Reason for my question is the following:
I want to host some services on my public server and while they all have normal password protection, I want to ensure the security a tiny bit more. Therefore I want to limit the access to the specific services through ufw and nginx to specific IP addresses. For my home address I can use DYNDNS to get my current IP. However, that will not work for my phone when I’m on the go.
I don’t want to constantly use VPN, as it slows down the speed of the internet connection significantly. Instead I would much prefer to just simply keep my server updated on my phone’s IP, so I can update the necessary config files through a script and thus allow my phone to access the services, wherever I am.

  • You can probably run some sort of dyndns client on android. I’d think maybe in something like termux.

    Otherwise, check out mutual-TLS, also known as client SSL.
    We use SSL all the time for servers, but the same can be done for clients.
    I run everything behind an nginx reverse proxy that handles all that with the ssl_client_verify directive before proxying the request to the different services.
    You generate a cert that’s to be installed on the phone.
    On a new connection, the server will challenge the client for its certificate and just drop everything else.
    I’d say it’s as secure as doing VPN with PKI, but without having to keep the vpn running.

    A few caveats: not all apps and browsers support mTLS.
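An added example (not from the thread) of the nginx setup the comment above describes: client-certificate verification at the proxy, with one public path left open for something like the webhook receiver the OP mentions later. Hostname, file paths and the backend port are assumptions.

```nginx
# Added example: nginx reverse proxy gated by mutual TLS.
# Assumed paths and ports; replace with your own.
server {
    listen 443 ssl;
    server_name services.example.org;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # normal server cert
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Your own private CA that signed the phone's client certificate.
    # Only certs chaining to this CA are accepted; public CAs are irrelevant here.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_depth 1;

    # "optional" lets the handshake complete without a client cert so that
    # individual locations can decide; use "on" to reject at the handshake for
    # the whole vhost (then the checks below are belt and braces).
    ssl_verify_client optional;

    # Protected service: only requests whose client cert validated get through.
    location /app/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080/;     # assumed backend
        proxy_set_header X-Client-DN $ssl_client_s_dn;   # lets the app log who connected
    }

    # Public endpoint kept open on purpose (e.g. a webhook receiver guarded by
    # its own secret and fail2ban), so it must not depend on the client cert.
    location /hook/ {
        proxy_pass http://127.0.0.1:8081/;     # assumed backend
    }

    # Everything else is dropped unless a valid client cert was presented.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080/;
    }
}
```

The phone needs the client cert and key bundled as PKCS#12 (`openssl pkcs12 -export -inkey phone.key -in phone.crt -out phone.p12`) to import it; apps that do not support client certificates will get the 403 described in the caveat above.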

  • tech2but1B · 1 year ago

    The correct answer has been given a few times here, split tunnelling.

    But your idea is mental. If your IP changes and access is locked down by IP address, how do you expect your phone to connect to your server to tell it about the new IP if it can’t access the server due to the fact it hasn’t got the correct IP in the allow list?

    • SorasterOPB · 1 year ago

      Yeah, I thought about this problem. I don’t want to lock down all ports for nginx, but instead only certain websites through nginx rules.
      The webhook receiver would remain open to the public, but would require a long passphrase that would result in a ban through fail2ban if entered incorrectly.

      I know this isn’t ideal, but that’s what I had in mind when thinking about the problem.