What would be the best practices for needing external access to certain servers on my network, including link access (non-user) such as Nextcloud?
@Victor this begs a future blog article, but in general, this is the best practice:
- any external users should need a VPN (OpenVPN with certificates + credentials is strong)
- offer external users VPN access only to the required resources
- OpenVPN AS (internally-hosted VM/host) is the most flexible way to go for you to have Access Control Lists on a per-user basis to achieve zero trust even for external users
As for non-user access, when it requires direct external access, that’s when port-forwarding works well, especially if you limit the source to only the required origins, such as all of Nextcloud’s IPv4 address space. Many vendors now offer it in their knowledge base, but if not, it can usually be obtained through tech support requests.
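The three points above (certificate plus password on the VPN, per-user access to only the required resources, and a port-forward limited to known source addresses) rendered as concrete configuration. This is an added example written for this page, not code from David or from the thread: it emits an OpenVPN server.conf that requires both a client certificate and a PAM-checked username/password, one `client-config-dir` file per certificate CN pinning a fixed tunnel address, an nftables forward chain that lets each tunnel address reach only the destinations in a small policy table, and a DNAT rule restricted to an allowlist of source prefixes. The interface names, addresses, file paths, the PAM plugin path and the policy rows are all assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Renders OpenVPN + nftables
# config implementing "cert + credentials, per-user ACLs, restricted forward".
# Interfaces, addresses, paths and the POLICY rows are illustrative assumptions.

# OpenVPN server.conf: tls-crypt, client certificate required, plus a
# username/password checked through the PAM plugin (plugin path varies by distro).
emit_openvpn_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
ccd-exclusive
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert require
EOF
}

# Constructed policy table: <cert CN> <fixed tunnel address> <destination> <proto> <port>
POLICY='alice 10.8.0.10 10.0.20.10 tcp 443
bob   10.8.0.11 10.0.20.20 tcp 22
bob   10.8.0.11 10.0.20.10 tcp 443'

# One ccd/<CN> file per certificate CN, pinning its tunnel address (reads POLICY on stdin).
emit_ccd_files() {
    awk '!seen[$1]++ { printf "# ccd/%s\nifconfig-push %s 255.255.255.0\n", $1, $2 }'
}

# nftables forward chain: default drop, one accept per policy row, plus accepts
# for return traffic and for connections that were DNATed by the port-forward.
emit_forward_rules() {
    printf 'table inet vpnacl {\n  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    ct status dnat accept\n'
    while read -r cn tip dst proto port; do
        [ -z "$cn" ] && continue
        printf '    iifname "tun0" ip saddr %s ip daddr %s %s dport %s accept comment "%s"\n' \
            "$tip" "$dst" "$proto" "$port" "$cn"
    done
    printf '  }\n}\n'
}

# Port-forward for non-user access, restricted to an allowlist of source prefixes.
# $1 = WAN iface, $2 = "prefix, prefix", $3 = port, $4 = internal host
emit_portforward() {
    cat <<EOF
table ip natfwd {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$1" ip saddr { $2 } tcp dport $3 dnat to $4:$3
  }
}
EOF
}

# Render everything to stdout; in real use write the files and load with: nft -f rules.nft
emit_openvpn_server_conf
printf '%s\n' "$POLICY" | emit_ccd_files
printf '%s\n' "$POLICY" | emit_forward_rules
emit_portforward eth0 "203.0.113.0/24, 198.51.100.0/24" 443 10.0.10.5
```

Because `ccd-exclusive` refuses any certificate without a ccd file, a user is only reachable through the firewall rules tied to the address that file assigns, so revoking access is a matter of deleting the file and its policy rows. The source allowlist on the DNAT rule is the part David's "limit the source to only the required origins" refers to; the forward chain still needs the `ct status dnat accept` line or the forwarded connection is dropped by the default policy.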
Normally as David suggested, a VPN would be the recommended mechanism to access Nextcloud remotely.
But the one item I sympathize with is the file sharing feature that allows you to share files with a protected link, and the secure drop feature that could allow customers to securely send you files.
A VPN isn’t practical for those use-cases. So what I would suggest is the following.
- Set the Nextcloud server on its own VLAN where it cannot directly connect to other devices on the local network (but it’s OK to allow devices on other VLANs to connect to it)
- Use Cloudflare’s Argo Tunnel to connect the Nextcloud server to Cloudflare’s network, and you’ll also need your domain to be hosted on Cloudflare to enable the WAF services to protect against external attacks.
- Create a DNS record and point it to the Argo Tunnel CNAME and enable the Cloudflare proxy for it.
Finally, going forward you would need to stay on top of any security updates. Ensure you subscribe to Nextcloud via email, RSS, social media, etc. so that you’re aware when they release an update and you can get it installed ASAP.
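The three steps in the answer above as concrete configuration, added here as an example that is not part of the original post or of Nextcloud's or Cloudflare's own documentation. It emits an nftables forward chain that isolates the Nextcloud VLAN (the LAN may open HTTPS connections to it, it may not initiate connections to the LAN, and it may reach the internet so the tunnel daemon can connect out), a `cloudflared` ingress config for the tunnel (the product the post calls Argo Tunnel is now sold as Cloudflare Tunnel, driven by the same `cloudflared` daemon), the single command that creates the proxied CNAME record, and the Nextcloud config.php lines that make it trust the local tunnel daemon and read the real client address from Cloudflare's header, which its brute-force protection depends on. The interface names, addresses, the tunnel UUID placeholder and the hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Interface names, addresses,
# the tunnel UUID and the hostname are illustrative assumptions.

# VLAN isolation. $1 = Nextcloud VLAN iface, $2 = LAN VLAN iface, $3 = WAN iface, $4 = Nextcloud IP
emit_vlan_rules() {
    cat <<EOF
table inet vlanfw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections the LAN opened are allowed back, nothing else is
    ct state established,related accept
    # LAN may open connections to Nextcloud on HTTPS only
    iifname "$2" oifname "$1" ip daddr $4 tcp dport 443 accept
    # Nextcloud may reach the internet (cloudflared, updates) but never the LAN
    iifname "$1" oifname "$2" drop
    iifname "$1" oifname "$3" accept
  }
}
EOF
}

# cloudflared config.yml: only the Nextcloud hostname is published, everything
# else falls through to the catch-all 404. The origin cert is checked against
# the public name instead of disabling verification.
emit_cloudflared_config() {   # $1 = tunnel UUID, $2 = public hostname
    cat <<EOF
tunnel: $1
credentials-file: /etc/cloudflared/$1.json
ingress:
  - hostname: $2
    service: https://localhost:443
    originRequest:
      originServerName: $2
  - service: http_status:404
EOF
}

# DNS step: this command creates the proxied CNAME to <UUID>.cfargotunnel.com in the zone.
dns_route_cmd() {   # $1 = tunnel name or UUID, $2 = public hostname
    printf 'cloudflared tunnel route dns %s %s\n' "$1" "$2"
}

# Nextcloud only ever sees connections from the local cloudflared, so it must
# trust that proxy and take the client IP from Cloudflare's header.
emit_nextcloud_proxy_config() {   # $1 = public hostname
    cat <<EOF
'trusted_domains' => ['$1'],
'trusted_proxies' => ['127.0.0.1', '::1'],
'forwarded_for_headers' => ['HTTP_CF_CONNECTING_IP'],
'overwriteprotocol' => 'https',
EOF
}

TUNNEL_UUID=00000000-0000-0000-0000-000000000000   # placeholder, use your tunnel's UUID
emit_vlan_rules vlan10 vlan20 eth0 10.0.10.5
emit_cloudflared_config "$TUNNEL_UUID" cloud.example.com
dns_route_cmd nextcloud cloud.example.com
emit_nextcloud_proxy_config cloud.example.com
```

If the Nextcloud host serves a self-signed certificate, point `originRequest.caPool` at that certificate rather than setting `noTLSVerify: true`, otherwise anything on the Nextcloud VLAN that can answer on port 443 can impersonate the origin to the tunnel. The `forwarded_for_headers` line matters for the share-link and secure-drop use cases: without it every failed password attempt appears to come from 127.0.0.1 and Nextcloud's per-IP throttling throttles everyone at once.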
Can we get access to the Cloudflare DNS server for our respective domains to create A records and such?
Not for the managed domains, but you can register a domain of your own, or we can delegate a sub-domain to your own choice of authoritative DNS.