Solution for hosting behind a VPN, locally

[maxdd]

I recently decided to move most of my services behind a selffhosted VPN.
It feels more secure and given i have fixed devices it didnt have anymore sense to keep the system exposed.
Now the only service which is forcing me to keep my domain active as well as ports open in the firewall is vaultwarden.
Is there any solution which does not require to install a self signed certificate on each and every machine to host it locally and fulfill this "interesting" requirement?

[sambellis]

Have you considered cloudflared? Or Tailscale?

[Index-Pixel]

I recently decided to move most of my services behind a selffhosted VPN.

It feels more secure and given i have fixed devices it didnt have anymore sense to keep the system exposed.

Now the only service which is forcing me to keep my domain active as well as ports open in the firewall is vaultwarden.

Is there any solution which does not require to install a self signed certificate on each and every machine to host it locally and fulfill this "interesting" requirement?

Hello, happy new year!

What you could do is still using your Domain.

Close all Ports except your VPN ones.
Use the DNS01-Challange (i.e. with ACME.sh) to obtain a Cert from i.e. LetsEncrypt on your Reverse Proxy or on the Vaultwarden Server if you use the built-in web Server(Not recommended).

https://community.hetzner.com/tutorials/automating-ssl-certificates-with-acmesh-dns/

Then set in your VPN Server DNS-Settings a DNS to point to your local VW instance.

You should now be able to use your instance with a ssl-cert active.

For the DNS01-Challange you don't need a Domain pointing to your public ip.

But for this to work you need the ability to access the domain settings of your provider via their api. If your provider doesn't provide an api you can still use another one.

For me personally Hetzner works perfectly fine(and their DNS Service is free). https://www.hetzner.com/dns/

You can change your Domain NS settings to use the hetzner DNS-Servers, so you don't have to migriate your Domains to a New Provider.

If you have any questions feel free to ask.

Cheers
Index

[kpfleming]

Yep, that's the solution.

[Index-Pixel]

And yes, you can obtain multiple certificates for your Domain. That's totally possible and legal. When you use the DNS01-Chal, there is no need to obtain a wildcard-cert. You can obtain a cert just for the sub domain without any Problem.

[kpfleming]

I have Vaultwarden hosted over a VPN, not publicly accessible, and without using self-signed certificates (I use a Let's Encrypt certificate). What is reason you think are required to use a self-signed certificate?