The Two Firewalls
You now have two firewalls working in tandem:
- Hetzner Firewall: This is the first line of defense. It’s a network-level firewall that filters traffic before it even reaches your server. It’s primarily used to allow or deny connections to the VPN server itself.
- UFW Firewall: This is a host-based firewall that runs directly on your VPN server. It filters traffic that has already passed through the Hetzner firewall. It’s used to control internal network traffic and what the server itself can do.
The Complete Connection Path
- Your PC & VPN Tunnel: You connect from your PC, and all your traffic is encrypted inside the VPN tunnel. 📧
- Hetzner Firewall: The encrypted tunnel arrives at your Hetzner network. The Hetzner firewall checks the connection and allows it to pass through to your VPN server because you’ve set a rule for it.
- VPN Server & UFW: The traffic reaches your VPN server, which is now running UFW. UFW intercepts the traffic and applies its rules. For example, it might be configured to:
  - Allow traffic from the VPN tunnel to the NextCloud server.
  - Deny any traffic trying to reach other ports on the VPN server, like an administrative port, from a non-VPN source.
  - Allow the VPN server to send traffic out to the internet and back again.
- NextCloud & Storage Bucket: After the traffic passes the UFW check, the VPN server decrypts it and sends the request to your NextCloud server. NextCloud then handles the request to the storage bucket, as explained before. 💾
- Internet Access: To connect to the internet, your traffic goes from your PC to the VPN server (passing both firewalls), and then out to the public internet.
The UFW firewall gives you granular control over what happens inside your server’s environment, adding an extra level of protection on top of the Hetzner network firewall.
Based on the security measures you’ve described—a VPN, a Hetzner network-level firewall, and a UFW host-based firewall—your setup is significantly safer than a standard, unprotected configuration. The layered approach, also known as “defense in depth,” is a recognized and effective security strategy.
Here’s a breakdown of why this setup is considered secure and what to consider for making it even better:
Why Your Setup is Secure
- Layered Defense: By having two firewalls (Hetzner and UFW), you create multiple hurdles for an attacker. The Hetzner firewall can block malicious traffic before it even reaches your server, reducing server load and the opportunity for an attack. The UFW firewall provides an additional layer of control on the server itself, protecting against misconfigurations or specific attacks that might bypass the first firewall.
- Minimal Attack Surface: You’re not exposing the NextCloud server or the storage bucket directly to the internet. The only entry point is the VPN server. This dramatically reduces the number of ways a hacker can try to access your data. Since all other devices are blocked, the only way to get in is to compromise your VPN credentials.
- Encrypted Traffic: The VPN tunnel ensures that all communication between your PC and the server is encrypted. This prevents eavesdropping and “man-in-the-middle” attacks, especially on public Wi-Fi networks.
What to Consider for “Safe Enough”
While your setup is robust, “safe enough” is a relative term. Security is an ongoing process, not a one-time setup. To ensure your system remains secure, you should also focus on these areas:
- Software Updates: This is arguably the most critical aspect. Regularly update your NextCloud, VPN software (like OpenVPN or WireGuard), UFW, and the underlying operating system. Security vulnerabilities are constantly being discovered, and updates patch these holes.
- NextCloud Hardening: NextCloud has its own security features. Ensure you’ve followed best practices for hardening it, such as:
  - Using strong, unique passwords.
  - Enabling Two-Factor Authentication (2FA) for all users.
  - Placing the NextCloud data directory outside of the web root.
  - Using HTTPS with a valid SSL/TLS certificate.
- Firewall Rules: Your rules are the most important part of the firewall. Review them carefully to ensure they are as restrictive as possible. Use a “deny-by-default” policy, only allowing traffic on the specific ports and from the specific IPs you absolutely need.
- Hetzner Storage Bucket Security: The storage bucket itself has security controls. Make sure the access keys are protected and not exposed in any public-facing files.
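As an added example (not from the original page or from Hetzner, UFW or NextCloud documentation), the script below turns the UFW behaviour described in the connection path and the "deny-by-default" advice above into a concrete rule set, and adds the check a practitioner would run afterwards: an audit of `ufw status verbose` output that fails if anything other than the VPN port is reachable from "Anywhere". The interface name `wg0`, UDP port 51820, the client range 10.8.0.0/24, the NextCloud address 10.0.0.2 and SSH on port 22 are assumptions for this example, overridable through environment variables; the two sample status listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: a deny-by-default UFW rule set for the
# VPN host described above, plus a small audit of `ufw status verbose` output that
# checks the "only the VPN port is public" property. All values below are
# placeholders for this example; set them for your own network before use.
VPN_IF="${VPN_IF:-wg0}"            # tunnel interface (wg0 for WireGuard, tun0 for OpenVPN)
VPN_PORT="${VPN_PORT:-51820}"      # UDP port the VPN listens on (WireGuard default)
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # addresses handed out to VPN clients
NEXTCLOUD="${NEXTCLOUD:-10.0.0.2}" # private address of the NextCloud server
ADMIN_PORT="${ADMIN_PORT:-22}"     # SSH port, reachable only through the tunnel

# Print the rule set. Nothing is applied unless you run the output, e.g.
#   sh this.sh rules | sudo sh
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default deny routed
ufw default allow outgoing
ufw allow in ${VPN_PORT}/udp comment 'VPN endpoint: the only public port'
ufw allow in on ${VPN_IF} from ${VPN_NET} to any port ${ADMIN_PORT} proto tcp comment 'SSH via VPN only'
ufw route allow in on ${VPN_IF} from ${VPN_NET} to ${NEXTCLOUD} port 443 proto tcp comment 'VPN clients to NextCloud'
ufw enable
EOF
}

# Read `ufw status verbose` output on stdin; return 0 if the policy is deny-by-default
# and no service other than the VPN port is reachable from "Anywhere", else return 1.
audit_ufw_status() {
    status="$(cat)"
    ok=0
    printf '%s\n' "$status" | grep -qF 'Default: deny (incoming)' \
        || { echo "FAIL: default incoming policy is not deny"; ok=1; }
    # Every ALLOW IN rule from Anywhere that is not the VPN port is public exposure
    # (this also catches an admin port opened without the "on $VPN_IF" restriction).
    exposed="$(printf '%s\n' "$status" \
        | grep -E 'ALLOW IN[[:space:]]+Anywhere' \
        | grep -Ev "^${VPN_PORT}/udp[[:space:]]" || true)"
    if [ -n "$exposed" ]; then
        echo "FAIL: reachable from the internet besides the VPN port:"
        echo "$exposed"
        ok=1
    fi
    return $ok
}

# Constructed sample output in the `ufw status verbose` format (not captured from a
# real host). GOOD follows the rules above; BAD additionally exposes SSH to everyone.
SAMPLE_GOOD="Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW IN    Anywhere
22/tcp on wg0              ALLOW IN    10.8.0.0/24
51820/udp (v6)             ALLOW IN    Anywhere (v6)"
SAMPLE_BAD="${SAMPLE_GOOD}
22/tcp                     ALLOW IN    Anywhere"

case "${1:-}" in
    rules) ufw_rules ;;
    audit) audit_ufw_status ;;   # e.g. sudo ufw status verbose | sh this.sh audit
esac
```

Run `sh this.sh rules` to review the commands before applying them, and `sudo ufw status verbose | sh this.sh audit` after any rule change; the audit is deliberately strict, so a legitimately public service (for example an HTTPS port you chose to expose) will show up as a failure and should be added to the exclusion list consciously rather than silently.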
In summary, a VPN with dual firewalls is an excellent security foundation. However, to maintain a high level of security, you must also prioritize software updates, NextCloud’s built-in security features, and a strict firewall configuration.