*.home.arpa or custom domain as FQDN for more secure remote access?

rollsfrost

New Member
Jan 19, 2024
Hi! First-time pve installer here and I'm trying to set up:

OPNSense (VM), Home Assistant OS (VM), Frigate NVR (LXC) in one machine.
I want to configure a firewall/router, set up VLANs on my switch and run a CCTV system + IoT devices.

I travel a lot so I would like to have remote access to my system. While I want to restrict internet access to frigate, I would like to access pve, OPNSense, and Home Assistant if something has to be configured remotely.

I just bought a custom domain (for testing, it was only £0.70 for 1 year)

From a security standpoint, what would be the "best" option for this?

A) Setting up a custom domain + OPNSense + Unbound + Cloudflare Zero Trust tunnels? Let's Encrypt certificates? DNS challenge? (still researching for a route)
B) *.home.arpa + set up OPNSense + WireGuard VPN access? (still researching for a route)

FYI, everything I mentioned above is just what I could gather from the internet; therefore, I have zero experience and extremely limited knowledge. Please feel free to suggest or correct me if I'm wrong.

Thanks!
 
I recommend keeping your hypervisor and management interfaces off the open internet. Use WireGuard (Option B) to ensure secure remote access, so only authenticated users (you) can reach your internal services. I prefer using the TLD .internal, accepted by ICANN on July 29, 2024 for private-use applications.

If you prefer using your custom domain, you can set up a reverse proxy like Caddy to automatically generate Let's Encrypt certificates for your services. You can even use a reverse proxy plugin in your OPNsense firewall. You can also configure Let's Encrypt to generate certificates via API if you add your domain to Cloudflare. Just be sure to not configure your firewall to port forward to this reverse proxy so that you're not exposing your internal services to the internet.
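A Caddyfile that does what this reply describes (DNS-based Let's Encrypt issuance through the Cloudflare API, services reachable only from the LAN and the WireGuard subnet, nothing port-forwarded), as an added example that is not the reply author's configuration. It assumes Caddy was built with the github.com/caddy-dns/cloudflare module, that `example.com` is the purchased domain managed in Cloudflare, and that the subnets, backend addresses and the `CLOUDFLARE_API_TOKEN` variable are placeholders for your own values.

```caddyfile
# Added example, not the reply author's config. Assumptions: Caddy includes the
# caddy-dns/cloudflare module; CLOUDFLARE_API_TOKEN holds a token scoped to
# Zone:DNS:Edit for example.com; management LAN is 192.168.10.0/24 and the
# WireGuard subnet is 10.8.0.0/24.
{
    email admin@example.com
}

# Reusable snippet: certificates come from the DNS-01 challenge, so no inbound
# port 80/443 from the internet is needed, and only LAN or WireGuard peers may
# reach the proxied service (defence in depth on top of "no port forward").
(internal_only) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    @outside not remote_ip 192.168.10.0/24 10.8.0.0/24
    # respond runs before reverse_proxy in Caddy's directive order
    respond @outside 403
}

# Proxmox VE web UI (default port 8006, self-signed cert behind the proxy)
pve.example.com {
    import internal_only
    reverse_proxy https://192.168.10.5:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# Home Assistant (default port 8123)
ha.example.com {
    import internal_only
    reverse_proxy 192.168.10.6:8123
}
```

Home Assistant only accepts proxied connections once its `http:` section sets `use_x_forwarded_for: true` and lists the proxy's address under `trusted_proxies`.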
 
There really isn't a lot of difference between either option. Cloudflare sets up a VPN connection (which might even be WireGuard in many cases) and then grants you access if you're authenticated. If you trust Cloudflare to do the right thing, then solutions #1 and #2 are almost equivalent. If Cloudflare can't be trusted, then players much bigger than you and me have a real problem.
 
I do a mix of both. All services in my homelab have a FQDN using a domain I purchased and Let's Encrypt certs, even if not publicly exposed. I host my router on bare metal on a separate machine from Proxmox. My LAN is fully segmented. Most of my services are only accessible via Tailscale mesh VPN. But I do expose Nextcloud and a couple of WordPress websites via Cloudflare tunnels.
 