Security & upkeep
Is it safe to expose a service without a VPN?
Is it safe to expose a self-hosted service directly to the internet without a VPN?
Short answer
Is it safe to expose a self-hosted service directly to the internet without a VPN?
It can be, for a small number of well-chosen services — if each one has real authentication, gets patched promptly, and you actually understand what it exposes. It is not safe for anything running default credentials, with a history of serious vulnerabilities, or that you set up once and haven't updated in months. "Safe to expose" is a property of the specific app and how you run it, not a blanket yes or no.
Exposing a service means opening it to the public internet — through a port-forward or a reverse proxy — so anyone can reach its login page, rather than keeping it private behind a VPN where only you can. The trade is convenience (public links, no client to install) against a permanently larger attack surface that you're now responsible for defending.
- Every servicemust be judged on its own — auth, patch history, your understanding
- 0 default credsthe non-negotiable before anything faces the internet
- Patched + watchedthe ongoing cost of anything you expose
“Safe” is per-service, not a slogan
The internet is full of both “never expose anything!” and “just port-forward it, it’s fine,” and both are too blunt to be useful. The truth is that exposure safety lives at the level of the individual service: a well-built, actively-maintained app with strong authentication is a very different proposition from an abandoned one with a default password, even though “exposing to the internet” describes both.
The checklist before anything goes public
Before you open a service to the world, it should clear all of these: a strong, unique login with two-factor; prompt updates (and a plan to keep updating it); a decent security reputation; and your own honest understanding of what it exposes. Put it behind a reverse proxy so only hardened web ports face out, not the app’s raw port. And expose only what genuinely needs to be public — the rest belongs behind the VPN, where the attack surface is simply zero.
The part people forget
The dangerous moment usually isn’t the day you expose something — it’s six months later, when you’ve stopped thinking about it and stopped updating it. Public services need ongoing care, because automated scanners are hammering every address on the internet looking for exactly the stale, default, unpatched thing yours might have quietly become. If you’re not prepared to keep watching it, don’t expose it — keep it behind the VPN and sleep easier.
| Signal | Reasonable to expose | Don't |
|---|---|---|
| Authentication | Strong login + 2FA | Default or weak creds |
| Updates | Patched promptly | Untouched for months |
| Track record | Clean, well-regarded | History of serious CVEs |
| Your grasp of it | You know what it opens | You're not sure |
I'll expose a handful of things I trust — real login, actively patched, and I know what they open up. I won't expose something with default passwords, a rough security record, or that I haven't looked at in months. That box got me ransomed once; the internet doesn't forgive stale software.
Common questions
Isn't a VPN always safer than exposing anything?
Yes — a VPN keeps everything private and is the smaller attack surface, so it's the default when only you need access. Exposing a service is a deliberate trade you make for a specific reason (a public link, no client to install). It can be done responsibly for the right app; it's just never the free option.
Which kinds of services are reasonable to expose?
Ones purpose-built to face the internet, with strong authentication and a good security reputation, that you keep updated — and, ideally, that you'd put behind a reverse proxy so only hardened web ports are open. Even then, expose the few that genuinely need to be public and keep the rest behind the VPN.
What makes exposing something actively dangerous?
Default or reused credentials, no two-factor, a known history of serious vulnerabilities, and — the quiet killer — not being updated. Automated scanners hit every public address constantly looking for exactly those. An app that's perfectly safe on day one becomes a liability the month you stop patching it.