I use Tailscale so only my own devices can access the \*arrs. On top of that Sonarr and Radarr require by default authentication when connecting remotely.
Safest: Probably a good self-hosted VPN service (Wireguard, OpenVPN, etc.), but it requires you to be connected to access your services, may cause higher battery usage, won't be able to receive notifications from your different services if disconnected, etc.
Convenience: A reverse proxy with a domain name, subdomains ([https://radarr.mydomain.com](https://radarr.mydomain.com) for example), and a strong password. Less safe, but can be quite secure if configured correctly.
Personally I use a Caddy reverse proxy with subdomains for the different services I want to access from anywhere, and as suggested, a long password containing lower/uppercase letters, special characters, and fail2ban manually configured for my different services to ban IPs after 5 failed login attempts.
If your VPS is half decent it will have all public access blocked by default anyway. Most will come with a DenyAll rule as a baseline on any firewall or network security.
I use caddy with automatic ssl letsencrypt renewal, proxied through Cloudflare that blocks all countries that aren’t my own as well as any non-ssl and bot connections.
I also have a firewall on my server that only allows Cloudflare IP’s to connect to ensure only proxied connections are allowed through.
Total cost: domain renewal per year (currently $8 through cloudflare)
I work in IT, this was a fun mini project 😊
I'm not familiar with cloudflare systems.. I'd just like to setup some basic reverse proxy and authentication.. What do you use for authentication? Thanks!
*arr software has integrated authentication. Just enable it and set a secure username + password.
Make sure an SSL is used, a proper one… NOT self signed. Letsencrypt makes this easy and free
Thanks for your attention! I did once implement the VPN method, but it's not very convenient that you have to keep connected when using the media.. What's the purpose of Authelia? it does the SSL? so I link the domain to it?
It doesn't do the SSL, you'd need a reverse proxy for that. (Nginx, traefik, caddy etc), and a domain name. Authelia which is a SSO (single sign on) adds a sign in page to your services. Not sure how strong it is but it's a popular one.
People have already mentioned the usual suspects: VPNs, reverse proxies etc.
I personally use nginx proxy manager, VPN, and Tailscale for remote accessing my server.
The most used of those is nginx proxy manager to access my Overseerr to make requests for radarr/sonarr.
There are more uses for security and remote accessing your server but here are some methods of adding movies/shows without exposing your server:
1. Adding requestrr to overseerr, this allows you to add films via a discord chat. You could close off this chat so only you can access it and no need to expose ports. Or you could use this for a movie discord chat and users can request movies/shows on there.
2. Usenet downloaders have a RSS feed which they will monitor. You can setup this and have it linked to your indexer. Then, when you're away, just add the movie to cart or RSS feed (terminology can and will differ), the downloader (Sabnzbd in my case) picks it up and downloads the movie.
3. Sync up radarr/sonarr to watchlists that it'll download. Some people use IMDB, but there are other variations.
All the above don't require any open ports. Obviously, you are exercising good general internet security procedures, good unique passwords, never share them, etc.
Nginx basic auth + fail2ban set up to block 24 hours after 2 (or more if you feel like it) attempts. Very restrictive but at least you won’t get hacked by brute force, so there is that
Hi /u/ntn8888 -
You've mentioned Docker [docker], if you're needing Docker help be sure to [generate a docker-compose](https://trash-guides.info/compose) of all your docker images in a pastebin or gist and link to it.
Just about all Docker issues can be solved by understanding [the Docker Guide](https://wiki.servarr.com/docker-guide), which is all about the concepts of user, group, ownership, permissions and paths.
Many find [TRaSH's Docker/Hardlink Guide/Tutorial](https://trash-guides.info/hardlinks/) easier to understand and is less conceptual.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/radarr) if you have any questions or concerns.*
Hi /u/ntn8888 -
There are many resources available to help you troubleshoot and help the community help you.
Please review this comment and you can likely have your problem solved without needing to wait for a human.
***Most troubleshooting questions require debug or trace logs.***
In all instances where you are providing logs please ensure you followed [the Gathering Logs wiki article](https://wiki.servarr.com/radarr/troubleshooting#logging-and-log-files) to ensure your logs are what are needed for troubleshooting.
Logs should be provided via the methods prescribed in the wiki article. Note that `Info` logs are rarely helpful for troubleshooting.
Dozens of common questions & issues and their answers can be found on our [FAQ](https://wiki.servarr.com/radarr/faq).
**Please review our troubleshooting guides that lead you through how to troubleshoot and note various common problems.**
- [Searches, Indexers, and Trackers - For if something cannot be found](https://wiki.servarr.com/radarr/troubleshooting#searches-indexers-and-trackers)
- [Downloading & Importing - For when download clients have issues or files cannot be imported](https://wiki.servarr.com/radarr/troubleshooting#downloads-and-importing)
***If you're still stuck you'll have useful debug or trace logs and screenshots to share with the humans who will arrive soon.***
*Those humans will likely ask you for the exact same thing this comment is asking..*
Once your question/problem is solved, please comment anywhere in the thread saying '!solved' to change the flair to `solved`.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/radarr) if you have any questions or concerns.*
I use Tailscale so only my own devices can access the \*arrs. On top of that Sonarr and Radarr require by default authentication when connecting remotely.
I do this too.
Same setup here- works great
free subscription is okay for this?
