Safe to Open Port 8007 for PBS?

Pablo1732

Hello,
I would like to synchronize my backups from my PBS in the local network to my PBS on an offsite server. In order to do that I have to open port 8007 as far as I know. Now I am wondering if it is safe to open this port to the internet. If the port is open, you can also access the config panel of the PBS from outside. Now my question: is it safe to open this port, or is there a better way to access the local server from the offsite server anyway?
 
One usual recommendation is: "No! Use a VPN!"

There are more valid and well documented solutions for this than I can enumerate. My personal choice would be hand crafted / plain WireGuard...

Just my 2€¢, ymmv!
 
Where can I find other options? Google doesn't help me.
Well... I don't want to be rude, but if you cannot find any VPN provider by using Google you should probably not run services accessible from the internet. Trying search terms like "vpn to home" and any search engine gives me plenty of results. Okay... too many...

As already said I for myself am on the WireGuard road, but this is just one of several solutions.
If you have a consumer router: check if your provider offers some "integrated" VPN functionality.

Best regards
 
I know what a VPN is, I have had a WireGuard VPN myself for a very long time. I also use Tailscale and OpenVPN. But VPN connections do not work reliably on our home network! I have not found a way on Google to connect to my home PBS with my offsite PBS! AIs have not been able to provide me with a working solution either.
 
Why can't the firewall allow a specified IPv6 address? (An assumption, because I have no IPv6 experience yet ...)
Another way, if you can't host your own OpenVPN/WireGuard, is to install fail2ban and then add rules to protect port 8007 (tutorials are available on the web).
 
I have set up 2FA on the PBS, but that's not enough, is it?
Is it possible to establish a VPN connection between offsite and home, where the client that connects to the vpn can safely access the devices in homenet but does not access e.g. website data via the vpn?
 
fail2ban alone is probably not really safe either, is it? I think the IPv6 is also dynamic. Are there any other possibilities than VPN?
 
but does not access e.g. website data via the vpn?
Sorry, I don't understand what you mean (French here ...)

fail2ban alone is probably not really safe either, is it?
fail2ban prevents brute force, plus if you have 2FA, for me the access is secure.


Another way I'm thinking about is the "SSLVerifyClient require" option of the Apache server, like for PVE here, but it needs to be adapted for PBS.
 
I'll take my laptop as an example. If I connect my laptop to a VPN and then open Google, all the data is loaded via the VPN server. But is it also possible that I connect to the VPN (e.g. WireGuard) and when I now open Google it is not called up via the VPN but via the normal network, but that I can still connect to the devices in the network in which the VPN server is running?
 
We are talking about a regular, classic, self-hosted VPN to do p2p, not those from providers!
By default, your own self-hosted VPN (WireGuard or OpenVPN) is only used by the peers when they need to communicate with each other, with their local VPN IP, without need of routing.
 
I am also talking about my self-hosted WireGuard VPN. But by default, all traffic is routed through the vpn server. However, I do not want to route all traffic, but only the requests to a specific device in the network.
 
If you connect to the WireGuard of the PBS directly, just do not use "ip route" commands from your laptop WireGuard client.
 
Check your routes. You can set up WireGuard to only forward packets that are targeting your offsite IP.
 
How can I set this? On the client?
Yes. Let's say your offsite PBS got an IP 192.168.100.2 with 192.168.100.1 as the WireGuard server.
Then you could add a route to your client with 192.168.100.0/24 over 192.168.100.1 as the gateway.
And set the WireGuard client to "allowed-ips 192.168.100.0/24".
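
The split-tunnel setting from the answer above, as an added example that is not part of the original thread: two constructed wg-quick client configs, one full-tunnel and one restricted to 192.168.100.0/24, with a check of which destinations fall inside AllowedIPs. The keys, the endpoint vpn.example.net and the client address 192.168.100.3 are placeholders assumed for illustration.

```python
import ipaddress

# Constructed sample client config; keys, endpoint and client address are placeholders.
FULL_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.100.3/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Same config, but only the VPN subnet from the thread is sent into the tunnel.
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "192.168.100.0/24")


def allowed_networks(conf):
    """Return every network named on any AllowedIPs line of a wg-quick config."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def via_tunnel(conf, dest):
    """True if dest lies inside AllowedIPs (wg-quick installs a route for each entry)."""
    addr = ipaddress.ip_address(dest)
    return any(addr.version == n.version and addr in n
               for n in allowed_networks(conf))


def is_full_tunnel(conf):
    """True if a /0 entry is present, i.e. all traffic of that family uses the VPN."""
    return any(n.prefixlen == 0 for n in allowed_networks(conf))


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, is_full_tunnel(conf),
              via_tunnel(conf, "192.168.100.2"), via_tunnel(conf, "8.8.8.8"))
```
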
 
Ah yes thanks, what I was looking for is "allowed ips"
 
But now back to the main question: which possibilities are there for accessing my home network PBS from my offsite PBS? (VPNs don't work very reliably on our network because our internet connection is unreliable. In addition, we have a dynamic IP.)
 
