To mitigate the risks you could put the local server into its own network where it cannot reach anything else in your home.

@Kkk2237pl What are you using for a router? A good uptodate version of something like ooenwrt, a separate subnet running on a different vnet and firewall zone.

Why the vps?

I run my server on the internet, and my security is crowdsec + geo ip block (well, white-list my country’s ip but same idea) and authelia.

Using this setup, I barely ever have even bots randomly pingig me, let alone anyone trying to access my NAS.

I was pondering the same for last couple of days and had some thoughts on how to make it feasible. My research led me so far to 2 prerequisites:

1. must have Anubis in front
2. must have a WAF solution in place that covers at least OWASP Top 10

I found pretty good Caddy documentation that covers both, so I think I’ll deploy a secondary Caddy reverse proxy that’ll perform such ops for public facing services.

Of course, I currently have only 1 Caddy instance reverse proxy ing my internal services, haven’t reached the part on traffic handling when my devices are connected to the “safe network” (aka my home LAN)

@Kkk2237pl Can I suggest that you start with something simple where as much as possible is templated - im like a broken record on this but i use #yunohost simply because heaps of people are using the same config.