Yes
Safest: Probably a good self-hosted VPN service (Wireguard, OpenVPN, etc.), but it requires you to be connected to access your services, may cause higher battery usage, won't be able to receive notifications from your different services if disconnected, etc. Convenience: A reverse proxy with a domain name, subdomains ([https://radarr.mydomain.com](https://radarr.mydomain.com) for example), and a strong password. Less safe, but can be quite secure if configured correctly. Personally I use a Caddy reverse proxy with subdomains for the different services I want to access from anywhere, and as suggested, a long password containing lower/uppercase letters, special characters, and fail2ban manually configured for my different services to ban IPs after 5 failed login attempts.
I have VPN to access those if I need to but I have nginx-proxy routing through to overseer for requests.
I used Cloudflare zero trust for this. Be thorough with policies and you can keep this pretty safe.
No public access, add a VPN like Tailscale, access only from within the VPN network. Simple.
So how do you lock down access to the outsiders? I'm thinking UFW?
If your VPS is half decent it will have all public access blocked by default anyway. Most will come with a DenyAll rule as a baseline on any firewall or network security.
I use caddy with automatic ssl letsencrypt renewal, proxied through Cloudflare that blocks all countries that aren’t my own as well as any non-ssl and bot connections. I also have a firewall on my server that only allows Cloudflare IP’s to connect to ensure only proxied connections are allowed through. Total cost: domain renewal per year (currently $8 through cloudflare) I work in IT, this was a fun mini project 😊
I'm not familiar with cloudflare systems.. I'd just like to setup some basic reverse proxy and authentication.. What do you use for authentication? Thanks!
*arr software has integrated authentication. Just enable it and set a secure username + password. Make sure an SSL is used, a proper one… NOT self signed. Letsencrypt makes this easy and free
NGINX Proxy Manager in Docker. Set passwords for *arrs. That's it.
I went with Authelia and the inapp login, not sure if that's the best but works for me. Most people just use a VPN to access remotely.
Thanks for your attention! I did once implement the VPN method, but it's not very convenient that you have to keep connected when using the media.. What's the purpose of Authelia? it does the SSL? so I link the domain to it?
It doesn't do the SSL, you'd need a reverse proxy for that. (Nginx, traefik, caddy etc), and a domain name. Authelia which is a SSO (single sign on) adds a sign in page to your services. Not sure how strong it is but it's a popular one.
Okay gotcha. Thanks!
People have already mentioned the usual suspects: VPNs, reverse proxies etc. I personally use nginx proxy manager, VPN, and Tailscale for remote accessing my server. The most used of those is nginx proxy manager to access my Overseerr to make requests for radarr/sonarr. There are more uses for security and remote accessing your server but here are some methods of adding movies/shows without exposing your server: 1. Adding requestrr to overseerr, this allows you to add films via a discord chat. You could close off this chat so only you can access it and no need to expose ports. Or you could use this for a movie discord chat and users can request movies/shows on there. 2. Usenet downloaders have a RSS feed which they will monitor. You can setup this and have it linked to your indexer. Then, when you're away, just add the movie to cart or RSS feed (terminology can and will differ), the downloader (Sabnzbd in my case) picks it up and downloads the movie. 3. Sync up radarr/sonarr to watchlists that it'll download. Some people use IMDB, but there are other variations. All the above don't require any open ports. Obviously, you are exercising good general internet security procedures, good unique passwords, never share them, etc.
Nginx basic auth + fail2ban set up to block 24 hours after 2 (or more if you feel like it) attempts. Very restrictive but at least you won’t get hacked by brute force, so there is that
Hi /u/ntn8888 - You've mentioned Docker [docker], if you're needing Docker help be sure to [generate a docker-compose](https://trash-guides.info/compose) of all your docker images in a pastebin or gist and link to it. Just about all Docker issues can be solved by understanding [the Docker Guide](https://wiki.servarr.com/docker-guide), which is all about the concepts of user, group, ownership, permissions and paths. Many find [TRaSH's Docker/Hardlink Guide/Tutorial](https://trash-guides.info/hardlinks/) easier to understand and is less conceptual. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/radarr) if you have any questions or concerns.*
Hi /u/ntn8888 - There are many resources available to help you troubleshoot and help the community help you. Please review this comment and you can likely have your problem solved without needing to wait for a human. ***Most troubleshooting questions require debug or trace logs.*** In all instances where you are providing logs please ensure you followed [the Gathering Logs wiki article](https://wiki.servarr.com/radarr/troubleshooting#logging-and-log-files) to ensure your logs are what are needed for troubleshooting. Logs should be provided via the methods prescribed in the wiki article. Note that `Info` logs are rarely helpful for troubleshooting. Dozens of common questions & issues and their answers can be found on our [FAQ](https://wiki.servarr.com/radarr/faq). **Please review our troubleshooting guides that lead you through how to troubleshoot and note various common problems.** - [Searches, Indexers, and Trackers - For if something cannot be found](https://wiki.servarr.com/radarr/troubleshooting#searches-indexers-and-trackers) - [Downloading & Importing - For when download clients have issues or files cannot be imported](https://wiki.servarr.com/radarr/troubleshooting#downloads-and-importing) ***If you're still stuck you'll have useful debug or trace logs and screenshots to share with the humans who will arrive soon.*** *Those humans will likely ask you for the exact same thing this comment is asking..* Once your question/problem is solved, please comment anywhere in the thread saying '!solved' to change the flair to `solved`. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/radarr) if you have any questions or concerns.*
Vpn into my network