Question about Security/Usage
-
I am considering setting up a Nextcloud and maybe one or two other "web apps" on my FreeNAS box for private use by family members.
I want remote access, but do not want to directly expose my FreeNAS to the internet, so port forwarding is not acceptable.
OpenVPN is definitely an option, but it is very bad for battery life on mobile phones, and might also cause my family members problems as well. I ideally want something that can be fairly transparent to the user - just open a web browser, start an app, automatic sync etc.
Is it possible to set up HAPROXY (or some other package) as a front end and have client certificates on the devices requiring access?
Ideally I would like to have the system set up so that the TCP handshake won't even take place unless the device has a valid certificate (much the way OpenVPN can require a certificate), or if the system uses UDP, and is totally silent that would be even better. I want to set things up to have as small an attack surface as possible, and be very boring so automated probes don't get any useful information for further attacks and get bored very quickly.
Is this something that would be a good fit for HAPROXY, or is there a better way to do it? Would the security be as good as OpenVPN?
Any ideas/suggestions would be much appreciated.