently have only 1 Caddy instance reverse proxy ing my internal services, haven’t reached the part on traffic handling when my devices are connected to the “safe network” (aka my home LAN)

@Kkk2237pl Can I suggest that you start with something simple where as much as possible is templated - im like a broken record on this but i use #yunohost simply because heaps of people are using the same config.

The absolute easiest way to securely access your server from over the internet would be to use tailscale or similar, but then you’d have to connect to the vpn service whenever you wanted to access those servers from outside your local network.

Get you a vps and start! Or if you don’t want to pay extra money host a tor service. You don’t have to open ports for that.