![](/static/253f0d9b/assets/icons/icon-96x96.png)
![](https://lemmy.world/pictrs/image/8286e071-7449-4413-a084-1eb5242e2cf4.png)
This isn’t specific to just netdata, but I frequently find projects that have some feature provided via their cloud offering and then say “but you can also do it locally” and gesture vaguely at some half-written docs that don’t really help.
It makes sense for them, since one of those is how they make money and the other is how they loose cloud customers, but it’s still annoying.
Shoutout to healthcheck.io who seem to provide both nice cloud offerings and a fully-fledged server with good documentation.
Increase the attack surface compared to what? If you don’t allow/enable any access to services inside your network from outside, then by definition you have fewer attack surfaces than if you add a VPN to that empty list.
So trivially the answer is “yes, it adds an attack surface”.
But what are the alternatives? If you directly expose each individual service on a dedicated port, for example, then you’d add many more (and usually less well hardened) attack surfaces instead.
So if the comparison is “expose 5 web-based services directly” vs. “expose one VPN like wireguard”, then the second option is almost always the clear winner when it comes to security (and frequently also when it comes to ease of setup as well as comfort).