NextBox: Remote access via proxy vs. DynDNS

Two options are stated to access the NextBox from the internet, regarding which I have some questions:

  1. Regarding the NitroKey proxy option:
  • If one chooses the proxy option, then the data is not encrypted when passing through Nitrokey’s servers, correct?
  • Insofar, one has to trust Nitrokey to not eavesdrop and to properly protect the proxy server from unwanted visitors, is this correct? I do not want, in any way, insinuate that Nitrokey would do any harm on purpose. I just try to determine which technical problems could arise.
  • Further, could this be solved by using Nextcloud’s built-in encryption option? That way, I understand, the files itself should be encrypted?
  • Finally, I imagine that there must be some kind of cost (in terms of money) associated with running the proxy server. How does NitroKey plan to pay for this in the long-term? I am not interested in ‘business plan’ kind of things, but more whether NitroKey rules out that it will introduce a fee in the long run for NitroBox users who choose the proxy option, defeating its campaign’s promise of “no monthly costs”.
  1. Regarding the DynDNS with deSEC option:
  • This does not sound awfully complicated even for a layperson (like myself). I am wondering, though, whether there are plans to show layusers how to do things like “port share” and “DNS rebinding”?
  • Also, is it planned (if technically useful) to a priori determine whether an individual is likely going to be able to use this option, for example, by means of setting up an online form where one enters different technical specifications of your use case’s router / ISP / technical setup?

More generally, I kind of know that one problem for individuals to set up a private self-hosted cloud using a NAS is that their ISP will not allow them to have access to it via the internet. I think this is because in the usual cases one needs a static IP, which ISPs don’t want to assign to normal people. If this is kind of correct, this should not be a problem in either of the above mentioned options, correct? There should be, even more broadly, no forseeable problems arising from the end-user’s ISP when using the NextBox?

Thanks so much for your time! :slight_smile:

Hey Tencel,
let’s see if I can answer


no worries understand this correctly, here again: true, you have to trust us here

good question, I have to admit I do not have full insight into the Nextcloud encryption, whether it is E2E or just for the files in rest. E2E would imply that the client (e.g., android app) would de/en-crypt the files. Sorry, I have to pass here.

Currently, we assume that this proxy solution is good for the enthusiast user, who will likely not generate too much traffic, compared to a power user, who will also more likely use the dynDNS solution. Furthermore, we are mainly talking about network traffic here, neither high cpu nor high memory demands, means no need for overly expensive servers. Nevertheless, if we observe very high load on the server we leave us the option to throttle traffic for all users. To be very direct here: of course I cannot promise things here, but there is clearly no plan to lure the users into the proxy service and then ask them to pay for it after a while.

An additional note here: the proxy will also be open-source, so even if we for any reason cannot continue the proxy, the community can still set up one on its own.

The amount of automation (magic) for this step is in constant discussion. The golden path between “automating as much as possible” (and possibly not work everywhere as this is a globally sold product) and “giving proper descriptions and docs” during the process is something what is not yet fully defined. But we clearly commit to constantly improve and add documentation for the NextBox in order to adapt to user demands.

Nope, this is not planned, this would be a huge amount of work to even set up this database. We believe it’s better to support the user during the setup.

So far (at least I) cannot tell any scenario in which the backwards proxy may not work, if not intentionally forbidden by a firewall or similar filtering mechanism, so this will always be the easy go-to-solution, but with drawbacks for e.g. accessing the NextBox from at home. The static IP problem on the other side is solved by the dynamic DNS approach, which is exactly targeting this case. Still as DS-Lite is a thing nowadays, this also comes with the drawback of some additional configuration (i.e., IPv6 + DNS-Rebind).

Puh, hope I hit most questions :wink:


1 Like

Dear @daringer,

thanks so much for your elaborate and transparent answers (this also goes regarding my other questions you answered)! I really appreciate that you took so much time. :slight_smile:

I just had another question popping up regarding proxy vs. DynDNS access: is it possible to switch from one to another?


1 Like

Yap, this will be possible.

best wishes