Connect to the VPS and initiate the port creation process.

TheRealShrub
Senior Member
409
11-12-2016, 01:12 PM
#11
You need an SSH client on Android that can handle tunneling and actually let apps pass through it. This usually means you’ll have to root the phone, which goes against keeping it secure. Browsing HTTPS sites already gives you good protection. If apps in the Play Store say their data is encrypted, they’re using SSL too, so you’re safe without extra work from you.

flyer78
Senior Member
425
11-12-2016, 02:30 PM
#12
This doesn’t seem logical. What’s your goal here? Which service on 433 are you attempting to safeguard? Running a VPN on 433 doesn’t really enhance security—it just adds complexity and potential points of failure for maintaining the connection. Opt for WireGuard instead, as it’s simpler. Regardless of the VPN type, always use certificates. If you’re using certificates, that provides sufficient protection. You can leave the port open to everyone; unauthorized access is unlikely. If a zero-day vulnerability in WireGuard is discovered, you’ll be safe from attacks. Those who exploit such flaws will likely sell it to the highest bidder or target major organizations like corporations or government agencies.

WF_Catt
Posting Freak
761
11-13-2016, 09:23 AM
#13
Some people might not see what I need. To help, I’ll use a VPN to reach my home server, usually for streaming. It’s already set up on a VPS for that purpose. It functions well except on certain public Wi-Fi networks. When using those, I require: opening a port—possibly for HTTPS or SSH, likely TCP port 443, since blocking it there is risky. For extra security, access should only come from the DDNS domain name and constantly changing IP address via the phone to that port. This part seems straightforward; most of the setup is already done. I might eventually create another VPS, install OPNsense, and use it instead. I’m comfortable with it at home and find it much simpler, even more so with a graphical interface. Also, strong intrusion detection would be helpful. I still don’t understand why some can’t grasp this.

3Edge
Senior Member
718
11-13-2016, 04:35 PM
#14
I don’t grasp your intention clearly. What’s the purpose of needing a VPS? Wouldn’t it be simpler to link directly to your home’s VPN? With a VPN already in place, you only need to open one port; SSH and HTTPS don’t require separate ports, so everything can flow through the VPN. That doesn’t really boost security—it just adds complexity. Sure, limiting IP ranges can help, but if you’re using key pairs (which you should be), this isn’t a major concern. Someone will likely discover a vulnerability in your VPN before they try brute force, making the source IP irrelevant. Still, why? If you have OPNsense, why aren’t you connecting directly to it?

Seedydoge
Junior Member
41
11-14-2016, 05:32 AM
#15
I never set up a port on my home router - always. Key pairs will be handled, along with IP restrictions. Since I’m likely connecting to a difficult-to-block public Wi-Fi like TCP 443, it’s also frequently scanned by bots (along with other standard ports). The goal is to transfer data and use public networks when convenient. Many users face problems with VPN traffic. For extra protection, I plan to limit which IP addresses can connect. A DDNS entry could help manage this. I realize now it’s straightforward, so why not? There’s little reason not to improve security. Regarding the VPN on my VPS, I suspect it isn’t a high-value target for attackers, as I mainly use it for ad blocking and streaming. Any unencrypted traffic through the VPN would be audio or video streams without sensitive data. Still, if boosting security is possible, I’ll do it. Also, fail2ban will make brute force attacks much harder. If I’m using OPNsense, it offers many simple setup options. The inconvenience of relying on free Wi-Fi with a VPN—waiting five minutes for the DDNS to update or needing to reconnect periodically—might be a hassle. It’s manageable if I’m in a place like a park near the beach, especially when temperatures soar above 35°C. In my area, a very hot summer is expected.

Tysaber
Member
60
11-14-2016, 01:48 PM
#16

Tomcastle88
Member
149
11-17-2016, 04:39 AM
#17
I also overlooked that. Fail2ban combined with keys makes brute force attacks unfeasible. A VPN vulnerability would need to be discovered, and the chance of a zero-day exploit being targeted against you is practically nonexistent. Those who uncover an exploit for WireGuard will likely sell it to the highest bidder—China, North Korea, Russia, the US, etc.—and it wouldn’t be used against you. Using WireGuard on your home network with fail2ban and key pairs significantly boosts security; it’s just as safe as browsing the internet at home. Alternatively, consider Cloudflare Zero Trust tunnels, Tailscale, or self-hosted Headscale. You won’t need to manage ports, but you’re redirecting the attack focus from trust in WireGuard to confidence in how Cloudflare implements its service.

ownist
Member
177
11-17-2016, 01:29 PM
#18
So fail2ban - that does help a lot as I understand. As for 'free' tunnels, they are not suited to video streaming, which is what I want to do. Oh, and from a privacy standpoint, I really have no trust there. Oh, and nothing that means a home port open. Edit: fail2ban is already applied for the VPN port and a non-standard SSH port. So change the SSH port number on the VPS to 433. Set up a tunnel through the SSH connection to stream from Jellyfin. Of course, what I am adding is port 433 access from ONLY my phone and probably home IP, using DDNS domain names assigned to them. There is a script available to run on the VPS - through cron. This is for a scenario when using a VPN-unfriendly public Wi-Fi. If the VPN can connect, well, just use that.
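
One way a cron-driven DDNS allowlist like the one described above could work, as an added example that is not part of the thread and not the script the poster refers to. The nftables table and set names, the base rule, the host names and the sample addresses are assumptions.

```python
import ipaddress
import socket

PORT = 433                     # SSH port number as written in the thread
SET = "inet filter ssh_allow"  # assumed nftables table and set (type ipv4_addr)
# Assumed base rule, loaded once: tcp dport 433 ip saddr @ssh_allow accept
# Ranges that must never enter an Internet-facing allowlist.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def resolve(host):
    """IPv4 addresses the DDNS name resolves to now; empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, PORT, socket.AF_INET)}
    except OSError:
        return set()


def usable(ip):
    """Reject malformed answers and private, loopback or reserved addresses."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in BLOCKED)


def plan(previous, resolved):
    """Diff the last-known state against fresh lookups.

    Both arguments map DDNS name -> set of IPs. A name with no usable answer
    keeps its last-known addresses, so a DNS outage does not lock the owner out.
    Returns (nft commands to run, new state to persist for the next cron run).
    """
    state = {}
    for host, old in previous.items():
        good = {ip for ip in resolved.get(host, ()) if usable(ip)}
        state[host] = good or set(old)
    have = set().union(*previous.values())
    want = set().union(*state.values())
    cmds = [f"nft add element {SET} {{ {ip} }}" for ip in sorted(want - have)]
    cmds += [f"nft delete element {SET} {{ {ip} }}" for ip in sorted(have - want)]
    return cmds, state


if __name__ == "__main__":
    # Constructed last-known state; hostnames and addresses are placeholders.
    last = {"phone.example.net": {"198.51.100.7"}, "home.example.net": {"203.0.113.5"}}
    cmds, _ = plan(last, {h: resolve(h) for h in last})
    print("\n".join(cmds) or "allowlist unchanged")
```

On shared public Wi-Fi the phone's source address is the network's NAT address, so the allowlist admits every client behind it; key-only SSH authentication and fail2ban remain the actual gate.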