Recommendations for Nextcloud Configuration

I’m still learning a lot about networks and security, so I wanted to ask for recommendations about the best way to configure Nextcloud for external access.

I would like to be able to reach my Nextcloud instance from anywhere (I initially set it up to work under VPN, but found it annoying to have to VPN every time, and I’d also like to use my Nextcloud instance for automatic backups, which I don’t want failing when I’m off VPN).

I have the Turris Omnia with a 2TB hard drive attached. I have installed Nextcloud and can currently access it from LAN. I have also configured my Omnia to utilize dynamic DNS with a hostname provided by No-IP, but I have not yet enabled port forwarding, as this is where I would like some advice.

Is there a way to allow access to the Nextcloud instance from anywhere, but block traffic to any other device, and block access to the Foris/LuCI tools, etc?

Thanks

Actually there is one option - use a static IP and block all access from other IPs.
But I think that’s nearly impossible from mobile devices and abroad.
To circumvent this, VPN was created :wink:

What could make your situation easier (and several backup programs give you the option to do it): create a little script that establishes the VPN connection before doing the backup and closes the connection afterwards.

While doable, that is not quite “plug and play”. I guess I wouldn’t mind also using the Nextcloud sync clients, and I haven’t seen a way to configure them to only sync when connected to a specific network, and in my limited testing of them, they complain frequently when they can’t reach the Nextcloud server, which is annoying.

I guess the better solution is to buy a Raspberry Pi or something and have it serve as my Nextcloud server rather than the Omnia then?

What you want to reach isn’t plug’n’play…

This has nothing to do with the Omnia - it is the very same for handing traffic through to a local installation on the Omnia or to a separate device.

Maybe give WireGuard a try - it is a more lightweight VPN than OpenVPN and doesn’t eat up the battery too fast.

Well, from what I understand, if I have the Nextcloud server running on a separate device, then with the DDNS + port forwarding, I can forward to that device instead of to the router, and at least that way external access wouldn’t reach the Foris/LuCI config page (though maybe I am wrong).

This can also be done directly on the router without an external device, e.g. using a virtual machine (LXC) to isolate Nextcloud on the router.

Ah, ok, so that is possible. I will look at that route then. Thanks
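The setup the last two replies describe (Nextcloud isolated in an LXC container on the Omnia, only its HTTPS port forwarded from the WAN, Foris/LuCI unreachable from outside) can be expressed as OpenWrt/Turris OS firewall rules. The script below is an added example, not something posted in this thread or shipped by Turris; it assumes the container has the fixed LAN address 192.168.1.50 (a placeholder), that Nextcloud listens on TCP 443 inside it, and that the WAN zone keeps OpenWrt's default "input REJECT" policy. It renders a `uci batch` that adds one DNAT redirect plus an explicit reject rule for the router's own web UI ports, and only applies it when `uci` is actually present (i.e. when run on the router).

```shell
#!/bin/sh
# Added example (not from the thread): forward only Nextcloud's HTTPS port from
# the WAN to an LXC container on the LAN, and refuse WAN access to the router's
# own web UI (Foris/LuCI on 80/443). Everything else from the WAN falls through
# to the zone's default input/forward policy (REJECT), so other LAN devices and
# the router itself stay unreachable from the Internet.

NC_IP="${NC_IP:-192.168.1.50}"   # container address on the LAN (assumed placeholder)
NC_PORT="${NC_PORT:-443}"        # port Nextcloud serves on inside the container

# Render the uci batch. The redirect is processed as DNAT before the router's
# INPUT chain, so the forwarded HTTPS traffic reaches the container while the
# separate 'rule' section still blocks connections aimed at the router itself.
render_firewall_batch() {
    cat <<EOF
set firewall.nextcloud_dnat=redirect
set firewall.nextcloud_dnat.name='nextcloud-https'
set firewall.nextcloud_dnat.src='wan'
set firewall.nextcloud_dnat.src_dport='${NC_PORT}'
set firewall.nextcloud_dnat.dest='lan'
set firewall.nextcloud_dnat.dest_ip='${NC_IP}'
set firewall.nextcloud_dnat.dest_port='${NC_PORT}'
set firewall.nextcloud_dnat.proto='tcp'
set firewall.nextcloud_dnat.target='DNAT'
set firewall.block_router_ui=rule
set firewall.block_router_ui.name='deny-wan-to-router-ui'
set firewall.block_router_ui.src='wan'
set firewall.block_router_ui.dest_port='80 443'
set firewall.block_router_ui.proto='tcp'
set firewall.block_router_ui.target='REJECT'
commit firewall
EOF
}

# Apply the batch on the router and reload the firewall. Refuses to do
# anything on a machine without uci, so the script is safe to read/test elsewhere.
apply_firewall_batch() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; run this on the Turris Omnia itself" >&2
        return 1
    fi
    render_firewall_batch | uci batch && /etc/init.d/firewall reload
}

# Sanity check used before applying: exactly one WAN port is forwarded.
forwarded_port_count() {
    render_firewall_batch | grep -c "src_dport="
}

# Uncomment on the router after checking the rendered batch:
# render_firewall_batch; apply_firewall_batch
```

The explicit reject rule is redundant with the default WAN input policy, but it documents the intent and survives if someone later loosens the zone policy. After applying, confirm from an outside network (e.g. a phone on mobile data) that only the Nextcloud hostname on port 443 answers and the router's web UI does not.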