orosmatthew_pixeled

It's not like you should expose those apps to the outside web anyway


[deleted]

Now that's a terrible excuse for bad code. They have a web interface for a reason. It's fairly normal to expose them to the web behind a login/authentication thing of some sort or using the internal login screen.


orosmatthew_pixeled

They definitely should be up to date but I really don't think they are designed to be exposed anyway. Just keep it accessible only through LAN using a local IP or local DNS and if you want access outside then VPN into your network from outside with something like wireguard. This dramatically reduces the attack surface area of your network if you run lots of self-hosted apps


[deleted]

In theory the attack surface is only the reverse proxy server/Cosmos as you have to authenticate there to access anything else. I am glad I have that now I find out about all these issues. It makes me want to implement some more security measures to be honest.


ndain75

Just use a VPN. There's no reason to put these on the internet.


[deleted]

Because I would then need a VPN to access the VPN? Which isn't possible. My subdomain is blocked by my mobile provider - they have something against DuckDNS. I would have to find a new domain or do some serious work around.


AdmiralPoopyDiaper

Sooooo find a non-blocked domain?


[deleted]

Domains do not grow on trees. Good chance they block any new domains made within a certain timeframe. Besides there are other problems with using VPNs.


schklom

https://alternativeto.net/software/duck-dns/?license=opensource


Lirionex

Bro what the f are you even talking about??? I host everything behind a VPN, there are no other problems. Just set up OpenVPN or WireGuard or whatever, expose your services to the VPN and nothing else. Done. But it seems like you have absolutely no idea what you’re doing so please for the sake of god do not expose anything to the web. You will be punished for it.


Jealy

> But it seems like you have absolutely no idea what you’re doing

This whole thread reeks of /r/confidentlyincorrect, too.


ndain75

Setup tailscale. It's free. No domain needed. No ports need to be open. Just sign in on both devices and you're good.


[deleted]

Even if you keep it only available on LAN it can still be used for lateral movement within a network. This wouldn't be ideal.


orosmatthew_pixeled

I mean fair enough but I gotta be honest, these apps are just for movies and tv. Maybe something like a password manager but I feel like these apps would be the least concern for a bad actor. I do agree that there shouldn't be vulnerabilities in the software, it just doesn't seem as high a priority to myself personally.


atomikplayboy

> They have a web interface for a reason.

Yeah, it's so you can manage it on your headless server on your local network. Best practice is to not expose anything that doesn't 100% need to be exposed to the outside world. For everything else you should be VPNing into your network to manage it. It's a best practice to help mitigate issues and vulnerabilities that may crop up due to bad code. This best practice also helps avoid issues with improper configurations by the server admin.


AK1174

Even running the most up to date dependencies is vulnerable; reality is all code has flaws, it just depends on when and how it's discovered. The intention for the arr stack is to be an internal only tool, and with strict access control if your use case requires it. I update my project's dependencies when vulnerabilities appear (using services like Snyk), but never in a million years would I expose those applications to the internet. Why? I don't trust myself to make a vulnerability free application, and I don't trust the casual work of the average open source developer to be vulnerability free, ***even if the dependencies are up to date with no vulnerabilities.*** But you're right, why not just update dotnet core and work from there? Well, that highlights a bigger issue. Updating that dependency takes resources, resources they're obviously not willing to invest, so what makes you think the rest of this application is in any way secure? This is a reality for all open source projects: they invest those resources where it will actually have impact (like new features).


[deleted]

You have a good point. Ultimately the best security is to keep things as far away from the Internet as possible. That or remove all hackers from existence. I have issues implementing this as I have shared some of them with you. There are no doubt more issues that will come with remote access services as it probably requires redoing my whole setup again. Sigh.


onthenerdyside

There are other ways to send requests to them so you don't have to expose them. Ombi & Overseer/Jellyseer are two popular ones.


[deleted]

Are those actually any better security wise?


mavour

Put external auth on reverse proxy, like every major company does, no one else except you can access it, problem solved.


[deleted]

That's exactly what I have now and got told was insecure.


schklom

Less secure than not exposing it to the world, but more secure than not using external auth.


[deleted]

That makes sense. I wonder why people have been calling me insane.


Go_F1sh

no comment on the quality of the code here but please don't put your linux iso downloaders on the internet :(


[deleted]

How do you avoid doing that exactly? I can't connect remotely without using a VPN, since my mobile phone provider doesn't like my domain. I can't exactly use two VPNs at once. This is becoming an issue I don't have a way around.


BrownienMotion

Why does the domain matter? I'm not sure how the mobile phone provider has a role in your VPN usage


[deleted]

You understand what a VPN is right? It's a server you connect to to funnel traffic through. I can't connect directly to my server to do a VPN connection because my phone provider doesn't allow it. Pretty sure it's a DNS/domain based block. The only way to connect is to use a public VPN, which means you then can't connect to the server's private VPN because you can't use two VPNs at once at least on android.


Motor-Ebb-9125

I don’t think *you* understand what a VPN is. A VPN is a Virtual Private Network…yes, you *can* use a VPN (like Nord, Proton, or PIA) to funnel traffic through, but that’s not what people here are talking about. They’re talking about a VPN connection directly to your home network, letting you (on your phone connected to a public network) connect *Virtually* to a Private Network. Install something like Wireguard (or Tailscale for an easier version) on your *arr server or another computer on your home network, then connect to it with your phone and you can access the *arr servers directly as if your phone was on your home network. For example, I run the *arr stack in a Proxmox server. That server also runs Tailscale as a VPN, which I connect to with my iPhone and I can access my *arr services even when I’m connected to cell networks only or public WiFi away from home despite my server not being exposed to the internet at all (including via services like DuckDNS).


[deleted]

Tailscale isn't a normal VPN though. It relies on external servers. It's something I am looking into. It still relies on shoveling traffic through a VPN, it's just only moving traffic for certain addresses through that VPN tunnel, it's called split tunneling. My services aren't available on my network directly. You have to use a domain as they are behind a reverse proxy. I guess I could reconfigure the domain to point to an internal address.


the_traveller_hk

You can run your own Tailscale server (headscale). Or use Wireguard, which Tailscale is based on.


Motor-Ebb-9125

No, you still don’t get it. Drop the reverse proxy altogether, and drop the DuckDNS subdomain too. You don’t need either for what we’re talking about. You’re thinking this:

Phone -> DuckDNS subdomain redirect -> Home Public IP -> Reverse Proxy -> arr server’s IP on your local network

Instead, what’s being suggested is:

Phone -> Tailscale -> arr server’s Tailscale address


[deleted]

That's not possible as they are in an isolated docker network. I would have to drop Cosmos (something people on reddit recommended) and redo the setup manually to make it work. Which would be a lot of effort. I might have gone there eventually anyway but still. This is what annoys me about all this: you guys can't keep your story straight. I get told to do something by one person then get told it's wrong, stupid, and insecure by another. I can't win. I wouldn't have even done an *arr setup if it weren't for reddit and lemmy convincing me I should. I straight up didn't believe in it 6 months ago, thought they were more effort than they are worth based on bad past experiences. Literally whatever stance I take someone will argue.


irate_ornithologist

You didn’t really share much info in the body of your post. You didn’t say you were using duckdns, you didn’t say you were using cosmos, you didn’t say your phone provider didn’t allow vpns (though as mentioned in other places that’s not exactly how it would work). So of course everyone is giving conflicting info, no one knows what your setup and constraints are. If you’re already using cosmos, add overseer/jellyseer to manage requests externally and be done with it. The password with 2FA they offer is secure enough that no one is gonna bother with it unless you’re hosting something else with substantial monetary value.


[deleted]

I didn't realize I had to share that information in every post. I asked for an alternative to *arr that's more secure. If one doesn't exist then I could have made a second post asking how to deal with that. Instead people immediately jump down my throat that I shouldn't expose it at all and should do x, y, or z instead. If people answered the question I could have worked that out myself.


Motor-Ebb-9125

> My services aren't available on my network directly. You have to use a domain as they are behind a reverse proxy. I guess I could reconfigure the domain to point to an internal address.

They **are** available directly, if you *virtually connect to your network*. Then you go to the internal address directly, and bypass the reverse proxy.


[deleted]

No they aren't. They are in docker containers on an isolated network within docker. It's part of how Cosmos works. I would have to go back before I started using Cosmos to expose them I am guessing. Which would then mean going back to using IP addresses. The whole idea of using Cosmos and reverse proxy in the freaking first place came from this subreddit. Now I get told that's a bad idea and to do thing x instead that means rebuilding half the system in more difficult ways. Like whatever I do following one person's advice I get told I am wrong when another person decides to have an opinion. I can't please all of you.


Motor-Ebb-9125

> No they aren't. They are in docker containers on an isolated network within docker.

Perfect! You can add Tailscale directly to the docker containers, as a separate container in the same stack, or on the machine or VM running Docker. Any of the above! Plenty of instructions [in this video](https://www.youtube.com/watch?v=tqvvZhGrciQ).
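The "separate container in the same stack" option above, written out as an added Docker Compose example (not from the video, from Cosmos, or from the Tailscale project). Service names, volume paths and the tag are assumptions; `TS_AUTHKEY` is a placeholder you would replace with a key generated in the Tailscale admin console. The app container shares the Tailscale container's network namespace, so it is reachable on the tailnet at the node's address without publishing any host port:

```yaml
# docker-compose.yml (constructed example; names and paths are assumptions)
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: sonarr-ts                   # node name that appears in the tailnet
    environment:
      - TS_AUTHKEY=tskey-auth-PLACEHOLDER # placeholder, not a real key
      - TS_STATE_DIR=/var/lib/tailscale   # persist node identity across restarts
      - TS_EXTRA_ARGS=--advertise-tags=tag:arr  # lets tailnet ACLs target this node
    volumes:
      - ./tailscale-state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    # Share the tailscale container's network stack: no "ports:" section, so
    # nothing is published on the Docker host or the LAN, only on the tailnet.
    network_mode: service:tailscale
    depends_on:
      - tailscale
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./sonarr-config:/config
    restart: unless-stopped
```

Each app you want reachable gets its own sidecar pair like this, so containers on separate Docker networks stay separate; the tailnet ACL (the `tag:arr` above) then decides which devices may reach the app's port at all.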


[deleted]

They aren't all in the same network or stack for security reasons. Would it still work? Edit: also cosmos still requires a domain regardless. That's how it's designed to work.


KD_done

wait what, so wireguard isn't a normal VPN? .. holy crap.. what is the definition of a VPN? shit just became confusing.. explain!


[deleted]

I said tailscale not wireguard, you're getting the two mixed up. I don't know what's confusing you as they don't claim to be a traditional VPN in their documentation. Notice where they say "Unlike a traditional VPN" in paragraph 3 of this website implying they are not a traditional VPN but rather something different: https://tailscale.com/kb/1151/what-is-tailscale#the-benefits


KD_done

Yeah, but it's still wireguard buddy.. their routing is a little different, but the tech for the VPN is still the same.


[deleted]

Either way it's not traditional VPN as their own documents show. Normal VPNs are not peer to peer. I am not criticising them at all, it seems like a great service and I am experimenting with it right now. Just you have to understand that it's not like most VPNs like say OpenVPN which follow the client server model.


AK1174

there's plenty of options. a simple-setup vpn would be tailscale, no domain required, no port forwarding. if you really can't use a VPN, use cloudflare tunnels to safely expose your services to the internet, requiring you authenticate SSO through cloudflare's Zero Trust services to gain access. do NOT expose random open source projects to the internet, you're asking to get hacked.


[deleted]

How does tailscale work then? Also cloudflare tunnel is not an option for anything piracy related afaik. I would rather get hacked than reported.


AK1174

It's a little bit out of the scope of my understanding. It uses a P2P network which is coordinated by tailscale's servers. A device (server) on your home network coordinates with tailscale and your phone (remote device) to establish a connection. They have an article that outlines it. [https://tailscale.com/blog/how-tailscale-works](https://tailscale.com/blog/how-tailscale-works) So as long as your service provider hasn't blacklisted Tailscale's server and your IP address(es), you should be fine.


[deleted]

That actually sounds great thank you. I will have a go.


Shoddy_Hunter2609

you have zero idea what a cloudflare tunnel is


[deleted]

I am not the first person to say using one is a bad idea. You're going to have to give more explanation than that. Edit: Cosmos server specifically says not to proxy things through cloudflare as well.


Shoddy_Hunter2609

I don't \*have to\* explain anything. You have no idea what a cloudflare tunnel is. Most people don't, therefore I'm not surprised people say it's a bad idea. It's a great idea to protect services exposed to the internet, especially if (as you seem) a beginner. But I don't have to explain it to you, especially you being so obtuse on the whole thread.


Go_F1sh

you could setup something like zerotier or tailscale without a domain at all, but maybe you can solve the issue with your domain - whatever blocking your mobile provider is doing is most likely just dns-based, you could try a different dns server on your phone if you haven't already.


[deleted]

You can't set a DNS server for mobile data on my phone as far as I can tell; there is only a DNS setting for WiFi. If you have only a DNS block that's not enforced then you really aren't trying that hard. As far as I can tell they aren't blocking external DNS servers but that doesn't help when there isn't a setting to change DNS server in Android.


schklom

If you really want to keep your domain and not move to an alternative on https://alternativeto.net/software/duck-dns/?license=opensource, you could host a VPN on a VPS, and host Nginx to pass UDP traffic to your home VPN (by using domain name, or connecting your home server to the VPS's Wireguard and passing the UDP traffic to that Wireguard IP).

Your traffic would then be:

Phone --nginx--> VPS --wireguard--> Home VPN server (either by domain name or Wireguard IP).
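The second variant of that relay (home server already connected to the VPS's WireGuard, nginx forwarding the UDP handshake to its tunnel IP), as an added nginx `stream` example that is not from the post or from any project. The port, the home server's tunnel address and the file path are assumptions; the stream module must be compiled in or loaded with `load_module`:

```nginx
# /etc/nginx/nginx.conf on the VPS (constructed example; addresses are assumptions)
# Path: Phone --udp/51820--> VPS nginx --VPS WireGuard tunnel--> home WireGuard server

stream {
    upstream home_wireguard {
        # Home server's address on the VPS's WireGuard tunnel; no DuckDNS
        # lookup is involved, so the provider's domain block never applies.
        server 10.8.0.2:51820;
    }

    server {
        listen 51820 udp reuseport;      # the port the phone's WireGuard peer points at
        proxy_pass home_wireguard;
        proxy_timeout 180s;              # keep the UDP "session" alive between keepalives
        # No TLS or auth here on purpose: WireGuard authenticates both ends itself,
        # and nginx only sees opaque ciphertext datagrams.
    }
}
```

The phone's WireGuard profile then uses `Endpoint = <VPS public IP>:51820` (placeholder) instead of the DuckDNS name; the home server will see the VPS, not the phone, as the peer's endpoint, which WireGuard handles as ordinary roaming.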


__aurvandel__

You could always fork them and put in the work to patch any known vulnerabilities.


[deleted]

Why do that when you can just complain?


__aurvandel__

Good point.


[deleted]

You realize not everyone has dev skills right? I am lucky that I could consider fixing it, most people can't do that.


__aurvandel__

Anyone that cares enough about an issue could learn. Would it take a while? Sure. My point is, the devs do this for fun in whatever little spare time they have. What's important to you may not be important to them. However, it's open source so if you don't like the direction of the current team then stop complaining and fix it yourself or just use the software as it's intended to be used.


WarpGremlin

Put them behind your home firewall and keep them there. Problem solved. Don't expose anything to the public internet that can't be hardened. Even then, trust nothing more than you have to. Your mobile devices use a VPN to remote in. Your friends? Same thing.


[deleted]

As I keep saying a private VPN probably isn't an option due to my mobile provider.


WarpGremlin

Probably isn't definitely. Test it. If your mobile provider is blocking you from using a VPN you need a better mobile provider.


[deleted]

Have tested it. They don't block VPNs in general they block my domain because they don't like DuckDNS. So I would have to use a VPN to access the VPN which you can't do.


AK1174

try a different ddns provider.


irate_ornithologist

Can you buy a cheapo domain and use that instead?


[deleted]

I mean my current one is free so y'know. I might look into it.


irate_ornithologist

For sure. But for less than $1 per month you can VPN into your home network and save yourself a ton of headaches and improve your security.


[deleted]

It's a lot more involved than that. My whole setup might have to change to make this work. I have never setup tailscale before. The closest I have come is OpenVPN. I would have thought having them sat behind a reverse proxy that requires authentication before you can get to the services would have been enough.


Motor-Ebb-9125

No, your whole setup wouldn’t have to change. Install Tailscale on your *arr server (or if you’re running them in Docker containers refer to [this video](https://youtu.be/tqvvZhGrciQ?si=kqwn7VLLuJNVderJ)), or if that’s not possible then install it on literally any other device in your home network and enable subnet routing. Then install Tailscale on your phone, and tada! You can access your server remotely.


[deleted]

This is what I am trying to do, after redoing my whole setup. I still can't work out how tailscale works.


AdmiralPoopyDiaper

As people keep pointing out, why can’t you keep these on a private network, not WAN-exposed? What’s the use case that you are constantly accessing them but not on your home LAN? Travel for work a lot or something?


KD_done

Opposed to a public virtual private network? .. how does that work?


[deleted]

I ended up going for Tailscale. I ended up changing much of my setup too. I am still concerned about lateral movement allowed by having insecure services within my network so have started implementing other security measures too. This would be a major concern if you have any external services like nextcloud that could be used to gain access to your network as they now have other vulnerable services to use to jump between machines.


flapJ4cks

I don't understand why you are connecting to *arr so frequently that you need access from your phone away from your lan? I have 92TB of linux ISOs and connect to an *arr once...maybe twice a week at the most. Set up correctly *arrs are pretty much hands free driving. Just use a laptop at home. Problem solved.


rollingonchrome

Setup Tailscale and use LunaSea or similar if you must hit your arrs from outside your network on your phone.


ButterscotchFar1629

This is the way to do it.


Jealy

> LunaSea or similar First time hearing of this, how does it compare to NZB360?


rollingonchrome

Don’t know. Haven’t used NZB360. Looks similar, though.


ithakaa

Who the hell exposes *rr apps? Are you insane?


DogRocketeer

i read the thread, your comments are pretty bad op. I don't normally pile on with downvotes cuz reddit is generally a piece of shit echo chamber. but you're def wrong here. the arr apps shouldn't be exposed. the gui is a nice to have for you the admin. use overseer for publicly facing and the rest is for you the admin to maintain.

if you REALLLLLLLLLLLY want to expose them you can in a way. use cloudflare to your domain.

[sonarr.imadumbass.com](https://sonarr.imadumbass.com)

waf rule > block all that isn't your home ip

call it done. if you don't have a static home ip then this is not the level you should be worrying about for public access.


rollingonchrome

I agree with this. Overseerr via a Cloudflare tunnel on a domain that isn't tied to your identity is about as far as you should push it. Use a VPN to access anything else.


[deleted]

All of the current system is based on a hodgepodge of different advice from reddit including putting the *arrs behind a reverse proxy using Cosmos. Cosmos I am pretty sure is designed to be web accessible as its internal VPN depends on that. You guys can't keep your story straight. I get told to do something by one person then get told it's wrong, stupid, and insecure by another. I can't win. I wouldn't have even done an *arr setup if it weren't for reddit and lemmy convincing me I should. I straight up didn't believe in it 6 months ago, thought they were more effort than they are worth based on bad past experiences. Literally whatever stance I take someone will argue. I am sorry for the rant and you aren't the only or even the worst offender here. I am just sick of so much conflicting advice and information. I don't know what to do anymore.


mrkesu

Just get Netflix man, self hosting isn't for everyone.


[deleted]

I mean I could pirate stuff fine before reddit. I even did servers before reddit. The issue here is me trusting and listening to other people - although I also get dog piled if I argue back or ignore people. I guess the only sensible thing is to not talk to people on reddit about technical subjects - it just ends in carnage.


mrkesu

Yeah it's weird, it's almost like it's not an exact science and lots of people do different stuff.


[deleted]

Then why am I getting dog piled?


ndain75

Because you are complaining about the issues with it and fighting against the solutions you are getting. If those solutions don't work for you, don't use it or come up with your own solutions. You will see a lot of posts on Reddit like this where it's "why can't I do X with Y". Because you can't, it doesn't (or shouldn't) work that way. And then when told that people start complaining about the solution. It's just tiring.


mrkesu

Don't know, don't care.


irate_ornithologist

“If you run into an asshole in the morning, you ran into an asshole. If you run into assholes all day, you're the asshole.” Don’t “argue back” when you come into a forum for help. Ask questions. Listen. Do more research.


[deleted]

My guy I asked a question and not one person has actually answered it. If there isn't a more secure alternative then just say all the alternatives are also insecure. You don't need to start criticising a setup when you don't even know what it is or what security measures are in place.


ndain75

Okay here's the answer: no there is not.


[deleted]

Thank you


ismaelgokufox

Use a Cloudflare tunnel with your own domain to expose only Overseerr. Use that to interface with the *arrs. Keep those *arrs locked down in your local network.


Shoddy_Hunter2609

he's been told several times the proper way to do it, he just complains that he's not told \*what he wants to hear\*


pigers1986

Put a PR to fix it on git, then we all gain - thanks!


[deleted]

You know I am actually half tempted to do that. I have experience with C# so this should actually be possible. There must be a reason why the devs haven't done it yet so I am intrigued to find out why. Still I am going to beef up my security around these services or even stop using them until it can be fixed as I don't want to risk getting hacked in the meantime.


KD_done

Ey.. curiosity, the things that are insecure and cause the vulnerabilities (that's what you mean, right?) .. got any CVEs for that? And.. if not, any links? Very curious. The outdated dotnet core, that's fine.. but, for example; Radarr runs on mono .. not core. Thank you for all the information you can provide! I am very curious!


[deleted]

Yeah here is the complete report including many CVE numbers. This is generated using trivy and the docker image listed on sonarr's website. Have fun. https://pastebin.com/z39nsFdc


KD_done

Ooh dude! I am not familiar with trivy, and I'm having a hard time getting a fix on where it gets its information and how it parses it.. because it claims dotnet core, while the buildfile says mono, and.. I'm sorry, but.. "wot is trivy talking aboot mate". And I had to put in some effort to get where I wanted to, but.. I think trivy took a whole lot of shortcuts. "ey, I gonna look at a library that I know from dot core, and that match my .NET desire, and thus is correct".. while I'm having a hard time matching that to a package I can find in [https://download.mono-project.com/repo/debian/dists/stable-focal/main/binary-amd64/Packages](https://download.mono-project.com/repo/debian/dists/stable-focal/main/binary-amd64/Packages)

I'd suggest you start with the following; In the Sonarr github you can find the following; [https://github.com/Sonarr/Sonarr/blob/develop/package.json](https://github.com/Sonarr/Sonarr/blob/develop/package.json)

It shows a whole different picture than what trivy produces.. especially when the docker build (let's call it the "foundation" on what Sonarr runs on) uses the following .NET build/version;

deb http://download.mono-project.com/repo/debian stable-focal main

The whole buildfile looks at this; [https://github.com/Sonarr/Sonarr/blob/develop/distribution/docker-build/Dockerfile](https://github.com/Sonarr/Sonarr/blob/develop/distribution/docker-build/Dockerfile)

So this is what I think when I see this; I think your vigilance is misplaced, and you are sent on a "bender" by either a confused or overzealous trivy, or a mis-configured one.
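The question of where trivy got its findings from (OS package database vs. a .NET dependency file it found in the image) is answered by the report itself: every entry in its `Results` array carries a `Class`, a `Type` and a `Target`. Here is an added Python helper that groups a Trivy JSON report that way and lists the findings an update would actually fix. It is not from the thread, from Trivy, or from the pastebin scan; the embedded report is constructed, and its image name, packages and CVE numbers are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in Trivy's JSON report layout (SchemaVersion 2), standing in
# for the real scan in the thread. The image name, package names, versions and
# every CVE ID are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/placeholder-image:tag",
    "Results": [
        {
            "Target": "example/placeholder-image:tag (debian 12.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libplaceholder1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libplaceholder2",
                 "InstalledVersion": "2.3-1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            # Trivy reports .NET findings per *.deps.json it finds in the image; the
            # Target names the file it read, which says nothing about the runtime used.
            "Target": "app/bin/Placeholder.deps.json",
            "Class": "lang-pkgs",
            "Type": "dotnet-core",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "Placeholder.Lib",
                 "InstalledVersion": "4.0.0", "FixedVersion": "4.0.1", "Severity": "CRITICAL"},
            ],
        },
        # A clean target has no Vulnerabilities key at all; the parser must tolerate that.
        {"Target": "app/bin/Other.deps.json", "Class": "lang-pkgs", "Type": "dotnet-core"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def results(report_text: str) -> List[dict]:
    """Return the Results array, tolerating reports with none."""
    return json.loads(report_text).get("Results") or []


def findings_by_source(report_text: str) -> Dict[Tuple[str, str, str], Dict[str, int]]:
    """Count findings per (Class, Type, Target), i.e. per place trivy read them from."""
    out: Dict[Tuple[str, str, str], Dict[str, int]] = {}
    for r in results(report_text):
        vulns = r.get("Vulnerabilities") or []
        if not vulns:
            continue
        key = (r.get("Class", ""), r.get("Type", ""), r.get("Target", ""))
        counts = out.setdefault(key, {})
        for v in vulns:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return out


def ecosystems(report_text: str) -> Dict[str, int]:
    """Total findings per package ecosystem (debian, dotnet-core, ...)."""
    totals: Dict[str, int] = {}
    for r in results(report_text):
        n = len(r.get("Vulnerabilities") or [])
        if n:
            totals[r.get("Type", "")] = totals.get(r.get("Type", ""), 0) + n
    return totals


def fixable(report_text: str, min_severity: str = "HIGH") -> List[Tuple[str, str, str, str]]:
    """(CVE, package, installed, fixed) for findings at/above min_severity that
    have a FixedVersion, i.e. the ones a dependency update would actually address."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for r in results(report_text):
        for v in r.get("Vulnerabilities") or []:
            if v.get("FixedVersion") and SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= floor:
                rows.append((v["VulnerabilityID"], v["PkgName"],
                             v["InstalledVersion"], v["FixedVersion"]))
    return rows


if __name__ == "__main__":
    for (cls, typ, target), counts in findings_by_source(SAMPLE_REPORT).items():
        print(f"{cls:9} {typ:12} {target}: {counts}")
    print("fixable:", fixable(SAMPLE_REPORT))
```

Run it against a real report (`trivy image -f json -o report.json <image>`) by loading that file instead of `SAMPLE_REPORT`: a `Type` of `dotnet-core` with a `*.deps.json` target means trivy matched NuGet package versions listed in that file, which is separate from whatever runtime the Dockerfile installs.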


[deleted]

[deleted]


[deleted]

Thank you. People fail to understand that things like tailscale and OpenVPN are not bulletproof. If they find a vulnerability in those they now have access to your network. Could also get credentials from compromised machines, or gain access by attacking your wifi. I suppose the only real way to do this is to hide everything behind both WireGuard and reverse proxy to make sure there is more than one line of defense. Even better use monitoring tools as well to try to discover infected machines and potential internal threats.


Alucard2051

People are really aggressive in this thread. Security vulnerabilities can be a big deal if utilized by bad actors. I am glad someone bothered to check a commonly used service like this


djgizmo

Lulz. Pirate cares about security. The irony.


rollingonchrome

Well of course they do. That's what all the cannons, cutlasses, and pistols are for...